LUKS + challenge-response

[GoogleCodeExporter]

I'm trying to implement a "luksOpen" method based on challenge-response instead 
of a passphrase. This requires storing 20 bytes (the challenge) somewhere.

Currently, I'm using a file, but I think it would be great to include the 
challenge somewhere in the LUKS header. Any idea how to do it without breaking 
everything?

Thanks a lot!

Original issue reported on code.google.com by bluewhis...@gmail.com on 27 Jun 2012 at 9:36

[GoogleCodeExporter]

Seems this issue fell through the crack... sorry for late reply!

I do not think that it is safe to save any special data for the current version 
of LUKS header (there are other parsers in the wild and almost for sure they 
will corrupt such info).

Anyway, it is another possible feature for new version of LUKS header.

What exactly do you need (if the issue is still alive)? Do you have some code 
available to explain the idea?
(For future I can imagine some special keyslot to store such external data.)

Original comment by gmazyl...@gmail.com on 17 Mar 2013 at 8:38

• Added labels: Type-Enhancement
• Removed labels: Type-Defect

[GoogleCodeExporter]

No problem, I though that I would never get an answer ;-)

At present, I've done a basic patch to have this work on my laptop. (the goal 
was to be able to unlock the root filesystem using a Yubikey).

I've uploaded the code on github, which should be easy to understand: 
https://github.com/lfasnacht/ykluks

Original comment by bluewhis...@gmail.com on 18 Mar 2013 at 7:01

[GoogleCodeExporter]

having ANY challeenge info in the device or header of the container IT unlocks 
is not only stupid and bad practice it defeats itself

Original comment by sheldon....@gmail.com on 7 Dec 2014 at 3:33

[GoogleCodeExporter]

Any updates on challenge-response being implemented?

Original comment by kas...@kashifshah.net on 16 Jan 2015 at 1:49