eworm-de / mkinitcpio-ykfde

Full disk encryption with Yubikey (Yubico key)
GNU General Public License v3.0

feat: commandline calculate key #40

Open exincore opened 2 years ago

exincore commented 2 years ago

What

Add a flag to the ykfde executable that prints the resulting LUKS keyslot passphrase instead of sending it to decrypt the drive.

In other words, instead of calculating the LUKS keyslot passphrase and sending it to unlock the drive, this flag lets a user, on a booted system, generate the valid LUKS key with their YubiKey, without manually going through the steps below, and without also rolling the challenge salt.

Why

Manually changing the LUKS setup with this program is currently undocumented. The challenge has to be manually read from ykfde's files, then up to the first SHA1_MAX_BLOCK_SIZE / 2 bits of the 2FA password has to be manually written over the beginning of that challenge, then the whole thing is fed into ykchalresp, and only then is there an output that can be used by cryptsetup luksOpen or similar. That is a clearly unpleasant process to do manually.
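The manual procedure the comment describes (read the stored challenge, overwrite its beginning with the second-factor password, send the result to the YubiKey, use the response as the keyslot passphrase) as an added illustration. This is not ykfde's own code: the YubiKey is replaced by a software HMAC-SHA1 stand-in (the HMAC-SHA1 challenge-response slot computes HMAC-SHA1 over the challenge with the slot secret, which is what ykchalresp prints as hex), the stored challenge and slot secret are constructed sample values, the value 64 for SHA1_MAX_BLOCK_SIZE and the treatment of the "/ 2" limit as a byte count are assumptions, and the function names are hypothetical.

```python
import hashlib
import hmac

# Assumed value; the issue names the constant but not its size.
SHA1_MAX_BLOCK_SIZE = 64

# Constructed sample values standing in for the challenge file ykfde stores
# and for the HMAC-SHA1 secret programmed into the YubiKey slot.
SAMPLE_STORED_CHALLENGE = bytes(range(SHA1_MAX_BLOCK_SIZE))
SAMPLE_SLOT_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


def build_challenge(stored_challenge: bytes, second_factor: str) -> bytes:
    """Overwrite the start of the stored challenge with the 2FA password.

    The issue says "up to the first SHA1_MAX_BLOCK_SIZE / 2" of the password is
    written over the challenge; this example applies that as a byte limit
    (assumption). The rest of the challenge stays as stored on disk.
    """
    if len(stored_challenge) != SHA1_MAX_BLOCK_SIZE:
        raise ValueError("stored challenge must be exactly SHA1_MAX_BLOCK_SIZE bytes")
    limit = SHA1_MAX_BLOCK_SIZE // 2
    prefix = second_factor.encode("utf-8")[:limit]
    return prefix + stored_challenge[len(prefix):]


def software_challenge_response(slot_secret: bytes, challenge: bytes) -> str:
    """Stand-in for `ykchalresp`: HMAC-SHA1(slot secret, challenge) as lowercase hex.

    A real YubiKey never reveals the slot secret; this function exists only so
    the example runs offline and shows the shape of the output.
    """
    return hmac.new(slot_secret, challenge, hashlib.sha1).hexdigest()


def derive_keyslot_passphrase(stored_challenge: bytes, second_factor: str,
                              slot_secret: bytes) -> str:
    """Full manual flow from the issue: mix password into challenge, get response.

    The returned hex string is what would be handed to `cryptsetup luksOpen`
    as the keyslot passphrase.
    """
    challenge = build_challenge(stored_challenge, second_factor)
    return software_challenge_response(slot_secret, challenge)


if __name__ == "__main__":
    passphrase = derive_keyslot_passphrase(
        SAMPLE_STORED_CHALLENGE, "correct horse", SAMPLE_SLOT_SECRET)
    print(f"keyslot passphrase ({len(passphrase)} hex chars): {passphrase}")
```

Note that a wrong or mistyped second factor silently yields a different, equally valid-looking 40-character response; the only check is whether cryptsetup accepts it.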

eworm-de commented 2 years ago

This is not intended to be used that way. Just keep another key slot around with a human-friendly (but still strong!) password.