yubikey-fde should have an `enroll $disk $luksslot` command.

Initial (1) enrollment consists of:

1. The currently connected Yubikey is queried for its serial number.
2. A random challenge is generated (TODO: what is the maximum challenge length the Yubikey can handle?).
3. The challenge is sent to the Yubikey, and the response gets stored in `/etc/ykfde.d/${serial}-challenge`.
4. The response is then written to the defined LUKS slot; the LUKS passphrase prompt is dispatched to the console.
5. The Yubikey is enrolled.
Updating (2) enrollment consists of:

1. The currently connected Yubikey is queried for its serial number.
2. The current challenge for this key is read from the challenge file.
3. The challenge is sent to the Yubikey; the response is kept in memory.
4. An empty LUKS slot is determined.
5. The current response is added again in that slot, using the existing passphrase to respond to LUKS.
6. A new challenge is generated and sent to the Yubikey, and the response is stored.
7. The new passphrase is written to the specified LUKS slot, using the old passphrase.
8. The new challenge is written to the challenge file.
9. Only now is the old passphrase removed from the "backup" slot.

This should ensure that we never accidentally kill a passphrase: if the new challenge cannot be reliably persisted after step 8, we can fall back to the old challenge to get in and fix things manually. It is important to `panic!()` immediately if any of the updating steps fails.
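The updating sequence as an added, self-contained simulation (not yubikey-fde's own code): the LUKS header, the Yubikey response and the challenge file are in-memory stand-ins with assumed names (`Luks`, `yk_response`, `ChallengeFile`; the response function is a toy mixer, not HMAC-SHA1), the serial lookup of step 1 is left out, and a write failure at step 8 panics while the old response is still present in the backup slot.

```rust
/// Toy stand-in for the Yubikey's HMAC challenge-response slot (NOT a real
/// HMAC): mixes a per-key secret into the challenge so each challenge yields
/// a distinct, reproducible response.
pub fn yk_response(secret: &[u8], challenge: &[u8]) -> Vec<u8> {
    challenge.iter().zip(secret.iter().cycle()).map(|(c, s)| c ^ s).collect()
}

/// In-memory stand-in for a LUKS header with eight key slots.
pub struct Luks { pub slots: [Option<Vec<u8>>; 8] }

impl Luks {
    /// A device with one passphrase already enrolled in `slot` (assumed helper).
    pub fn enrolled(slot: usize, pass: &[u8]) -> Self {
        let mut luks = Luks { slots: Default::default() };
        luks.slots[slot] = Some(pass.to_vec());
        luks
    }
    pub fn unlocks(&self, pass: &[u8]) -> bool {
        self.slots.iter().flatten().any(|p| p.as_slice() == pass)
    }
    /// Like luksAddKey/luksChangeKey: an existing passphrase must authorise the write.
    pub fn set_slot(&mut self, slot: usize, existing: &[u8], new: &[u8]) {
        assert!(self.unlocks(existing), "LUKS rejected the existing passphrase");
        self.slots[slot] = Some(new.to_vec());
    }
    pub fn kill_slot(&mut self, slot: usize) { self.slots[slot] = None; }
    pub fn free_slot(&self) -> usize {
        self.slots.iter().position(Option::is_none).expect("no empty LUKS slot")
    }
}

/// Stand-in for /etc/ykfde.d/${serial}-challenge; `fail_writes` simulates a
/// write that never reaches disk, so the fallback path can be exercised.
pub struct ChallengeFile { pub contents: Vec<u8>, pub fail_writes: bool }

/// Updating enrollment in the required order: the backup slot is killed last,
/// and a failure panics while the old response is still usable.
pub fn update_enrollment(luks: &mut Luks, slot: usize, secret: &[u8],
                         file: &mut ChallengeFile, new_challenge: &[u8]) {
    let old_resp = yk_response(secret, &file.contents);   // steps 2-3
    let backup = luks.free_slot();                         // step 4
    luks.set_slot(backup, &old_resp, &old_resp);           // step 5
    let new_resp = yk_response(secret, new_challenge);     // step 6
    luks.set_slot(slot, &old_resp, &new_resp);             // step 7
    if file.fail_writes {                                  // step 8
        panic!("challenge file not persisted; old response kept in slot {backup}");
    }
    file.contents = new_challenge.to_vec();
    luks.kill_slot(backup);                                // step 9
}
```

After a panic at step 8 the challenge file still names the old challenge and the backup slot still accepts the old response, which is exactly the state the manual fix-up relies on.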
Removing a Yubikey consists of:

1. Calling `cryptsetup luksKillSlot $device $slot`
2. Removing the challenge file for that serial number from `/etc/ykfde.d`

(1): Initial enrollment is using a specific Yubikey for the first time.
(2): Updating enrollment is creating a new challenge for a previously enrolled Yubikey.