tazjin / yubikey-fde

Full disk encryption with Yubikeys
MIT License

Support Enrollment #11

Open tazjin opened 9 years ago

tazjin commented 9 years ago

yubikey-fde should have an enroll $disk $luksslot command.

Initial(1) enrollment consists of:

  1. The currently connected Yubikey is queried for its serial number.
  2. A random challenge is generated (TODO: What's the max length the Yubikey can handle?)
  3. The challenge is sent to the Yubikey, the response gets stored in /etc/ykfde.d/${serial}-challenge
  4. The response is then written to the defined Luks slot; the Luks password request is dispatched to the console.
  5. Yubikey is enrolled.

Updating(2) enrollment consists of:

  1. The currently connected Yubikey is queried for its serial number.
  2. The current challenge for this key is read from the challenge file.
  3. The challenge is sent to the Yubikey, response is kept in memory.
  4. An empty Luks slot will be determined. The current response is added again in that slot, using the existing passphrase to respond to Luks.
  5. A new challenge is generated, sent to the Yubikey and the response stored.
  6. The new passphrase is written to the specified Luks slot, using the old passphrase.
  7. The new challenge is written to the challenge file.
  8. Only now do we remove the old passphrase from the "backup" slot.

This should ensure that we don't accidentally kill a passphrase: if after step 8 the new challenge can't be reliably persisted, we can fall back to the old challenge to go in and fix it manually. It is important to panic!() immediately if any of the steps in updating go wrong.

Removing a Yubikey consists of:

  1. Calling cryptsetup luksKillSlot $device $slot
  2. Removing the challenge file for that serial number from /etc/ykfde.d

(1): Initial enrollment is using a specific Yubikey for the first time.
(2): Updating enrollment is creating a new challenge for a previously enrolled Yubikey.
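As an added illustration (not code from the yubikey-fde project), a Python model of the initial and updating enrollment above that keeps the steps in the order the issue gives, with constructed stand-ins for the Yubikey's HMAC-SHA1 challenge-response slot and for cryptsetup's slot operations; FakeYubikey, FakeLuks, enroll, update_enrollment and the persist callback (standing in for writing /etc/ykfde.d/${serial}-challenge) are all assumed names.

```python
import hashlib, hmac, secrets

class FakeYubikey:
    """Constructed stand-in for a Yubikey HMAC-SHA1 challenge-response slot."""
    def __init__(self, serial, secret):
        self.serial, self._secret = serial, secret
    def challenge_response(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

class FakeLuks:
    """Constructed stand-in for a LUKS header: slot index -> passphrase (slot 0 from luksFormat)."""
    def __init__(self, passphrase, slots=8):
        self.slots = [passphrase] + [None] * (slots - 1)
    def _check(self, passphrase):
        if passphrase not in self.slots:
            raise PermissionError("no slot accepts this passphrase")
    def add_key(self, existing, slot, new):      # like cryptsetup luksAddKey --key-slot
        self._check(existing)
        if self.slots[slot] is not None:
            raise ValueError("slot %d already in use" % slot)
        self.slots[slot] = new
    def change_key(self, existing, slot, new):   # like cryptsetup luksChangeKey --key-slot
        self._check(existing)
        self.slots[slot] = new
    def kill_slot(self, slot):                   # like cryptsetup luksKillSlot
        self.slots[slot] = None
    def free_slot(self):
        return self.slots.index(None)
    def unlocks(self, passphrase):
        return passphrase in self.slots

def enroll(yk, luks, slot, challenges, existing_passphrase):
    """Initial enrollment: fresh challenge, its response stored in `slot`, challenge kept per serial."""
    challenge = secrets.token_bytes(32)          # HMAC-SHA1 slot accepts challenges up to 64 bytes
    luks.add_key(existing_passphrase, slot, yk.challenge_response(challenge))
    challenges[yk.serial] = challenge

def update_enrollment(yk, luks, slot, challenges, persist):
    """Updating enrollment in the issue's order; `persist(serial, challenge)` writes the
    challenge file, and any exception aborts before the backup slot is removed."""
    old_resp = yk.challenge_response(challenges[yk.serial])   # steps 2-3
    backup = luks.free_slot()                                  # step 4: keep old response in a spare slot
    luks.add_key(old_resp, backup, old_resp)
    new_challenge = secrets.token_bytes(32)                    # step 5
    new_resp = yk.challenge_response(new_challenge)
    luks.change_key(old_resp, slot, new_resp)                  # step 6: re-key the target slot
    persist(yk.serial, new_challenge)                          # step 7: may fail; old response still unlocks
    luks.kill_slot(backup)                                     # step 8: only now drop the backup
    return new_challenge
```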