/usr/share/doc/yubikey-luks/README.md is in yubikey-luks 0.3.3+3.ge11e4c1-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 | Yubikey for LUKS
================
This package is inspired and based on https://github.com/tfheen/ykfde.
This enables you to use the yubikey as 2FA for LUKS.
The Password you enter is used as challenge for the yubikey
The keyscript allows to boot the machine with either
the password and the Yubikey or with a normal password
from any key slot.
initialize Yubikey
------------------
Initialize the Yubikey for challenge response in slot 2
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
install package
---------------
Build the package:
make builddeb
Install the package:
dpkg -i DEBUILD/yubikey-luks_0.?-1_all.deb
Assign a Yubikey to an LUKS slot
--------------------------------
You can now assign the Yubikey to a slot using the tool
yubikey-luks-enroll
Note: The partition is hardcoded in yubikey-luks-enroll. You might need to change this!
Technically this is done by writing the response to your password (1st factor
knowlege) created by the Yubikey (2nd factor possession) to a key slot.
Admitted - If the attacker was able to phish this response which looks like
this:
bd438575f4e8df965c80363f8aa6fe1debbe9ea9
it can be used as normal password.
Manage several Yubikeys and Machines
------------------------------------
It is possible to manage several Yubikeys and machines.
You need to use privacyIDEA to maange the Yubikeys and
the privacyIDEA admin client to push the Yubikey responses
to the LUKS slots.
See https://github.com/privacyidea/privacyideaadm and
https://github.com/privacyidea/privacyidea
|