The suggested soundtrack for this post comes from MASTER BOOT RECORD. The genre is called “chiptune” and a big shout-out to my friend, Wes, on keying me into them.
In one of my previous posts, I covered using the YubiKey to lock the machine when it’s removed. I intend to do one on configuring the machine to require the YubiKey for login but that’ll be for another day (if I get around to it). For now, the last remaining piece is to tie the disk’s encryption to the Yubikey, which is what we’ll be doing in this post.
The first thing that we’ll want to do is add the PPA for PrivacyIdea:
sudo add-apt-repository ppa:privacyidea/privacyidea
If your device is configured like mine, adding a PPA will automatically launch apt-get update. If not, then – of course – have apt-get update the list of available packages:
sudo apt-get update
Next, we’ll install the YubiKey-LUKS package that we need to tie the LUKS encryption to the YubiKey.
sudo apt-get install yubikey-luks
Since I’ve already used Slot 2 in the YubiKey for login, I’m going to use Slot 1 for the disk encryption. You’ll need to plug-in your YubiKey for this.
(BE FOREWARNED: You will nuke whatever key is currently in that slot. This is an unrecoverable action.):
ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Then, we’ll need to add a new key to Slot 7, which will be used when you input your password to the challenge from Yubikey. (Read: It’s not actually your password being stored there.)
sudo yubikey-luks-enroll -d /dev/sda3 -s 7
As soon as you do this, Ubuntu should prompt you to reboot. Do so and verify that your new password works. If it doesn’t, your old password should still work to get into the drive.
Now that we’ve set it up and verified that it’s working, let’s delete the original password because we’re concerned with security, yeah?
First, let’s get a list of the slots and see which one is open:
sudo cryptsetup luksDump /dev/sda3 [sudo] lösenord för [REDACTED]: LUKS header information for /dev/sda3 Version: 1 Cipher name: aes Cipher mode: xts-plain64 Hash spec: sha256 Payload offset: 4096 MK bits: 512 MK digest: [REDACTED] MK salt: [REDACTED] MK iterations: 105194 UUID: a806d67c-9357-4860-a296-948be2090293 Key Slot 0: ENABLED Iterations: 1683106 Salt: [REDACTED] Key material offset: 8 AF stripes: 4000 Key Slot 1: DISABLED Key Slot 2: DISABLED Key Slot 3: DISABLED Key Slot 4: DISABLED Key Slot 5: DISABLED Key Slot 6: DISABLED Key Slot 7: ENABLED Iterations: 1583950 Salt: [REDACTED] Key material offset: 3536 AF stripes: 4000
Now that we know Slot 0 was the O.G. key holder (because we added to Slot 7 and the rest of the slots are disabled), we can target it for removal.
To do that, we’ll run the following command.
(BE FOREWARNED: You will deleting the only passphrase that doesn’t require the YubiKey to be present in the system. If you haven’t rebooted the machine to verify the passphrase+YubiKey combination, I strongly urge you not to do this step.):
sudo cryptsetup -q luksKillSlot /dev/sda3 0
To verify, let’s dump the LUKS Slots again (redacted for brevity):
Key Slot 0: DISABLED Key Slot 1: DISABLED Key Slot 2: DISABLED Key Slot 3: DISABLED Key Slot 4: DISABLED Key Slot 5: DISABLED Key Slot 6: DISABLED Key Slot 7: ENABLED
And, now, the disk is only protected by the password+YubiKey combination. So, if the device gets stolen and the YubiKey isn’t in it (say, when I’m travelling), then the device is pretty useless – that is, unless you reformat it and start with new operating system.
Thanks for coming to this NERDTalk™ and I hope it helps you in your security endeavours in the future. 🙂