Ubuntu: Changing the Crypt (Plymouth) Login Screen

So, with all of this customisation of my Ubuntu machine going on, there had to be something else that I could configure, right? Well, there’s a lot, actually, but from the purely aesthetical point of view, the crypt screen was the next logical choice.

For those of you who may not be aware, and haven’t implemented encryption via Yubikey and LUKS, you can encrypt your volume and are forced to enter it on boot to get into the system. Think of it like BitLocker™ for Windows™®, only better.

celtic-come-at-me-bro

Oh, yeah, that’s right: I said it…

Anyways, the first thing that you’ll want to do is find a Plymoth theme. There’s actually a site full of them, here, and there’s – arguably – hundreds (if not thousands) more that you could find across the internet.

So, first things first, we download the theme. In my case it was the Paw Ubuntu/Mint Floral theme, just for the sake of proof-of-concept and the aesthetic appeals to me. YYMV. However, this is the them being used in this haphazard “how-to”.

Once the file is downloaded, extract it. (NOTE: Make sure that the script’s name matches the folder name; otherwise, the later regex will fail.) Move the contents of the inner parent to the shared directory on Ubuntu:

$ sudo mv Paw-Ubuntu-Floral /usr/share/plymouth/themes/

Now that it’s copied, we need to tell Ubuntu to build a new boot screen with the one we just copied over. This is fairly easy to do (kind of) in all of three commands:

$ sudo update-alternatives --install /usr/share/plymouth/themes/default.plymouth default.plymouth /usr/share/plymouth/themes/Paw-Ubuntu-Floral/paw-ubuntu-floral.plymouth 100 $ sudo update-alternatives --config default.plymouth
Det finns 2 val för alternativet default.plymouth (som tillhandahåller /usr/share/plymouth/themes/default.plymouth).

  Val          Sökväg                                                                 Prioritet  Status
------------------------------------------------------------
* 0            /usr/share/plymouth/themes/ubuntu-logo/ubuntu-logo.plymouth               100       automatiskt läge
  1            /usr/share/plymouth/themes/Paw-Ubuntu-Floral/paw-ubuntu-floral.plymouth   100       manuellt läge
  2            /usr/share/plymouth/themes/ubuntu-logo/ubuntu-logo.plymouth               100       manuellt läge

Tryck  för att behålla nuvarande val[*], eller ange urvalsnummer: 1       
update-alternatives: använder /usr/share/plymouth/themes/Paw-Ubuntu-Floral/paw-ubuntu-floral.plymouth för att tillhandahålla /usr/share/plymouth/themes/default.plymouth (default.plymouth) i manuellt läge

$ sudo update-initramfs -u
update-initramfs: Generating /boot/initrd.img-4.15.0-46-generic

If you receive the following error, you probably didn’t verify the file name of the script, like I suggested in the section above:

W: plymouth module (/usr/lib/x86_64-linux-gnu/plymouth//.so) missing, skipping that theme.

If so, go back and change the name of the script and restart this entire process over from the beginning. (Yes, I know, which is why I cautioned you about it, before…)

Alright, assuming all went well, all you need to do, now, is to reboot and you’ll see your newfound plymouth theme when you’re prompted to input your credentials for the disk’s encryption.

Thanks for coming to this NERDTalk™ and happy Ubuntuing!

Ubuntu 18.04 (LTS): Disk Encryption with YubiKey

(WARNING: If you don’t read this, very carefully, you’ll shoot your eye out! If you do, might I suggest Bacon Pancakes to cheer you up? Or Christopher Walken dancing?)

The suggested soundtrack for this post comes from MASTER BOOT RECORD. The genre is called “chiptune” and a big shout-out to my friend, Wes, on keying me into them.

In one of my previous posts, I covered using the YubiKey to lock the machine when it’s removed. I intend to do one on configuring the machine to require the YubiKey for login but that’ll be for another day (if I get around to it). For now, the last remaining piece is to tie the disk’s encryption to the Yubikey, which is what we’ll be doing in this post.

The first thing that we’ll want to do is add the PPA for PrivacyIdea:

sudo add-apt-repository ppa:privacyidea/privacyidea

If your device is configured like mine, adding a PPA will automatically launch apt-get update. If not, then – of course – have apt-get update the list of available packages:

sudo apt-get update

Next, we’ll install the YubiKey-LUKS package that we need to tie the LUKS encryption to the YubiKey.

sudo apt-get install yubikey-luks

Since I’ve already used Slot 2 in the YubiKey for login, I’m going to use Slot 1 for the disk encryption. You’ll need to plug-in your YubiKey for this.

(BE FOREWARNED: You will nuke whatever key is currently in that slot. This is an unrecoverable action.):

ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

Then, we’ll need to add a new key to Slot 7, which will be used when you input your password to the challenge from Yubikey. (Read: It’s not actually your password being stored there.)

sudo yubikey-luks-enroll -d /dev/sda3 -s 7

As soon as you do this, Ubuntu should prompt you to reboot. Do so and verify that your new password works. If it doesn’t, your old password should still work to get into the drive.

Now that we’ve set it up and verified that it’s working, let’s delete the original password because we’re concerned with security, yeah?

First, let’s get a list of the slots and see which one is open:

sudo cryptsetup luksDump /dev/sda3
[sudo] lösenord för [REDACTED]: 
LUKS header information for /dev/sda3

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
MK bits:       	512
MK digest:     	[REDACTED] 
MK salt:       	[REDACTED] 
MK iterations: 	105194
UUID:          	a806d67c-9357-4860-a296-948be2090293

Key Slot 0: ENABLED
	Iterations:         	1683106
	Salt:               	[REDACTED] 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
	Iterations:         	1583950
	Salt:               	[REDACTED] 
	Key material offset:	3536
	AF stripes:            	4000

Now that we know Slot 0 was the O.G. key holder (because we added to Slot 7 and the rest of the slots are disabled), we can target it for removal.

To do that, we’ll run the following command.

(BE FOREWARNED: You will deleting the only passphrase that doesn’t require the YubiKey to be present in the system. If you haven’t rebooted the machine to verify the passphrase+YubiKey combination, I strongly urge you not to do this step.):

sudo cryptsetup -q luksKillSlot /dev/sda3 0

To verify, let’s dump the LUKS Slots again (redacted for brevity):

Key Slot 0: DISABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED

And, now, the disk is only protected by the password+YubiKey combination. So, if the device gets stolen and the YubiKey isn’t in it (say, when I’m travelling), then the device is pretty useless – that is, unless you reformat it and start with new operating system.

Thanks for coming to this NERDTalk™ and I hope it helps you in your security endeavours in the future. 🙂