Ubuntu 18.04 (LTS): Disk Encryption with YubiKey

(WARNING: If you don’t read this, very carefully, you’ll shoot your eye out! If you do, might I suggest Bacon Pancakes to cheer you up? Or Christopher Walken dancing?)

The suggested soundtrack for this post comes from MASTER BOOT RECORD. The genre is called “chiptune” and a big shout-out to my friend, Wes, on keying me into them.

In one of my previous posts, I covered using the YubiKey to lock the machine when it’s removed. I intend to do one on configuring the machine to require the YubiKey for login but that’ll be for another day (if I get around to it). For now, the last remaining piece is to tie the disk’s encryption to the Yubikey, which is what we’ll be doing in this post.

The first thing that we’ll want to do is add the PPA for PrivacyIdea:

sudo add-apt-repository ppa:privacyidea/privacyidea

If your device is configured like mine, adding a PPA will automatically launch apt-get update. If not, then – of course – have apt-get update the list of available packages:

sudo apt-get update

Next, we’ll install the YubiKey-LUKS package that we need to tie the LUKS encryption to the YubiKey.

sudo apt-get install yubikey-luks

Since I’ve already used Slot 2 in the YubiKey for login, I’m going to use Slot 1 for the disk encryption. You’ll need to plug-in your YubiKey for this.

(BE FOREWARNED: You will nuke whatever key is currently in that slot. This is an unrecoverable action.):

ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

Then, we’ll need to add a new key to Slot 7, which will be used when you input your password to the challenge from Yubikey. (Read: It’s not actually your password being stored there.)

sudo yubikey-luks-enroll -d /dev/sda3 -s 7

As soon as you do this, Ubuntu should prompt you to reboot. Do so and verify that your new password works. If it doesn’t, your old password should still work to get into the drive.

Now that we’ve set it up and verified that it’s working, let’s delete the original password because we’re concerned with security, yeah?

First, let’s get a list of the slots and see which one is open:

sudo cryptsetup luksDump /dev/sda3
[sudo] lösenord för [REDACTED]: 
LUKS header information for /dev/sda3

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
MK bits:       	512
MK digest:     	[REDACTED] 
MK salt:       	[REDACTED] 
MK iterations: 	105194
UUID:          	a806d67c-9357-4860-a296-948be2090293

Key Slot 0: ENABLED
	Iterations:         	1683106
	Salt:               	[REDACTED] 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
	Iterations:         	1583950
	Salt:               	[REDACTED] 
	Key material offset:	3536
	AF stripes:            	4000

Now that we know Slot 0 was the O.G. key holder (because we added to Slot 7 and the rest of the slots are disabled), we can target it for removal.

To do that, we’ll run the following command.

(BE FOREWARNED: You will deleting the only passphrase that doesn’t require the YubiKey to be present in the system. If you haven’t rebooted the machine to verify the passphrase+YubiKey combination, I strongly urge you not to do this step.):

sudo cryptsetup -q luksKillSlot /dev/sda3 0

To verify, let’s dump the LUKS Slots again (redacted for brevity):

Key Slot 0: DISABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED

And, now, the disk is only protected by the password+YubiKey combination. So, if the device gets stolen and the YubiKey isn’t in it (say, when I’m travelling), then the device is pretty useless – that is, unless you reformat it and start with new operating system.

Thanks for coming to this NERDTalk™ and I hope it helps you in your security endeavours in the future. 🙂