public:unlocking_debian_luks_with_a_yubikey_at_boot

Revision 2024/03/22 23:20 (current) by thomas; previous revision 2024/03/19 23:04 by thomas.
====== Unlocking Debian LUKS with a Yubikey at boot ======

You can use a Yubikey to unlock a LUKS-encrypted disk on a Debian system at boot. For general information on managing LUKS, see [[public:managing_luks_on_debian|]].
  
===== On the Yubikey =====
You must set up your Yubikey with an HMAC-SHA1 [[https://docs.yubico.com/yesdk/users-manual/application-otp/how-to-program-a-challenge-response-credential.html|challenge-response credential]] in slot 2, which is the slot yubikey-luks queries at boot. One way to do this is with Yubico Authenticator.
{{:public:yubikey_challenge-response.png|}}

When you program the challenge-response credential you will be asked to enter a secret key (20 bytes, entered as 40 hex characters). This key is the heart of the method: any Yubikey programmed with the same secret produces the same response to a given challenge, and can therefore unlock the same disk. Keep it secret, and do not store it on the system it protects. During setup you can also choose whether the key must be touched before it generates a response.
  
===== On the Debian system =====
</code>
  
Follow the on-screen instructions. You will also be asked to enter a passphrase. At boot this passphrase is sent to the Yubikey as the challenge, so it is still needed every time the disk is unlocked. This way, to unlock your disk, you need **something you have (the Yubikey)** and **something you know (the passphrase)**. Note that no Yubikey PIN is asked for when unlocking: an OTP challenge-response slot is not PIN-protected (it can at most require a touch), so the passphrase is what provides the knowledge factor here.
  
Then, adjust ''/etc/crypttab'' and append the ''keyscript='' option to the entry for your encrypted volume so that it points at the ykluks keyscript.
</code>
  
Now, only the combination of your Yubikey (or any other Yubikey programmed with the same secret key) and the passphrase will unlock the disk! Make sure you either have multiple Yubikeys programmed with the same secret key, or enroll multiple Yubikeys with different secret keys (each enrolment then occupies its own LUKS key slot). Otherwise you may lose all your data when a key breaks or is lost. Keeping an ordinary passphrase in another LUKS key slot, stored somewhere safe, is a sensible fallback as well.

===== Optional: bypass the passphrase =====
:!: If you bypass the passphrase, you rely only on something you have and no longer on something you know. **I strongly advise against this** as it is less secure, but it may be preferred in environments where nobody can type a passphrase at boot. Be aware that the fixed challenge is copied into the initramfs, which normally lives on the unencrypted ''/boot'' partition, so it cannot be considered secret: anyone holding a Yubikey with the same secret key and the disk can unlock it.

Open ''/etc/ykluks.cfg'' and append the following line:

<code bash>
YUBIKEY_CHALLENGE="your passphrase here"
</code>

Then, update your initramfs again:
<code bash>
update-initramfs -u
</code>
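To make the claims above concrete (the same secret gives the same responses, the passphrase is the challenge, and a fixed ''YUBIKEY_CHALLENGE'' reduces the scheme to a single factor), here is a software model of the slot-2 HMAC-SHA1 credential that can be run offline. This is an added example, not code from this page or from the yubikey-luks package: the ''SoftYubikeySlot'' and ''boot_key_material'' names are made up, and the assumption that the hex response is used directly as LUKS key material is a simplification of the page's description, not the keyscript's exact behaviour. All secrets and passphrases in it are constructed sample values.

```python
"""Software model of the HMAC-SHA1 challenge-response behind yubikey-luks.

Added example, not code from the wiki page or from the yubikey-luks package.
It emulates what the slot-2 credential computes so the properties described
on the page (same secret -> same responses; the passphrase is the challenge;
a fixed YUBIKEY_CHALLENGE removes the 'something you know' factor) can be
checked offline. Secrets and passphrases below are constructed sample values.
"""
import hashlib
import hmac
import secrets


class SoftYubikeySlot:
    """Emulates an HMAC-SHA1 challenge-response credential in an OTP slot.

    A real slot keeps its 20-byte secret inside the device and only ever
    returns HMAC-SHA1(secret, challenge); here the secret is an attribute
    purely for demonstration.
    """

    def __init__(self, secret_hex, require_touch=False):
        secret = bytes.fromhex(secret_hex)
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes (40 hex digits)")
        self._secret = secret
        self.require_touch = require_touch

    def challenge_response(self, challenge, touched=False):
        """Return the 40-hex-digit response, as `ykchalresp -2` would print it."""
        if not 1 <= len(challenge) <= 64:  # device-side challenge size limit
            raise ValueError("challenge must be 1..64 bytes")
        if self.require_touch and not touched:
            raise PermissionError("slot is configured to require a touch")
        return hmac.new(self._secret, challenge, hashlib.sha1).hexdigest()


def boot_key_material(slot, passphrase=None, fixed_challenge=None, touched=False):
    """Model of what the boot-time keyscript derives for cryptsetup.

    Assumption (simplified from the page's description, not the real script):
    the passphrase typed at boot is the challenge and the hex response is the
    LUKS key material. With YUBIKEY_CHALLENGE set in /etc/ykluks.cfg that
    fixed string is the challenge and no passphrase is asked (the 'bypass').
    """
    if fixed_challenge is not None:
        challenge = fixed_challenge.encode()
    elif passphrase is not None:
        challenge = passphrase.encode()
    else:
        raise ValueError("need a passphrase or a fixed challenge")
    return slot.challenge_response(challenge, touched=touched)


def demo():
    """Exercise the properties the page describes; returns a dict of findings."""
    secret = secrets.token_hex(20)                      # what you typed into slot 2
    primary = SoftYubikeySlot(secret, require_touch=True)
    backup = SoftYubikeySlot(secret)                    # second key, same secret
    stranger = SoftYubikeySlot(secrets.token_hex(20))   # unrelated key
    passphrase = "correct horse battery staple"         # constructed sample

    # Enrolment: the LUKS key slot was written with the primary key's response.
    enrolled = boot_key_material(primary, passphrase, touched=True)

    def unlocks(slot, **kw):
        try:
            return boot_key_material(slot, **kw) == enrolled
        except PermissionError:  # touch required but nobody touched the key
            return False

    return {
        "backup_unlocks": unlocks(backup, passphrase=passphrase),
        "stranger_unlocks": unlocks(stranger, passphrase=passphrase),
        "wrong_passphrase_unlocks": unlocks(backup, passphrase="wrong passphrase"),
        "untouched_primary_unlocks": unlocks(primary, passphrase=passphrase),
        # Bypass: the fixed challenge sits in the initramfs, so it is not a
        # secret; any key holding this secret derives the material unprompted.
        "bypass_unlocks_without_prompt": unlocks(backup, fixed_challenge=passphrase),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it with ''python3'' and compare the findings with the text: ''backup_unlocks'' is true, ''stranger_unlocks'' and ''wrong_passphrase_unlocks'' are false, ''untouched_primary_unlocks'' is false only because that slot was configured to require a touch, and ''bypass_unlocks_without_prompt'' is true because the fixed challenge reproduces exactly the response the passphrase would have produced.
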
===== References =====
https://packages.debian.org/unstable/yubikey-luks \\
https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/

{{tag>Debian LUKS Yubikey}}