Thomas' Wiki

User Tools

Site Tools

Trace: Unlocking Debian LUKS with a Yubikey at boot Fixing Microsoft 365 Apps stuck updates Managing LXD (Incus) on Debian
public:unlocking_debian_luks_with_a_yubikey_at_boot

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
public:unlocking_debian_luks_with_a_yubikey_at_boot [2024/03/19 23:12] thomaspublic:unlocking_debian_luks_with_a_yubikey_at_boot [2024/03/22 23:20] (current) thomas
Line 1: Line 1:
 ====== Unlocking Debian LUKS with a Yubikey at boot ====== ====== Unlocking Debian LUKS with a Yubikey at boot ======
 +
 +You can use a Yubikey to unlock a Debian system at boot. For general info on managing LUKS, see [[public:managing_luks_on_debian|]].
  
 ===== On the Yubikey ===== ===== On the Yubikey =====
Line 22: Line 24:
 </code> </code>
  
-Follow the on-screen instructions. You will also be asked to enter a passphrase. This passphrase will be used in the challenge-response algorithm, and will still be needed at boot. This way, to unlock your disk, you will need **something you have (the Yubikey)** and **something you know (the passphrase)**.+Follow the on-screen instructions. You will also be asked to enter a passphrase. This passphrase will be used in the challenge-response algorithm, and will still be needed at boot. This way, to unlock your disk, you will need **something you have (the Yubikey)** and **something you know (the passphrase)**. Also note that the PIN of your Yubikey will not be asked when unlocking the disk. The passphrase already fulfills this purpose.
  
 Then, adjust ''/etc/crypttab'' and append the keyscript parameter to refer to the ykluks keyscript. Then, adjust ''/etc/crypttab'' and append the keyscript parameter to refer to the ykluks keyscript.
Line 79: Line 81:
 </code> </code>
  
-Now, only the combination of your Yubikey and passphrase will be able to unlock the disk!+Now, only the combination of your Yubikey (or any other Yubikey with the same secret key) and passphrase will be able to unlock the disk! Make sure that you either have multiple Yubikeys with the same secret key , or that you have multiple Yubikeys with different secret keys enrolled. Otherwise you may lose all your data when a key breaks or is lost. 
 + 
 +===== Optional: bypass the passphrase ===== 
 +:!: If you bypass the passphrase, you'll only rely on something you have, and not something you know. **I strongly advise against this** as it is less secure, but it can be preferred in some environments where interaction is not feasible. 
 + 
 +Open ''/etc/ykluks.cfg'' and append the following line: 
 + 
 +<code bash> 
 +YUBIKEY_CHALLENGE="your passphrase here" 
 +</code> 
 + 
 +Then, update your initramfs again: 
 +<code bash> 
 +update-initramfs -u 
 +</code> 
 ===== References ===== ===== References =====
 https://packages.debian.org/unstable/yubikey-luks \\ https://packages.debian.org/unstable/yubikey-luks \\
 https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/ https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/
 +
 +{{tag>Debian LUKS Yubikey}}
public/unlocking_debian_luks_with_a_yubikey_at_boot.1710889933.txt.gz · Last modified: by thomas
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki