Differences

This shows you the differences between two versions of the page.

--- public:unlocking_debian_luks_with_a_yubikey_at_boot [2024/03/19 23:13] – [On the Debian system] thomas
+++ public:unlocking_debian_luks_with_a_yubikey_at_boot [2024/03/22 23:20] (current) – thomas
@@ Line 1: / Line 1: @@
 ====== Unlocking Debian LUKS with a Yubikey at boot ======
+You can use a Yubikey to unlock a Debian system at boot. For general info on managing LUKS, see [[public:managing_luks_on_debian|]].
 ===== On the Yubikey =====
@@ Line 79: / Line 81: @@
 </code>
-Now, only the combination of your Yubikey and passphrase will be able to unlock the disk!
+Now, only the combination of your Yubikey (or any other Yubikey with the same secret key) and passphrase will be able to unlock the disk! Make sure that you either have multiple Yubikeys with the same secret key , or that you have multiple Yubikeys with different secret keys enrolled. Otherwise you may lose all your data when a key breaks or is lost.
+===== Optional: bypass the passphrase =====
+:!: If you bypass the passphrase, you'll only rely on something you have, and not something you know. **I strongly advise against this** as it is less secure, but it can be preferred in some environments where interaction is not feasible.
+Open ''/etc/ykluks.cfg'' and append the following line:
+<code bash>
+YUBIKEY_CHALLENGE="your passphrase here"
+</code>
+Then, update your initramfs again:
+<code bash>
+update-initramfs -u
+</code>
 ===== References =====
 https://packages.debian.org/unstable/yubikey-luks \\
 https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/
+{{tag>Debian LUKS Yubikey}}