YubiKey for LUKS encryption

After setting up LUKS encryption for my root filesystem, I was wondering if you can use a YubiKey to secure it. Turns out you can!

With the setup described in my previous post there are two practical ways in which you can use your YubiKey: As a second factor necessary to access your partition or as a single factor alternative to a passphrase.

Using a long and complicated passphrase makes cracking LUKS (especially LUKS2) encryption an unlikely attack vector, but makes the boot process tedious if you're in a hurry. On the other hand, I want a “backup” method of accessing my files, if I lose the token. Of course, I can restore them from a backup too, but that might not be possible while not at home or somewhere without internet access. I will outline the process of setting up the YubiKey as an alternative to a long passphrase on Arch linux. The hardware token is my main way of accessing the LUKS encrypted partiton, while there also is a long passphrase written down and stored safely somewhere that can be used alternatively.

Some LUKS basics

LUKS provides 8 key slots. These are not used to encrypt your data directly, but only to guard a master encryption key. This is the key that is responsable for encrypting all your precious bits. The slots can all be set and used independently, any one of them (if in use) can be used on it's own to access the master key.

This allows you to change the passphrase you need to enter to access the data without having to reencrypt the whole partition.

We will secure one of the slots with the yubikey and a different one with our backup passphrase.

You can use cryptestup to see your current configuration. In particular the Keyslots: section will show the slots in use.

cryptsetup luksDump /dev/sdb3


yubikey-full-disk-encryption package

comments powered by Disqus