Full disk encryption with Yubikey (Yubico key) for mkinitcpio

This allows to automatically unlock a LUKS encrypted hard disk from systemd- enabled initramfs.

Requirements

To compile and use yubikey full disk encryption you need:

• yubikey-personalization
• iniparser
• systemd
• cryptsetup
• keyutils and linux with CONFIG_KEYS
• mkinitcpio
• markdown (HTML documentation)
• libarchive (Update challenge on boot)

Additionally it is expected to have make and pkg-config around to successfully compile.

Build and install

Building and installing is very easy. Just run:

make

followed by:

make install-mkinitcpio

This will place files to their desired places in filesystem.

Usage

config files /etc/crypttab.initramfs and /etc/ykfde.conf

Make sure systemd knows about your encrypted device by adding a line to /etc/crypttab.initramfs. It should read like:

mapping-name /dev/LUKS-device -

Usually there is already an entry for your device.

Update /etc/ykfde.conf with correct settings. Add mapping-name from above to device name in the general section. Then add a new section with your key's decimal serial number containing the key slot setting. The minimal file should look like this:

[general]
device name = crypt

[1234567]
luks slot = 1

Be warned: Do not remove or overwrite your interactive key! Keep that for backup and rescue!

key setup

ykfde will read its information from these files and understands some additional options. Run ykfde --help for details. Then prepare the key. Plug it in, make sure it is configured for HMAC-SHA1. After that run:

ykfde

This will store a challenge in /etc/ykfde.d/ and add a new slot to your LUKS device. When ykfde asks for a passphrase it requires a valid passphrase from available slot.

Alternatively, adding a key with second factor (foo in this example) is as easy:

ykfde --new-2nd-factor foo

To update the challenge run:

ykfde --2nd-factor foo

And changing second factor (from foo to bar in this example) is straight forward:

ykfde --2nd-factor foo --new-2nd-factor bar

The current and new second factor can be read from terminal, increasing security by not displaying on display and not writing to shell history. Use switches --ask-2nd-factor and --ask-new-2nd-factor for that.

Make sure to enable second factor in /etc/ykfde.conf.

cpio archive with challenges

Every time you update a challenge and/or a second factor run:

ykfde-cpio

This will write a cpio archive /boot/ykfde-challenges.img containing your current challenges. Enable systemd service ykfde to do this automatically on every boot:

systemctl enable ykfde.service

mkinitcpio hook ykfde

Last add ykfde to your hook list in /etc/mkinitcpio.conf. You should already have systemd and sd-encrypt there as a systemd-enabled initramfs is prerequisite. Now rebuild your initramfs with:

mkinitcpio -p linux

boot loader

Update you grub configuration by running:

grub-mkconfig -o /boot/grub/grub.cfg

This will add new boot entry that loads the challenges. With other boot loaders make sure to load the cpio archive /boot/ykfde-challenges.img as additional initramfs.

Reboot and have fun!