-
Notifications
You must be signed in to change notification settings - Fork 56
Noob Install by noob :
-Installation-
When encrypting your drive from install pick a very secure and complex passphrase!
Note: if you are not familiar with this topic, stop now and backup your data. Partitions can change from machine to machine along with slots. You can easily nuke or lock yourself out of your machine forever.
---From CLI---
Gain root:
sudo su -
Prepare YubiKey (make sure you plug it into your usb):
apt-get install yubikey-personalization ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Install PrivacyIdea yubikey package:
add-apt-repository ppa:privacyidea/privacyidea apt-get install yubikey-luks
Verify where your encrypted drive is (mine is /dev/sda5): Luks Dump the device and verify slot 7 is disabled:
cryptsetup -v luksDump /dev/sda5
To clear slot use:
cryptsetup luksKillSlot /dev/sda5 7
Create temporary random key for slot:
dd if=/dev/sda5 of=luks-secret.key bs=1 count=4096
Assign key to slot 7:
cryptsetup luksAddKey /dev/sda5 luks-secret.key --key-slot 7
Enroll your YubiKey; note: -d = device, -s = slot:
yubikey-luks-enroll -d /dev/sda5 -s 7
It will ask you for password (use the original passphrase you used to encrypt the disk) It will ask you for a new password. It will ask you to enter it a second time. It will ask you for a new passphrase.
Shred your temporary key file:
shred --remove --zero luks-secret.key
Reboot:
reboot
When logging in you can type your really crazy long passphrase without the yubi key and gain entry. If you are in hostile place simply plugin your yubikey and enter your new password. It will only authenticate if the yubikey is plugged directly into your laptop. _When you leave your laptop take your yubikey with you to prevent any shoulder surfers from gaining access even if they have your new pass. _
Hope this helps noobs like me.