YubiKey Full Disk Encryption
(yubikey support for LUKS)
- Build and install the package with the "debuild" tool and dpkg:
  $ debuild -us -uc
- Edit /etc/default/ykfde to select the correct partition (default: /dev/sda2).
- Use the YubiKey configuration tool to set a slot (default: slot #2) to HMAC challenge-response mode.
- Use the ykfdectl utility (installed by this package) to pair with your YubiKey.
On bootup, you will be asked to insert your YubiKey (2.2 or newer), which will then provide the response. If you do not want to use a YubiKey, press Enter and then enter a normal passphrase during bootup.
# ykfdectl update
This is still very basic.
# update-rc.d ykfde defaults
Or if you use systemd:
# systemctl enable ykfde.service
See /etc/default/ykfde
Normally used to select only the slot:
YKOPTS="-2"
The device which is used:
LUKS_DEVICE="/dev/sda2"
LUKS slot where your YubiKey-challenged key is stored:
LUKS_SLOT="7"
The challenge file, which is used to get a response:
CHALLENGE_FILE="/boot/yubikey-challenge"
- might need more error-handling.
- lacks a two-factor-mode
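
A mistake in the /etc/default/ykfde settings listed above only shows up at the next boot, so the following added example (not part of ykfde or its package) checks the four settings beforehand. The function names get_setting and check_ykfde_config are hypothetical, and the check assumes pairing has already been done, so a missing challenge file counts as a finding.

```shell
#!/bin/sh
# Added example (not part of ykfde): lint a ykfde defaults file.
# Values are parsed with sed, not sourced, so the file is never executed.

# get_setting FILE KEY: print the value of the last KEY=value line.
get_setting() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_ykfde_config FILE: print one finding per line, return the finding count.
check_ykfde_config() {
    conf=$1; n=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    ykopts=$(get_setting "$conf" YKOPTS)
    device=$(get_setting "$conf" LUKS_DEVICE)
    slot=$(get_setting "$conf" LUKS_SLOT)
    chal=$(get_setting "$conf" CHALLENGE_FILE)

    # The YubiKey slot should be named explicitly (-1 or -2).
    case " $ykopts " in
        *" -1 "*|*" -2 "*) ;;
        *) echo "YKOPTS: no YubiKey slot (-1 or -2) in '$ykopts'"; n=$((n+1)) ;;
    esac
    # The LUKS container must be a /dev path; a missing node is only noted.
    case $device in
        /dev/?*) [ -b "$device" ] || echo "note: $device is not a block device on this host" ;;
        *) echo "LUKS_DEVICE: '$device' is not a /dev path"; n=$((n+1)) ;;
    esac
    # LUKS1 has key slots 0-7, LUKS2 has 0-31.
    case $slot in
        ''|*[!0-9]*) echo "LUKS_SLOT: '$slot' is not a number"; n=$((n+1)) ;;
        *) [ "$slot" -le 31 ] || { echo "LUKS_SLOT: $slot out of range"; n=$((n+1)); } ;;
    esac
    # Assumption: pairing is done, so the challenge file must exist. It must not
    # be group/world writable: a changed challenge yields a different response.
    if [ ! -f "$chal" ]; then
        echo "CHALLENGE_FILE: '$chal' does not exist"; n=$((n+1))
    elif [ -n "$(find "$chal" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "CHALLENGE_FILE: '$chal' is group/world writable"; n=$((n+1))
    fi
    return "$n"
}

# Check a file only when one is given on the command line.
[ $# -eq 0 ] || check_ykfde_config "$1"
```

Run it as root with /etc/default/ykfde as the argument; an exit status of 0 means no findings.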