Using a YubiKey as authentication for an encrypted disk
Image by Silas Köhler on Unsplash
Recently I built a small desktop computer to run applications that were a bit much for my laptop to handle, intending to bring it with me when I work outside my apartment. However, there was an immediate issue with this plan. Because this computer was intended for use with sensitive information/source code, I needed to encrypt the disk, which meant that I’d need to enter a passphrase before I could boot it up.
I didn’t really want to haul a keyboard and monitor around with me, so I came up with an alternative solution: using a YubiKey as my method of authentication. This allowed me to avoid the need to type a password without giving up security. In this post I’ll show you how you can do the same.
First off, you need a YubiKey, if you don’t have one already. I ended up getting the YubiKey 5C NFC.
While I waited for my YubiKey to arrive, I installed Ubuntu 20.04 with full-disk encryption (using the default option of LUKS, or Linux Unified Key Setup) on the computer. I set a passphrase like normal—the process I describe in this post allows access with either this passphrase or the YubiKey.
Next, there were two packages that I needed to configure everything:
- yubikey-personalization allows you to change the settings on your YubiKey. I installed it from the Ubuntu repository and had no problems.
- yubikey-luks is what lets you use the YubiKey as an authentication method for a LUKS setup. I initially installed this from Ubuntu’s repository as well, but the version they’ve got is fairly out of date and required both a YubiKey and passphrase instead of just the YubiKey. As I mentioned earlier, the main objective of setting this up was booting without a keyboard, so I installed the tool from source as detailed in its README.
Once you’ve got the above libraries installed, setup is simple. Step by step:
1. Configure your YubiKey to use challenge-response mode
A YubiKey has at least 2 “slots” for keys, depending on the model.
We will change only the second YubiKey slot so you will still be able to use your YubiKey for two-factor auth like normal.
Plug in your YubiKey and run the following command:
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
2. Find a free LUKS slot to use for your YubiKey
LUKS also allows for multiple key slots so that you can have different passphrases to unlock the encrypted data. Up to 8 key slots are available for LUKS1, and up to 32 for LUKS2.
Most setups only use the first slot for the main passphrase, but we can check by following these steps:
- First run
lsblkand figure out the name of your LUKS-encrypted disk partition. Mine was
- Now run
sudo cryptsetup luksDump /dev/nvme0n1p3. The output should look something like this:
LUKS header information Version: 2 Epoch: 11 Metadata area: [a smallish number] [bytes] Keyslots area: [a medium number] [bytes] UUID: [a UUID] Label: (no label) Subsystem: (no subsystem) Flags: (no flags) Data segments: 0: crypt offset: [a big number] [bytes] length: (whole device) cipher: aes-xts-plain64 sector: 512 [bytes] Keyslots: 0: luks2 [Lots of information about this slot] Tokens: Digests: 0: pbkdf2 Hash: sha256 Iterations: 370259 Salt: [A bunch of bytes in hex format] Digest: [A bunch of bytes in hex format]
You’re looking specifically for a free keyslot, and the output here only shows anything in slot 0, so slot 1 should be free.
3. Assign your YubiKey to a free slot
You can do this with the following command (substituting in your own partitition name and slot number):
sudo yubikey-luks-enroll -d /dev/nvme0n1p3 -s 1
This command will ask you for a passphrase. It doesn’t need to be a particularly complex one, because it’ll only work with your YubiKey.
4. Update crypttab and ykluks.cfg
Now you need to add
/etc/crypttab. For example, mine started as:
nvme0n1p3_crypt UUID=[uuid-here] none luks,discard
After the change, it should look like this:
nvme0n1p3_crypt UUID=[uuid-here] none luks,discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
Finally, you need to configure yubikey-luks to give the passphrase you just set so you don’t have to. Open
/etc/ykluks.cfg and add the line
YUBIKEY_CHALLENGE="[your new passphrase here]"
Once you’ve added this line, run
sudo update-initramfs -u and you’re done!
Now if you shut your machine off, plug in your YubiKey, and turn it on, it should boot all the way without needing a passphrase. If you forget to plug in the YubiKey before turning the computer on, you’ll probably need to hold the contact button on it for a second or two and then it should boot just the same.
And there you go! A YubiKey provides neat way to securely start up a computer with an encrypted disk without needing a passphrase.