Using in 1FA mode with multiple drives #79
Comments
Hey, I got a similar problem. In my case the OS is stored on one drive, data is stored on another, both holding the LUKS encryption layers and on top LVM volumes. After the installation of Debian 11 I followed the instructions to enroll the YubiKey and set up the /etc/crypttab file. As a result the root partition (and since this is part of the "System" volume group the whole first drive) is decrypted by the initramfs hook cryptroot during boot. The other drive is not decrypted using the YubiKey, but later in boot time, asking for the LUKS passphrase set during the Debian installation. As mentioned in /usr/share/initramfs-tools/hooks/cryptroot:
and
So, in my case the solution was to add the 'initramfs' option to each line in my crypttab. This will make cryptroot process all marked LUKS partitions in the initramfs stage. In my case it means I'm asked twice for a password used for challenge response with the YubiKey, since I'd like to use 2FA. In case of 1FA I can only guess that this will work too. It would be great to see a hint in the README since it took me a long time to figure it out, and I found some more people asking the same questions but having no answers. My crypttab looks like:
Hi! I've got a working solution that integrates To make this work, the passkey derived from the challenge needs to be cached by Plus - as pointed out by @SE-1523 - you'll have to add the The final solution looks like this: /etc/crypttab:
This requires a patch of
(Error checking removed for clarity.) and a patch of
And finally the If @Vincent43 or @cornelinux think that this change would be worthwhile, I could provide a PR. But as this requires quite some extra work on my part please comment first whether such an approach adds value and would be secure.
I may just be doing something wrong in my setup, but I am trying to use the 1FA mode with 8 SSDs at boot. I am running a freshly installed Debian stable (bullseye) installation.
Using the following ykluks.cfg file:
I have tried three crypttab configurations, one where only one drive decrypts on boot which works as expected, one where I am using the yubikey-luks keyscript with all drives at boot, and then another that attempts to use ykluks with decrypt_keyctl to cache the result for the other drives.
First configuration:
This works as you would expect, on boot, the system automatically queries the yubikey and then decrypts the main drive. I however want to decrypt all drives at boot if possible so I modified the crypttab to look like the following:
This, I would think, would be the default configuration; however, the behavior when running in this mode is that the password for one of the drives is asked (usually zfs_drive_1 or zfs_drive_2), and if I enter the manual password it would then decrypt all the rest of the drives and boot without any further prompts. The expected behavior is that the system just boots without user interaction; this will be important as this system will be a headless server.
Finally, I thought that perhaps it's running into an issue querying the yubikey so frequently so perhaps we could cache the result using the decrypt_keyctl keyscript however the system will no longer boot with the following crypttab:
This will result in the error
cryptsetup: ERROR: sda3_crypt: invalid value for keyscript options, skipping
I am not sure if it's possible to chain multiple keyscripts or how you would properly do it. For added clarity, I would do an
sudo update-initramfs -u
between each change of crypttab. I built yubikey-luks against the current master branch, so it's not the stale version in the stable repos. If anyone who has this working on multiple drives has any ideas about what I should be doing, please let me know!
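The two pitfalls in this thread (the `initramfs` option SE-1523 describes, and the question of chaining a second keyscript such as decrypt_keyctl) can both be caught by linting /etc/crypttab before running `update-initramfs -u`. The script below is an added example, not code from yubikey-luks, cryptsetup or any commenter here. It assumes the yubikey-luks keyscript is installed at /usr/share/yubikey-luks/ykluks-keyscript, and the UUIDs and entry names in the sample crypttab are constructed to mirror the issue (a root device plus data drives). It applies crypttab(5)'s rule that an entry takes a single keyscript= option, so two keyscripts on one line are flagged rather than chained, and it flags non-root entries with a keyscript but no `initramfs` option, which is the configuration that produced the passphrase prompt later in boot.

```shell
#!/bin/sh
# Added example (not yubikey-luks or cryptsetup code): lint a crypttab for the
# two mistakes discussed in yubikey-luks issue #79.
#   1. crypttab(5) takes one keyscript= per entry; a second one (for example
#      keyscript=decrypt_keyctl next to the ykluks keyscript) does not chain.
#   2. Entries other than root that should be unlocked by the keyscript in the
#      initramfs need the "initramfs" option, otherwise they are handled later
#      in boot and fall back to asking for the LUKS passphrase.
# The keyscript path and UUIDs below are assumed / constructed sample data.

YKLUKS_KEYSCRIPT=/usr/share/yubikey-luks/ykluks-keyscript   # assumed install path

# lint_crypttab FILE [ROOT_TARGET]
# Prints one finding per line. Returns 0 when clean, 1 when anything was flagged.
# ROOT_TARGET is exempt from the initramfs check: the cryptroot hook already
# processes the root device without the option.
lint_crypttab() {
    file=$1
    root=${2:-}
    status=0
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        n_keyscript=0
        has_initramfs=0
        old_ifs=$IFS
        IFS=,                                       # crypttab options are comma separated
        for opt in $options; do
            case "$opt" in
                keyscript=*) n_keyscript=$((n_keyscript + 1)) ;;
                initramfs)   has_initramfs=1 ;;
            esac
        done
        IFS=$old_ifs
        if [ "$n_keyscript" -gt 1 ]; then
            echo "$name: $n_keyscript keyscript= options, crypttab(5) allows only one"
            status=1
        fi
        if [ "$n_keyscript" -gt 0 ] && [ "$has_initramfs" -eq 0 ] && [ "$name" != "$root" ]; then
            echo "$name: keyscript set but no 'initramfs' option, so it is not unlocked in the initramfs"
            status=1
        fi
    done < "$file"
    return $status
}

# Constructed crypttab in the shape of the issue: root plus two data drives,
# one missing 'initramfs' and one trying to chain decrypt_keyctl.
sample_crypttab_bad() {
    cat <<EOF
# <target>  <source>                                   <key> <options>
sda3_crypt  UUID=11111111-1111-1111-1111-111111111111 none luks,keyscript=$YKLUKS_KEYSCRIPT
zfs_drive_1 UUID=22222222-2222-2222-2222-222222222222 none luks,keyscript=$YKLUKS_KEYSCRIPT
zfs_drive_2 UUID=33333333-3333-3333-3333-333333333333 none luks,keyscript=decrypt_keyctl,keyscript=$YKLUKS_KEYSCRIPT,initramfs
EOF
}

# The same drives with one keyscript per entry and 'initramfs' on the data drives.
sample_crypttab_fixed() {
    cat <<EOF
sda3_crypt  UUID=11111111-1111-1111-1111-111111111111 none luks,keyscript=$YKLUKS_KEYSCRIPT
zfs_drive_1 UUID=22222222-2222-2222-2222-222222222222 none luks,keyscript=$YKLUKS_KEYSCRIPT,initramfs
zfs_drive_2 UUID=33333333-3333-3333-3333-333333333333 none luks,keyscript=$YKLUKS_KEYSCRIPT,initramfs
EOF
}

# Demo on the constructed samples. On a real system run:
#   lint_crypttab /etc/crypttab sda3_crypt && update-initramfs -u
tmp=$(mktemp)
sample_crypttab_bad > "$tmp"
echo "== constructed crypttab with both mistakes =="
lint_crypttab "$tmp" sda3_crypt || echo "-> fix the entries above before update-initramfs -u"
sample_crypttab_fixed > "$tmp"
echo "== corrected crypttab =="
lint_crypttab "$tmp" sda3_crypt && echo "-> clean"
rm -f "$tmp"
```

Pass the root target name as the second argument so the root entry, which the cryptroot hook handles without the `initramfs` option, is not reported; every other entry that relies on a keyscript is expected to carry `initramfs`.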