Reference:
https://github.com/espegro/yubikey-luks
sudo apt install -y yubikey-luks yubikey-personalization
Insert the YubiKey.
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -ochal-btn-trig -y
Firmware version 5.2.4 Touch level 1285 Program sequence 1
Configuration data to be written to key configuration 2:
fixed: m:
uid: n/a
key: h:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
acc_code: h:000000000000
OATH IMF: h:0
ticket_flags: CHAL_RESP
config_flags: CHAL_HMAC|HMAC_LT64|CHAL_BTN_TRIG
extended_flags: SERIAL_API_VISIBLE
Commit? (y/n) [n]: y
Identify the name of the encrypted partition:
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 4K 1 loop /snap/bare/5
loop10 7:10 0 476K 1 loop /snap/snapd-desktop-integration/157
nvme0n1 259:0 0 476,9G 0 disk
├─nvme0n1p1 259:1 0 1G 0 part /boot/efi
├─nvme0n1p2 259:2 0 2G 0 part /boot
└─nvme0n1p3 259:3 0 473,9G 0 part
└─dm_crypt-0 252:0 0 473,9G 0 crypt
└─ubuntu--vg-ubuntu--lv 252:1 0 100G 0 lvm /var/snap/firefox/common/host-hunspell
In our case the partition is nvme0n1p3.
Check that slot 1 is empty:
sudo cryptsetup luksDump /dev/nvme0n1p3
LUKS header information
Version: 2
Epoch: 3
...
Data segments:
0: crypt
....
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
...
Tokens:
Digests:
0: pbkdf2
Hash: sha256
...
Assign the YubiKey to slot 1 (the second slot):
sudo yubikey-luks-enroll -d /dev/nvme0n1p3 -s 1
setting disk to /dev/nvme0n1p3.
setting slot to 1.
This script will utilize slot 1 on drive /dev/nvme0n1p3. If this is not what you intended, exit now!
Adding yubikey to initrd
Please enter the yubikey challenge password. This is the password that will only work while your yubikey is installed in your computer:
Type the challenge associated with your YubiKey (a password).
This is not the disk encryption key!
This challenge will also have to be entered in the file (the YUBIKEY_CHALLENGE line below).
Please enter the yubikey challenge password again:
Note: you must touch the YubiKey, which should be blinking at this point.
Please provide an existing passphrase. This is NOT the passphrase you just entered, this is the passphrase that you currently use to unlock your LUKS encrypted drive:
<TYPE THE DISK ENCRYPTION KEY>
Add the following options to the entry for the encrypted volume: discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
Initial
dm_crypt-0 UUID=277cf54a-eea2-4c61-85d0-66b2fb4573f4 none luks
Final
dm_crypt-0 UUID=277cf54a-eea2-4c61-85d0-66b2fb4573f4 none luks,discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
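Added example (not code from yubikey-luks or from this note): two POSIX sh helpers that work on text read from stdin, so they can be checked offline against sample output before being used on a real disk. One checks the `cryptsetup luksDump` output for whether the target keyslot is still free (the check done by hand above); the other appends `discard,keyscript=...` to the volume's crypttab entry without duplicating options that are already present.

```shell
#!/bin/sh
# Added example, not part of yubikey-luks or of the note above.
# Both helpers read their input from stdin so they can be tested on
# sample text before being pointed at a real disk or /etc/crypttab.

# luks_keyslot_used SLOT
# Reads `cryptsetup luksDump` (LUKS2) output on stdin and returns 0 if
# keyslot SLOT is listed under "Keyslots:", 1 if it is free. Entries under
# "Tokens:" / "Digests:" also start with "N:" and must not be counted.
luks_keyslot_used() {
    awk -v s="$1" '
        /^Keyslots:/           { in_ks = 1; next }
        /^(Tokens|Digests):/   { in_ks = 0 }
        in_ks && $1 == (s ":") { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# crypttab_add_options NAME OPTIONS
# Reads crypttab text on stdin and appends the comma-separated OPTIONS to
# the 4th field of the line whose mapper name is NAME, skipping any option
# that is already present, so running it twice is harmless. Other lines
# are printed unchanged (fields of the edited line are re-joined with spaces).
crypttab_add_options() {
    awk -v name="$1" -v add="$2" '
        $1 == name {
            n = split(add, want, ",")
            opts = $4
            for (i = 1; i <= n; i++) {
                if (opts == "")
                    opts = want[i]
                else if (index("," opts ",", "," want[i] ",") == 0)
                    opts = opts "," want[i]
            }
            $4 = opts
        }
        { print }'
}

# Typical use on a live system (device and mapper names from the note above):
#   sudo cryptsetup luksDump /dev/nvme0n1p3 | luks_keyslot_used 1 \
#       && echo "keyslot 1 is already in use, pick another slot" >&2
#   crypttab_add_options dm_crypt-0 \
#       'discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript' \
#       < /etc/crypttab > /tmp/crypttab.new   # review, then copy into place
```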
Note:
The ykluks-keyscript shipped with Ubuntu does not seem to work;
replace it with: https://github.com/cornelinux/yubikey-luks/blob/master/key-script
Add:
YUBIKEY_CHALLENGE="challenge associé a votre yubibey"
update-initramfs -u
At the next reboot, you will be prompted for the YubiKey.
There is nothing to type; just touch the key when it blinks.