I have a LUKS encrypted drive on KDE Neon 5.27. The LUKS password is long and tedious to type in. Given how much KDE reboots, I'm tired of typing in my password, so I bought a Yubikey to speed up the process. Then I followed the instructions on https://github.com/cornelinux/yubikey-luks or, more specifically, I did:

  1. sudo apt update && sudo apt install yubikey-personalization-gui yubikey-luks -y
  2. Insert Yubikey
  3. ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
  4. yubikey-luks-enroll
  5. Set the Yubikey passphrase to something easier.
  6. lsblk
  7. Discover that I have two encrypted partitions, /root and swap.
  8. Edit /etc/crypttab adding ,keyscript=/usr/share/yubikey-luks/ykluks-keyscript to the end of the line for each of the encrypted partitions.
  9. Ran update-initramfs -u
  10. Rebooted

Unfortunately, when my system booted up again, I still had to enter my full LUKS password. After that, I was prompted to use my Yubikey with its passphrase twice to complete the login. The end result is that login now requires an additional step on top of typing in the long and tedious password from before.
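
A check for step 8, added here as an example (it is not part of the original post or of the yubikey-luks project): it parses a crypttab file and reports which entries carry the exact keyscript option. The sample entries and UUIDs are constructed, and check_crypttab and sample_crypttab are hypothetical names.

```shell
#!/bin/sh
# Added example: report which crypttab entries carry the keyscript option
# from step 8. crypttab fields: <target> <source device> <key file> <options>

KEYSCRIPT=/usr/share/yubikey-luks/ykluks-keyscript   # path quoted in step 8

# check_crypttab FILE SCRIPT -> one line per entry: "<target> ok|missing"
check_crypttab() {
    want="keyscript=$2"
    while read -r target source keyfile options _rest || [ -n "$target" ]; do
        case $target in
            ''|\#*) continue ;;        # blank line or comment
        esac
        # Options are comma-separated; wrapping both sides in commas gives an
        # exact match, so a different script path does not count.
        case ",$options," in
            *",$want,"*) echo "$target ok" ;;
            *)           echo "$target missing" ;;
        esac
    done < "$1"
}

# Constructed sample: target names and UUIDs are placeholders.
sample_crypttab() {
    cat <<'EOF'
# <target> <source device> <key file> <options>
root_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
swap_crypt UUID=00000000-0000-0000-0000-000000000002 none luks,discard
EOF
}

tmp=$(mktemp)
sample_crypttab > "$tmp"
check_crypttab "$tmp" "$KEYSCRIPT"
rm -f "$tmp"
```

On a real system, call check_crypttab /etc/crypttab "$KEYSCRIPT" after editing the file and before running update-initramfs -u.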

1 Answer

I found the solution was to use a static password with my Yubikey. This defeats the Yubikey feature of 2FA security, instead only providing 1FA, but for the stated purpose of speeding up the authentication process, this is a fair trade-off.

Yubico has a tutorial video explaining how to do this: https://www.youtube.com/watch?v=Hd1hYyGcSEg

The general steps are:

  1. Install the YubiKey Personalization tool:
       sudo add-apt-repository ppa:yubico/stable
       sudo apt-get update
       sudo apt-get install yubikey-personalization yubikey-personalization-gui
  2. Insert your Yubikey.
  3. Run the personalization tool.
  4. Select Static Password Mode.
  5. Select slot 2.
  6. Click the "Scan Code" button.
  7. Type your LUKS password into the password box.
  8. Click the Write Configuration button.
  9. Store the configuration_log.csv file somewhere safe or delete it (your choice).
  10. Open up a text editor.
  11. Press the button on your YubiKey for 3 seconds or longer.
  12. When you see your password show up followed by a new line, you know that it works.
  13. Delete the text, close your editor, and reboot.
  14. When prompted for your password, insert the YubiKey, long press for 3 seconds, and you're in.

*For additional security, you can leave the first few characters of your password out when setting up the YubiKey. Then each time you'll have to enter that missing portion of the password first, before long pressing the YubiKey button.
