Disregard my ignorance, but doesn't this defeat the purpose of having a YubiKey in the first place?
Hi, I have been using the YubiKey with this setup for a while now and I think it is really awesome. Now I installed it on a ThinkPad (i7-1290P, 32GB…Gen3). Interestingly, when I pull the key out, the system freezes, shuts down and reboots. It only does this with the ThinkPad; on my XPS I can keep working. Does anyone know what triggers the reboot and what one can do to prevent it?
Hello Rene,
I am running Qubes 4.2.4 R2 and I tried to follow your guide. I got stuck at the step to add the ykluks key to key slot 1 in the dom0 terminal window:
sudo cryptsetup luksAddKey --key-slot 1 /dev/nvme0n1p3
In my case, I am setting this up on a desktop, so the path is actually /dev/sda3 not /dev/nvme0n1p3, so my command to set the password was as follows:
sudo cryptsetup luksAddKey --key-slot 1 /dev/sda3
I made sure I got the correct value from:
sudo ./ykchalresp -2 <YOURPASSWORD>
Of course, substituting my bootup password in, and attempted to enter the response value when prompted.
Unfortunately, I get an error message stating “No key available with this passphrase.”, and I am unable to continue. Instead of setting the password, the system appears to be attempting to validate the password.
I confirmed that my path should be /dev/sda3 via running lsblk and looking at the path tree - /dev/sda branches down to:
/dev/sda1 which maps to /boot/efi
/dev/sda2 which maps to /boot
/dev/sda3 which maps to my crypto_LUKS partition
I also used the following command to confirm:
sudo lsblk /dev/sda -o NAME,KNAME,FSTYPE,TYPE,MOUNTPOINT,SIZE
/dev/sda3 definitely contains crypto_LUKS.
Your efforts to help me set the password will be much appreciated.
Thank you!
I’ve not seen that error before.
You can use cryptsetup luksDump /dev/sda3
to check whether both slot 0 and slot 1 are used.
If you have installed the key, maybe you didn't enter it correctly?
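The slot check suggested above, as an added example that is not from the thread or the ykluks guide: a small Python helper that parses the text `cryptsetup luksDump` prints (both the LUKS1 `Key Slot N: ENABLED` form and the LUKS2 `Keyslots:` section) and reports which slots hold a key and which one is free, plus a pre-flight for `luksAddKey --key-slot N`. The two dumps embedded below are constructed samples trimmed to the lines the parser looks at; the function names (`used_keyslots`, `next_free_slot`, `ready_for_add`) are chosen here. On a real system, feed it the stdout of `sudo cryptsetup luksDump /dev/sda3`.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `cryptsetup luksDump` on a LUKS2 device, trimmed to
# the lines the parser cares about; only key slot 0 is populated.
LUKS2_DUMP = """\
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
"""

# Constructed LUKS1 sample: slots 0 and 1 populated, the rest disabled.
LUKS1_DUMP = """\
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
        Iterations:             1234567
Key Slot 1: ENABLED
        Iterations:             1234567
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

_SECTION = re.compile(r"^[A-Za-z][^:]*:\s*$")          # e.g. "Keyslots:"
_LUKS1_SLOT = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)")
_LUKS2_SLOT = re.compile(r"^\s+(\d+): \S+")             # e.g. "  0: luks2"


def luks_version(dump: str) -> Optional[int]:
    m = re.search(r"^Version:\s*(\d+)", dump, re.M)
    return int(m.group(1)) if m else None


def used_keyslots(dump: str) -> List[int]:
    """Key slot numbers that hold a key, from luksDump text (LUKS1 or LUKS2)."""
    used, section = [], None
    for line in dump.splitlines():
        m = _LUKS1_SLOT.match(line)
        if m:
            if m.group(2) == "ENABLED":
                used.append(int(m.group(1)))
            continue
        if _SECTION.match(line):
            section = line.strip().rstrip(":")
            continue
        # LUKS2 numbers "Data segments:" and "Digests:" entries from 0 too,
        # so only count numbered entries inside the Keyslots section.
        if section == "Keyslots":
            m = _LUKS2_SLOT.match(line)
            if m:
                used.append(int(m.group(1)))
    return sorted(used)


def next_free_slot(dump: str) -> Optional[int]:
    """Lowest empty slot: LUKS1 has 8 slots, LUKS2 has 32."""
    total = 8 if luks_version(dump) == 1 else 32
    used = set(used_keyslots(dump))
    return next((n for n in range(total) if n not in used), None)


def ready_for_add(dump: str, new_slot: int = 1) -> Tuple[bool, str]:
    """Pre-flight for `cryptsetup luksAddKey --key-slot N`: some slot must
    already hold the current passphrase, and the target slot must be empty."""
    used = used_keyslots(dump)
    if not used:
        return False, "no populated key slot; nothing to authenticate with"
    if new_slot in used:
        return False, (f"slot {new_slot} already holds a key; use slot "
                       f"{next_free_slot(dump)} or luksKillSlot it first")
    return True, (f"slot {new_slot} is free; luksAddKey asks for an existing "
                  f"passphrase (slot(s) {used}) first, then the new one twice")


if __name__ == "__main__":
    for name, dump in (("LUKS2", LUKS2_DUMP), ("LUKS1", LUKS1_DUMP)):
        print(name, "used:", used_keyslots(dump), "next free:", next_free_slot(dump))
        print("  ", ready_for_add(dump, 1))
```

The order of prompts matters for the error in the thread: `luksAddKey` first asks for any passphrase that already unlocks the header (the current boot password in slot 0), and only after that for the new passphrase (the ykchalresp output). Typing the ykchalresp response at the first prompt produces exactly "No key available with this passphrase."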
Hi Rene,
Thank you for your response. I had executed the cryptsetup luksDump /dev/sda3 command before trying to add the key, and confirmed that only slot 0 is being used.
My only thought is that since I use special characters in my bootup password, I need to escape it. Initially I enclosed the entire password in double-quotes when executing:
sudo ./ykchalresp -2 <YOURPASSWORD>
So it was something like this:
sudo ./ykchalresp -2 "<YOURPASSWORD>"
I think maybe I need to escape the password by enclosing it in single quotes - perhaps that’s why it failed?
I’ll try again and let you know what happens.
Thank you!
This is a better script for LUKS Yubikey
Has anyone tested with Qubes?
I will add to this that, if you don't require touch for YubiKey challenge-response, you may lower the security significantly if your password is weak.
Someone with the machine and the YubiKey can brute-force the disk. Touch is necessary to prevent that.
You should lock down the YubiKey with the various PINs, and keep the YubiKey PINs and the challenge-response key secret.
Hello Rene,
I tried again by escaping my root password using single quotes and got the same error.
To eliminate the possibility of the issue being caused by the special characters in my password, I changed it to using only a short sequence of lower-case letters. That did not fix the problem - I got the same error message.
I experimented a bit by entering my changed LUKS password first and found that it prompted me for the new password. For that, I entered the value from ykchalresp, and it asked me to confirm the value so I entered it again.
The next step got me stuck again - I went into the /etc/default/grub file and did change the rd.luks.uuid line to rd.ykluks.uuid.
There was no rd.qubes.hide_all_usb in that file, so I wasn’t able to change it. Can you tell me why?
I rebooted and it asked me to insert the YubiKey, but neither my simple bootup LUKS password nor the challenge response worked, so now I cannot boot.
I will have to reinstall Qubes, but I am now stuck with no apparent steps with which to move toward a solution. Please advise what changes or steps I should make next.
Thank you in advance for your help.