Hi, is it possible to use the YubiKey as MFA for full disk encryption (LUKS), so the computer can't be booted without the YubiKey?
Yes, it can be done using the tool ykluks found here: GitHub - the2nd/ykluks: Dracut module to use yubikey in challenge/response mode to unlock LUKS partition.
I have used it and it works great on Qubes 4.1.
Thank you!
Did someone also try the following one or have experience with it?
FYI - It's also possible to plug the Yubico into the PAM authentication daemon so that no logins, screen unlocks, or su's can be done without the YubiKey inserted. In many cases where the machine is to be left unattended after booting, this is an added protection. It just depends on your threat model as to whether this is a useful addition to your boot protection.
Before I retired I used a retractable lanyard while I was at my desk, and I obviously needed to unplug it if I left my desk for any reason. This added yet another layer of protection against intrusion, and any attempt at privilege escalation while I was away from my desk was logged by PAM, and I had it configured to be reported to me as soon as I logged back in. Any tampering while I was away was obvious.
https://developers.yubico.com/yubico-pam/
Thank you, that helps very much, nice addition.