Re: Yubikey and LUKS on testing (Buster)




On 2019-02-20, Georgios Pediaditis <gped@xxxxxxxxxxx> wrote:
>
>> As far as it accepting the non-yubikey password, remember that a LUKS
>> container has multiple key slots (8 or 24, I do not recall precisely at
>> the moment).  Accessing a LUKS container only requires that a single key
>> be unlocked, so any available password is sufficient to gain access.
>> Once you have the yubikey-based password working, you will need to
>> remove the other key slot if you no longer want that password to unlock
>> the container.
>
> Thanks for your reply.
>
> I know that it has multiple slots. For the time being that's the only
> reason I can open my laptop :-p
>
> It must be challenge response and not static password since I already
> use the yubikey slot 1 and I need to use yubikey slot 2 with challenge
> response on other services.
>
> Thanks again for your help
>
>

As you omitted the part about appending
'keyscript=/usr/share/yubikey-luks/ykluks-keyscript' to your
/etc/crypttab file and subsequently running 'update-initramfs -u' in
your description of your procedure, I'm wondering whether you
inadvertently skipped that step.

https://github.com/cornelinux/yubikey-luks
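
One way to confirm the crypttab step described in the reply above, as an added example that is not part of the original message or of the yubikey-luks project: the script reports, for each crypttab entry, whether its options field carries the keyscript path quoted in the message. The sample entries, UUIDs and the second keyscript path are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a crypttab file for the yubikey-luks keyscript option.
# crypttab fields: <target> <source device> <key file> <options>

KEYSCRIPT=/usr/share/yubikey-luks/ykluks-keyscript   # path quoted in the message above

# Print "target<TAB>status" for every entry in the given crypttab file.
# status: ok      = keyscript option points at $KEYSCRIPT
#         missing = no keyscript= option at all
#         other   = a different keyscript is configured
check_crypttab() {
    awk -v want="$KEYSCRIPT" '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            status = "missing"
            n = split($4, opts, ",")           # options are comma-separated
            for (i = 1; i <= n; i++) {
                if (opts[i] == "keyscript=" want) { status = "ok"; break }
                if (opts[i] ~ /^keyscript=/)      { status = "other" }
            }
            printf "%s\t%s\n", $1, status
        }
    ' "$1"
}

# Constructed sample input (not from the thread); UUIDs and the
# /usr/local/sbin/example-keyscript path are hypothetical placeholders.
sample_crypttab() {
    cat <<'EOF'
# <target> <source> <keyfile> <options>
sda5_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
data_crypt UUID=00000000-0000-0000-0000-000000000002 none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
swap_crypt UUID=00000000-0000-0000-0000-000000000003 none luks,keyscript=/usr/local/sbin/example-keyscript
EOF
}

# Run the check over the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_crypttab > "$tmp"
    check_crypttab "$tmp"
    rm -f "$tmp"
}

# With a file argument, audit that file (e.g. /etc/crypttab); otherwise run the demo.
if [ $# -gt 0 ]; then check_crypttab "$1"; else demo; fi
```

An entry reported as `missing` still needs the option appended, and the initramfs must be regenerated with 'update-initramfs -u' afterwards, as the message says.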