Re: Yubikey and LUKS on testing (Buster)
- Date: Wed, 20 Feb 2019 14:19:09 -0000 (UTC)
- From: Curt <curty@xxxxxxx>
- Subject: Re: Yubikey and LUKS on testing (Buster)
On 2019-02-20, Georgios Pediaditis <gped@xxxxxxxxxxx> wrote:
>> As far as it accepting the non-yubikey password, remember that a LUKS
>> container has multiple key slots (8 or 24, I do not recall precisely at
>> the moment). Accessing a LUKS container only requires that a single key
>> be unlocked, so any available password is sufficient to gain access.
>> Once you have the yubikey-based password working, you will need to
>> remove the other key slot if you no longer want that password to unlock
>> the container.
> Thanks for your reply.
> I know that it has multiple slots. For the time being that's the only
> reason I can open my laptop :-p
> It must be challenge response and not static password since I already
> use the yubikey slot 1 and I need to use yubikey slot 2 with challenge
> response on other services.
> Thanks again for your help
As you omitted the part about appending
'keyscript=/usr/share/yubikey-luks/ykluks-keyscript' to your
/etc/crypttab file and subsequently running 'update-initramfs -u' in
your description of your procedure, I'm wondering whether you
inadvertently skipped that step.
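
One way to check for the step mentioned in the reply above, as an added example that is not part of the original message: the function name `crypttab_missing_keyscript` is hypothetical and the sample crypttab entries are constructed for illustration.

```shell
#!/bin/sh
# Keyscript path as quoted in the message above.
KEYSCRIPT=/usr/share/yubikey-luks/ykluks-keyscript

# Print the target name of every crypttab entry whose options field
# (4th field) does not contain keyscript=$KEYSCRIPT.
# Argument: path to a crypttab-format file.
crypttab_missing_keyscript() {
    # crypttab fields: <target> <source device> <key file> <options>
    awk -v want="keyscript=$KEYSCRIPT" '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        {
            found = 0
            n = split($4, opts, ",") # options are comma-separated
            for (i = 1; i <= n; i++)
                if (opts[i] == want) found = 1
            if (!found) print $1     # entry would still prompt for a passphrase only
        }' "$1"
}

# Constructed sample: one entry without the keyscript, one with it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <target> <source device> <key file> <options>
sda5_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
data_crypt UUID=00000000-0000-0000-0000-000000000002 none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
EOF

echo "Entries without the yubikey-luks keyscript:"
crypttab_missing_keyscript "$sample"
rm -f "$sample"
```

Run the function against `/etc/crypttab` on the real system; any entry it lists needs the option appended, followed by `update-initramfs -u` as described in the message.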