
In this article, we will guide you through the process of setting up a Yubikey as a second factor of authentication (2FA) for Ubuntu Full-Disk Encryption (FDE) via LUKS. This guide is designed to provide step-by-step instructions and detailed explanations of the necessary commands and parameters.
Yubikey 2FA for Ubuntu FDE is a secure method of adding an extra layer of authentication to your Full-Disk Encryption using LUKS. By programming your Yubikey with an HMAC-SHA1 challenge-response configuration and enrolling it in a LUKS key slot, you can enhance the security of your system. However, it’s important to be aware of the security implications and to keep a backup passphrase in case you lose your Yubikey.
Prerequisites
Before we begin, it’s important to note that this guide assumes you have LUKS full-disk encryption already set up and working on your Ubuntu system. If you haven’t done this yet, you can follow this guide to set it up.
In addition, you should have a strong passphrase for your LUKS encryption. This passphrase will serve as your first factor of authentication, with Yubikey serving as the second.
Installing Necessary Packages
First, you need to install the yubikey-luks package. If you’re using Ubuntu 14.04, add the PrivacyIdea PPA to your system with the following command before installing the package:
sudo add-apt-repository ppa:privacyidea/privacyidea
For Ubuntu 16.04 and later, you can install the yubikey-luks package directly from the main Ubuntu repository:
sudo apt-get install yubikey-luks
Installing Yubikey Software
Now, you need to install the yubikey-personalization package. For Ubuntu 14.04, you can use the Yubico PPA:
sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install yubikey-personalization
For Ubuntu 16.04 and later, you can directly install the package from the main Ubuntu repository:
sudo apt-get install yubikey-personalization
Initializing Yubikey Slot for HMAC-SHA1
The next step is to program the second slot of your Yubikey with an HMAC-SHA1 configuration. This can be done using the ykpersonalize command:
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
In this command, -2 specifies the slot number, -ochal-resp enables challenge-response functionality, -ochal-hmac sets the challenge-response mode to HMAC-SHA1, -ohmac-lt64 sets the HMAC-SHA1 output to less than 64 bytes, and -oserial-api-visible makes the Yubikey serial number visible via the API.
Enrolling Yubikey to LUKS Slot
Now, you need to enroll your Yubikey to a LUKS slot. This involves appending the response from the Yubikey to one of the decryption keys in the LUKS configuration file (/etc/crypttab).
To do this, use the yubikey-luks-enroll command:
sudo yubikey-luks-enroll -d /dev/sda3 -s 7
In this command, -d /dev/sda3 specifies the device, and -s 7 specifies the LUKS key slot number.
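To make the two sections above concrete, here is an added Python illustration (not code from the yubikey-luks project) of what the HMAC-SHA1 slot computes and how the response extends the passphrase into the key material. It assumes the passphrase bytes are the challenge and the 40-hex-character response is appended to them, as described above; the secret is a constructed RFC 2202 test key, not a real one.

```python
import hashlib
import hmac

# A Yubikey HMAC-SHA1 slot holds a 20-byte secret. This is the RFC 2202
# test-case-1 key, used only as a constructed sample value.
SAMPLE_SECRET = bytes([0x0B] * 20)


def yubikey_hmac_response(secret: bytes, challenge: bytes) -> str:
    """Simulate the slot: HMAC-SHA1(secret, challenge) as 40 hex characters.

    In hmac-lt64 (variable-length input) mode the challenge must be
    shorter than 64 bytes, so that limit is enforced here as well.
    """
    if len(secret) != 20:
        raise ValueError("HMAC-SHA1 slot secret must be exactly 20 bytes")
    if not 1 <= len(challenge) < 64:
        raise ValueError("challenge must be 1..63 bytes in hmac-lt64 mode")
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def derive_luks_key(passphrase: str, secret: bytes) -> bytes:
    """Assumed key construction: passphrase is the challenge, response is
    appended to it. Without the Yubikey secret the response (and hence
    the key) cannot be reproduced, which is the point of the second factor.
    """
    challenge = passphrase.encode()
    response = yubikey_hmac_response(secret, challenge)
    return challenge + response.encode()


if __name__ == "__main__":
    key = derive_luks_key("Hi There", SAMPLE_SECRET)
    print(key.decode())
    # Same passphrase, different (wrong) Yubikey: different key material.
    print(derive_luks_key("Hi There", bytes(20)).decode())
```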
Changing the Encryption Challenge Passphrase
If you want to change the passphrase at a later date, you can reset the secret key using the ykpersonalize command:
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Then, enroll a new password into the LUKS key slot using the yubikey-luks-enroll command:
sudo yubikey-luks-enroll -d /dev/sda3 -s 7
Remember to replace /dev/sda3 and 7 with your actual device and slot number.
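Before and after re-enrolling, it is worth confirming that the Yubikey slot is the one you think and that a backup passphrase slot is still enabled. The following is an added Python check (not part of yubikey-luks) that parses LUKS1 `cryptsetup luksDump` output; the dump below is a constructed sample, and `check_device` assumes `cryptsetup` is on the PATH and run as root.

```python
import re
import subprocess

# Constructed sample of `cryptsetup luksDump /dev/sda3` (LUKS1 format),
# trimmed to the lines relevant here; not captured from a real device.
SAMPLE_LUKS_DUMP = """\
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
"""

SLOT_RE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)\b", re.MULTILINE)


def enabled_slots(dump: str) -> set:
    """Return the set of key slot numbers reported as ENABLED."""
    return {int(n) for n, state in SLOT_RE.findall(dump) if state == "ENABLED"}


def has_backup_slot(dump: str, yubikey_slot: int) -> bool:
    """True only if the Yubikey slot is enabled AND at least one other slot
    (the plain backup passphrase) is enabled, so a lost key is recoverable."""
    enabled = enabled_slots(dump)
    return yubikey_slot in enabled and bool(enabled - {yubikey_slot})


def check_device(device: str, yubikey_slot: int = 7) -> bool:
    """Run luksDump on a real device (needs root) and apply the check."""
    dump = subprocess.run(
        ["cryptsetup", "luksDump", device],
        check=True, capture_output=True, text=True,
    ).stdout
    return has_backup_slot(dump, yubikey_slot)


if __name__ == "__main__":
    print("enabled:", sorted(enabled_slots(SAMPLE_LUKS_DUMP)))
    print("backup slot present:", has_backup_slot(SAMPLE_LUKS_DUMP, 7))
```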
Conclusion
Setting up a Yubikey as a second factor of authentication for Ubuntu Full-Disk Encryption via LUKS enhances the security of your system. However, it’s important to be aware of the security implications and to ensure you have a backup passphrase in case you lose your Yubikey.
For more detailed instructions and troubleshooting, you can refer to the Yubikey documentation and the Ubuntu documentation.
Full-Disk Encryption (FDE) is a security measure that encrypts the entire hard drive, including the operating system and all files, to protect sensitive data from unauthorized access.
LUKS (Linux Unified Key Setup) is a disk encryption specification for Linux that provides a standard format for storing encrypted data and key management. It is commonly used for Full-Disk Encryption on Ubuntu.
Using a Yubikey as a second factor of authentication adds an extra layer of security to your Full-Disk Encryption setup. It ensures that even if someone gains access to your passphrase, they will still need physical possession of your Yubikey to unlock the encrypted disk.
No, this guide assumes that you already have LUKS full-disk encryption set up on your Ubuntu system. If you haven’t done this yet, you can follow the provided link to a guide on how to set it up.
The installation and setup process mentioned in this guide is specific to Ubuntu 14.04 and later versions. It may not work as expected on older versions of Ubuntu.
If you lose your Yubikey, you will not be able to unlock your encrypted disk without it. It is important to have a backup passphrase in case of such situations. You can still use the passphrase as the first factor of authentication to unlock the disk.
Yes, you can change the Yubikey passphrase at a later date. The guide provides instructions on how to reset the secret key and enroll a new password into the LUKS key slot.
For more detailed instructions and troubleshooting, you can refer to the Yubikey documentation and the Ubuntu documentation, which are linked in the article. They provide comprehensive information on the setup process and common issues that may arise.