nixos-yubikey-luks
1FA with YubiKey OR password
I know it's probably not a traditional setup, but I'm wondering if I can use YubiKey or password for 1FA. If YubiKey is not present, I would enter my password. Otherwise, YubiKey would open the luks partition.
Is it possible?
Thanks in advance!
Sorry, I know it's been forever. This is definitely possible. Normally, NixOS will wait for a specified timeout for the Yubikey, and then fall back to manual entry.
What you'll want to do is set up the Yubikey for PBA, as mentioned in this guide. Then add another key with luksAddKey, and you should be good to go.
@sgillespie can you add a passphrase after this has been set up? Similar to my other comment, luksAddKey requests "Enter any existing passphrase:", which seems to be a challenge when you used this initial setup.
Yes I believe this is possible. You'll need to calculate the existing passphrase, though. I created a script to open the device here: https://github.com/sgillespie/nixos-yubikey-luks/blob/master/yk-luks-open.sh. I think you can modify the last line to print the key, rather than opening the device.
@sgillespie thanks, I found this in the official NixOS documentation, and it worked for me :)
```bash
#!/usr/bin/env bash
# Recompute the LUKS key that PBA derives from passphrase + YubiKey, so that a
# second key slot can be added with cryptsetup. Requires the rbtohex and
# pbkdf2-sha512 helpers from the NixOS YubiKey guide and ykchalresp
# (yubikey-personalization) on the PATH.
# Be sure to delete luks.key afterwards
set -euo pipefail
KEY_LENGTH=512        # key size in bits, as used when the volume was formatted
ITERATIONS=1000000    # PBKDF2 iteration count, as used when the volume was formatted
# Passphrase used at luksFormat time (read without echo)
read -rs -p "Passphrase: " k_user; echo
# Challenge = SHA-512 of the salt line stored in /boot/crypt-storage/default, as hex
challenge=$(head -n1 /boot/crypt-storage/default | tr -d '\n' | openssl dgst -binary -sha512 | rbtohex)
# Response = HMAC-SHA1 from YubiKey slot 2 (-2) for the hex challenge (-x), as hex
response="$(ykchalresp -2 -x "$challenge" 2>/dev/null)"
# Raw LUKS key = PBKDF2-SHA512(password = passphrase, salt = response)
echo -n "$k_user" | pbkdf2-sha512 $((KEY_LENGTH / 8)) "$ITERATIONS" "$response" > luks.key
# Now, you can pass the luks.key to any cryptsetup command. For instance,
# if you want to add another key to your setup.
cryptsetup luksAddKey /dev/nvme0n1p2 luks.key
rm luks.key
```
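To make explicit what the shell pipeline above computes (and why a second, passphrase-only slot can be added with the derived key), here is an added Python model of the same derivation. It is not code from the nixos-yubikey-luks repository or the NixOS guide. The YubiKey is stood in for by a plain HMAC-SHA1 over a constructed secret, the salt line of /boot/crypt-storage/default is a constructed value, and it assumes the pbkdf2-sha512 helper decodes its hex salt argument to bytes before running PBKDF2.

```python
import hashlib
import hmac

KEY_LENGTH_BITS = 512      # key size used at luksFormat time
ITERATIONS = 1_000_000     # PBKDF2 iteration count used at luksFormat time

# Constructed stand-in for the first line of /boot/crypt-storage/default (a hex salt).
CRYPT_STORAGE_LINE = "4f9d2a7c1b0e8f6d3c5a9b7e2d1f0c8a\n"
# Constructed stand-in for the HMAC-SHA1 secret programmed into YubiKey slot 2.
EMULATED_YUBIKEY_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


def yubikey_challenge(storage_line: str) -> bytes:
    """head -n1 ... | tr -d '\\n' | openssl dgst -binary -sha512.

    Note the digest is taken over the ASCII hex text of the line, not over
    the bytes that text encodes; the hex form is what ykchalresp -x receives.
    """
    return hashlib.sha512(storage_line.rstrip("\n").encode("ascii")).digest()


def emulated_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for `ykchalresp -2 -x <hex challenge>`: HMAC-SHA1 (20 bytes)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_luks_key(passphrase: str, response: bytes,
                    key_bits: int = KEY_LENGTH_BITS,
                    iterations: int = ITERATIONS) -> bytes:
    """echo -n $k_user | pbkdf2-sha512 <bytes> <iterations> <response hex>.

    Password is the user passphrase, salt is the YubiKey response, output is
    the raw key file that cryptsetup consumes (--key-file / luksAddKey).
    """
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                               response, iterations, dklen=key_bits // 8)


def key_file_for(passphrase: str, iterations: int = ITERATIONS) -> bytes:
    """Full chain: salt line -> challenge -> (emulated) response -> LUKS key."""
    challenge = yubikey_challenge(CRYPT_STORAGE_LINE)
    response = emulated_response(EMULATED_YUBIKEY_SECRET, challenge)
    return derive_luks_key(passphrase, response, iterations=iterations)


if __name__ == "__main__":
    key = key_file_for("correct horse battery staple")
    # The same passphrase and token always reproduce the same key file, which is
    # what lets you feed it to `cryptsetup luksAddKey` to add a fallback slot.
    print(len(key), "bytes:", key.hex())
```

The two properties worth checking are that the derivation is deterministic (the recomputed key file must match the one used at luksFormat time, or luksAddKey will reject it) and that changing either the passphrase or the token response changes the whole key, which is why losing the YubiKey without a second slot means losing the volume.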