Vincent43

You have to tell the script which container you want to open, /dev/sda3 is example default. Use `yubikey-luks-open -h` to see what options are available.

I think systemd is relevant only for optional suspend script. If you get rid of [this part](https://github.com/cornelinux/yubikey-luks/blob/master/debian/rules#L9) then it should work. Please try.

Dependencies are declared in deb [control](https://github.com/cornelinux/yubikey-luks/blob/master/debian/control) file.

Both build-deps and package deps are listed there including some of those you listed above.

There are existing tools for using YubiKey as a smartcard with stored gpg key which can be protected by PIN: https://github.com/fuhry/initramfs-scencrypt. Anyway, YubiKey secret is protected by your password and...

Oh, I didn't grasp that you mean _torture_ as literal not just _brute-forcing password_ (I'm not sure if not revealing password/PIN is the best outcome in that case :smile:) I...

> It is NOT possible to read the private key back from the slot anyhow (even with the PIN). Assuming you fully trust YubiKey closed source firmware/hardware :smile:. > If...

> It's like 2-phase authentication. It combines something you have with something you know. If one of those fails, there is still the second one. So, at least you can't...

I think that you overestimate rotating password utility and the whole "One Time Password" concept with LUKS. Keep in mind that LUKS passphrase is used only for decrypting real key...

Well, if you setup 2FA and attacker get all of them your are owned no matter what. I'm not sure if I understand you correctly but as you said password...