
No key available with this passphrase. However, I enter the correct old passphrase

Open ibahnasy opened this issue 7 months ago • 5 comments

# ykfde-enroll -d /dev/nvme0n1p3 -s 0 -o
INFO: Setting device to '/dev/nvme0n1p3'.
INFO: Setting LUKS keyslot to '0'.
INFO: Using old YubiKey for passphrase
WARNING: This script will utilize LUKS keyslot '0' on device '/dev/nvme0n1p3'.  If this is not what you intended, please abort.
 > Please provide the challenge.
   Enter challenge: 
 > Please repeat the challenge.
   Enter challenge: 
   Remember to touch the device if necessary.
Please insert old YubiKey for existing keyslot.
 > Please provide the old challenge.
   Enter challenge: 
 > Please repeat the old challenge.
   Enter challenge: 
   Remember to touch the old device if necessary.
 > Adding new LUKS passphrase with 'cryptsetup'...
WARNING: The --key-slot parameter is used for new keyslot number.
No key available with this passphrase.

ibahnasy avatar Apr 06 '25 17:04 ibahnasy

Can you confirm that testing with ykfde-open -d /dev/nvme0n1p3 -s 0 -t and providing the old challenge works?

You may also add the -v option to see what secrets are passed (don't paste the output here without removing the secrets):

ykfde-enroll -d /dev/nvme0n1p3 -s 0 -o -v
ykfde-open -d /dev/nvme0n1p3 -s 0 -t

Vincent43 avatar Apr 07 '25 11:04 Vincent43

# ykfde-open -d /dev/nvme0n1p3 -s 1 -t -n encrypted -v
INFO: Setting device to '/dev/nvme0n1p3'.
INFO: Setting LUKS keyslot to '1'.
INFO: Testing LUKS passphrase
INFO: Setting name to 'encrypted'.
INFO: Debugging enabled
 > YubiKey slot status 'ykinfo -q -2': 1
WARNING: This script will try to open the 'encrypted' LUKS encrypted volume on drive '/dev/nvme0n1p3' . If this is not what you intended, please abort.
 > Please provide the challenge.
   Enter challenge: 
   Running: 'ykchalresp -2 070ecfba08459857762cefcc68e42071649aeca6691b1c05fb52f8912c137595'...
   Remember to touch the device if necessary.
   Received response: '97cdf4daf1d79318a5525b04c9bac44fd0bacb92'
 > Passing '070ecfba08459857762cefcc68e42071649aeca6691b1c05fb52f8912c13759597cdf4daf1d79318a5525b04c9bac44fd0bacb92' to 'cryptsetup'
 > Decrypting with 'cryptsetup luksOpen --test-passphrase /dev/nvme0n1p3 --key-slot=1 '...
No key available with this passphrase.

Testing with -v:

# ykfde-enroll -d /dev/nvme0n1p3 -s 0 -o -v
INFO: Setting device to '/dev/nvme0n1p3'.
INFO: Setting LUKS keyslot to '0'.
INFO: Using old YubiKey for passphrase
INFO: Debugging enabled
 > YubiKey slot status 'ykinfo -q -2': 1
WARNING: This script will utilize LUKS keyslot '0' on device '/dev/nvme0n1p3'.  If this is not what you intended, please abort.
 > Please provide the challenge.
   Enter challenge: 

 > Please repeat the challenge.
   Enter challenge: Unlockmypc
   Running: 'ykchalresp -2 ....'...
   Remember to touch the device if necessary.
   Received response: ''
Please insert old YubiKey for existing keyslot.
 > Please provide the old challenge.
   Enter challenge: Hello, this is my data please unlock it..

 > Please repeat the old challenge.
   Enter challenge: 
   Running: 'ykchalresp -2 ....'...
   Remember to touch the old device if necessary.
   Received response: ''
 > Passing '.........' to 'cryptsetup'
 > Adding new LUKS passphrase with 'cryptsetup --key-slot=0 luksAddKey /dev/nvme0n1p3'...
WARNING: The --key-slot parameter is used for new keyslot number.
No key available with this passphrase.

And I can decrypt it using the same passphrase during boot.

ibahnasy avatar Apr 07 '25 13:04 ibahnasy

Are you choosing the correct slot number? The only explanation I see is that it may not be the same passphrase you're passing in both cases, though. There may be quirks like a different keyboard layout.

To double-check, you may enable debug mode at boot by uncommenting DBG="1" in /etc/ykfde.conf, then rebuild the initramfs with sudo mkinitcpio -P and reboot.

Then observe that the printed secrets are identical to the ones you see from the ykfde-open invocation:

Enter challenge: 
Running: 'ykchalresp -2 070ecfba08459857762cefcc68e42071649aeca6691b1c05fb52f8912c137595'...
Remember to touch the device if necessary.
Received response: '97cdf4daf1d79318a5525b04c9bac44fd0bacb92'
> Passing '070ecfba08459857762cefcc68e42071649aeca6691b1c05fb52f8912c13759597cdf4daf1d79318a5525b04c9bac44fd0bacb92' to 'cryptsetup'

Vincent43 avatar Apr 07 '25 17:04 Vincent43
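The debug lines above show how the passphrase handed to cryptsetup is built: the 64-hex-character challenge followed by the 40-hex-character YubiKey response. The following is an added example, not code from the yubikey-full-disk-encryption project, that models that construction so the "same passphrase at boot and at enrollment" check can be reasoned about offline. It assumes (not confirmed by this thread) that ykfde derives the 64-character challenge as the SHA-256 hex digest of the typed text and sends it to ykchalresp as ASCII bytes; the YubiKey's HMAC-SHA1 slot is stood in for by a constructed sample secret. The helpers also show why an invisible difference in what was typed (trailing space, a character remapped by another keyboard layout) changes every byte of the resulting passphrase, and how to redact such a debug line before pasting it anywhere.

```python
import hashlib
import hmac
import re

# Constructed 20-byte secret standing in for the HMAC-SHA1 key programmed into
# YubiKey slot 2. Sample data only; a real key never leaves the device.
SIMULATED_YUBIKEY_SECRET = bytes(range(20))


def hashed_challenge(typed_challenge: str) -> str:
    """Return the 64-hex-char challenge that is sent to the YubiKey.

    Assumption: the typed text is hashed with SHA-256 before ykchalresp is
    called, which matches the 64-character challenge seen in the debug output.
    """
    return hashlib.sha256(typed_challenge.encode("utf-8")).hexdigest()


def simulated_ykchalresp(challenge_hex: str) -> str:
    """Simulate 'ykchalresp -2 <challenge>' for an HMAC-SHA1 slot.

    Assumption: the hex string is passed as 64 ASCII bytes (no -x flag), which
    is exactly the maximum HMAC challenge length a YubiKey accepts.
    """
    return hmac.new(SIMULATED_YUBIKEY_SECRET,
                    challenge_hex.encode("ascii"), hashlib.sha1).hexdigest()


def luks_passphrase(typed_challenge: str) -> str:
    """Passphrase passed to cryptsetup: challenge hex + response hex (104 chars)."""
    challenge = hashed_challenge(typed_challenge)
    return challenge + simulated_ykchalresp(challenge)


def compare_runs(typed_a: str, typed_b: str) -> str:
    """Explain whether two interactive runs would yield the same LUKS passphrase.

    This mirrors the manual comparison of boot-time and ykfde-open debug output:
    if the challenges differ, the typed text was not identical (layout quirks,
    stray whitespace); identical challenges with different responses would point
    at a different YubiKey or slot.
    """
    chal_a, chal_b = hashed_challenge(typed_a), hashed_challenge(typed_b)
    if chal_a != chal_b:
        return "challenge differs: typed text is not identical (%r vs %r)" % (typed_a, typed_b)
    if simulated_ykchalresp(chal_a) != simulated_ykchalresp(chal_b):
        return "response differs: different YubiKey secret or slot"
    return "identical"


_SECRET_RE = re.compile(r"\b[0-9a-f]{40,}\b")


def redact_debug_line(line: str) -> str:
    """Replace any hex run of 40+ chars (response or full passphrase) with '...'.

    Use this on -v output before sharing it; the challenge/response pair is the
    LUKS passphrase for that keyslot.
    """
    return _SECRET_RE.sub("...", line)


if __name__ == "__main__":
    print(luks_passphrase("Unlockmypc"))
    print(compare_runs("Unlockmypc", "Unlockmypc "))      # trailing space
    print(compare_runs("Unlockmypc", "Unlockmypc"))
    print(redact_debug_line(" > Passing '" + luks_passphrase("Unlockmypc") + "' to 'cryptsetup'"))
```

A practical way to use this reasoning with the real tool: run the enroll and open commands with -v as suggested above, compare only whether the two printed challenges match before looking at the responses, and pass the lines through something like redact_debug_line before attaching them to an issue.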

I enabled debugging as mentioned and used update-initramfs -u, but it didn't show any secrets during boot.

ibahnasy avatar Apr 11 '25 11:04 ibahnasy

Are you using Arch Linux? update-initramfs is a Debian/Ubuntu-specific command, while this project supports only Arch, specifically the boot script part.

Vincent43 avatar Apr 12 '25 00:04 Vincent43