yubikey-full-disk-encryption

Make 2FA the default mode in initramfs so default config works

Open deisi opened this issue 5 years ago • 4 comments

Hey, I followed the installation instructions as closely as possible, but I think I can't get the ykfde hook to work on boot. As far as I can see, the enroll step worked; the `ykfde-open` check returned success.

I configured `/etc/mkinitcpio.conf` accordingly and the hooks line reads `HOOKS=(base udev plymouth autodetect keyboard keymap consolefont modconf block ykfde plymouth-encrypt lvm2 filesystems fsck)`; obviously I use plymouth. However, I think https://github.com/agherzan/yubikey-full-disk-encryption/issues/19 is implemented and available in the Arch Linux community package.

I use btrfs on LUKS for my root partition and GRUB as boot manager. My GRUB setup uses `cryptdevice` to find the root partition:

```
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:root"
```

When I try to decrypt my setup with the YubiKey, it looks to me like the ykfde hook is not working correctly: when I enter the passphrase for the challenge, the key is not flashing and thus it can't be used to generate the challenge response. Any suggestions on how to debug this?

deisi avatar Jan 25 '20 21:01 deisi

Okay, got it. It's a duplicate of https://github.com/agherzan/yubikey-full-disk-encryption/issues/50. As I'm not the first one falling for this, maybe it's a good idea to make the 2FA mode the default. It's kind of hinted at in this way by the instructions anyway. And defining anything other than an empty `#YKFDE_CHALLENGE=""` would automatically remove the `YKFDE_CHALLENGE_PASSWORD_NEEDED="1"`.

The way the config works right now is very uncommon. Currently there is no working default. Thus I think people will keep falling for this.

deisi avatar Jan 26 '20 08:01 deisi

Hi, I agree this situation isn't perfect, but see my comment from the mentioned thread:

> You have to choose which mode you want to use in `/etc/ykfde.conf` in order to use the initramfs hook. The `ykfde-open` script automatically falls back to manual mode with a secret challenge (2FA) if nothing was set in the config, but the initramfs hook doesn't, because we want to support the case where the user didn't set up any ykfde passphrase at all.

When someone enables the initramfs hook but forgets to enroll a password, they may be locked out of the system if we don't provide a fallback. There should be no such risk on a running system, and that's why the ykfde- scripts automatically assume that the user wants to use a ykfde password. If we use ykfde by default in the initramfs without changing the config, then we have to figure out how and when to use the fallback.

Vincent43 avatar Jan 26 '20 13:01 Vincent43

Could one distinguish between an empty string and no string at all for `YKFDE_CHALLENGE`? Or maybe have something like "DEFAULT" as a string and then say that this means 2FA is used?

deisi avatar Jan 26 '20 17:01 deisi

I didn't mean a fallback to 1FA mode; I meant a fallback to using a normal (not YubiKey-related) password for unlocking the disk, like with the encrypt hook.

Vincent43 avatar Jan 26 '20 22:01 Vincent43
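To make the two points above concrete (deisi's question of whether a hook can tell an unset `YKFDE_CHALLENGE` apart from one deliberately set to `""` or `"DEFAULT"`, and Vincent43's point that the safe fallback is the plain LUKS passphrase), here is a POSIX sh sketch of how such a decision could be made. It is an added example, not code from the yubikey-full-disk-encryption project or its authors; the variable names follow `/etc/ykfde.conf`, while `ykfde_select_mode`, the `DEFAULT` sentinel and the mode names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the project's own hook code. Shows how a sourced
# /etc/ykfde.conf could be interpreted so that an untouched config falls
# back to the plain LUKS passphrase instead of a non-working default.
# Assumptions: the function name, the "DEFAULT" sentinel and the returned
# mode names are hypothetical; only the variable names come from ykfde.conf.

# Prints one of:
#   passphrase  neither variable was ever set: behave like the encrypt hook
#   2fa         the challenge is typed at boot and sent to the YubiKey
#   1fa         a static challenge from the config is used, nothing typed
ykfde_select_mode() {
    # "${VAR+x}" expands to "x" when VAR is set (even to ""), and to the
    # empty string when VAR is unset. That is the unset-vs-empty distinction.
    if [ -z "${YKFDE_CHALLENGE+x}" ] && [ -z "${YKFDE_CHALLENGE_PASSWORD_NEEDED+x}" ]; then
        echo passphrase
        return 0
    fi

    # An explicit request for 2FA wins over any static challenge.
    if [ "${YKFDE_CHALLENGE_PASSWORD_NEEDED:-0}" = "1" ]; then
        echo 2fa
        return 0
    fi

    case "${YKFDE_CHALLENGE-}" in
        ""|DEFAULT) echo 2fa ;;   # set but empty, or the sentinel: ask at boot
        *)          echo 1fa ;;   # any other value is a fixed challenge
    esac
}

# Demo runs each configuration in its own subshell so nothing leaks.
( unset YKFDE_CHALLENGE YKFDE_CHALLENGE_PASSWORD_NEEDED
  printf 'config untouched            -> %s\n' "$(ykfde_select_mode)" )
( unset YKFDE_CHALLENGE_PASSWORD_NEEDED; YKFDE_CHALLENGE=""
  printf 'YKFDE_CHALLENGE=""          -> %s\n' "$(ykfde_select_mode)" )
( unset YKFDE_CHALLENGE_PASSWORD_NEEDED; YKFDE_CHALLENGE="DEFAULT"
  printf 'YKFDE_CHALLENGE="DEFAULT"   -> %s\n' "$(ykfde_select_mode)" )
( unset YKFDE_CHALLENGE_PASSWORD_NEEDED; YKFDE_CHALLENGE="static-secret"
  printf 'static challenge            -> %s\n' "$(ykfde_select_mode)" )
( YKFDE_CHALLENGE="static-secret"; YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
  printf 'static + PASSWORD_NEEDED=1  -> %s\n' "$(ykfde_select_mode)" )
```

The key trick is the `${VAR+x}` parameter expansion, which is defined by POSIX and available in the busybox or dash shells used inside an initramfs; it lets a hook treat "the user never edited the config" differently from "the user chose an empty challenge", so the lock-out case Vincent43 describes can fall through to the ordinary passphrase prompt while an explicit empty value still means 2FA.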