yubikey-full-disk-encryption
Multiple Yubikey support
Thank you for your nice work! This script may run into an error when multiple Yubikeys are connected. A way to resolve this could be to bind the serial of the Yubikey in the config.
I don't see an option to select a Yubikey by serial in the ykchalresp docs. Also, the key order appears to be random. If that's true then this may not be doable.
Hi @Vincent43 , thanks for this quick reply.
Considering it's very rare to have many Yubikeys connected, I've figured out a way to traverse them and compare serials.
BTW, even if the key order number is not random, setting a fixed one won't make sense as I may have different sets of keys connected on startup.
The following code is from my local initramfs hook script, which is working seamlessly like a transparent BitLocker on Linux.
```sh
# Serial of the YubiKey that is allowed to unlock this disk.
YKFDE_KEY_SERIAL='12345678'

run_hook() {
  local dev_no='-1'
  local key_present=''
  local _tmp
  # other code...
  # Walk device indices 0, 1, 2, ... until ykinfo fails (no more keys)
  # or a key reports the configured serial.
  while [ -z "$key_present" ]; do
    dev_no=$((dev_no + 1))
    _tmp="$(ykinfo -sqn"$dev_no" 2>&1)" || break
    [ "$_tmp" = "$YKFDE_KEY_SERIAL" ] && key_present=1
  done
  # If no key matched, key_present stays empty and dev_no is one past the
  # last connected key, so the ykchalresp call below fails.
  # other code...
  _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -n"$dev_no" -"$YKFDE_CHALLENGE_SLOT" -i-)"
  # other code...
}
```
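As an added example (not the project's hook script and not the comment author's code), here is the same serial lookup written as standalone POSIX sh functions, with the no-matching-key case handled explicitly instead of letting the challenge-response call fail on a stale index. It assumes ykinfo and ykchalresp from yubikey-personalization with the `-n` index flag used above; the `YKINFO` and `YKCHALRESP` variables are hypothetical overrides introduced here so the logic can be exercised with a stand-in command and no hardware.

```sh
#!/bin/sh
# Added example: find a YubiKey by serial, then run challenge-response
# against that device index. YKINFO/YKCHALRESP are hypothetical overrides
# (assumption, not part of the project) that default to the real tools.
YKINFO="${YKINFO:-ykinfo}"
YKCHALRESP="${YKCHALRESP:-ykchalresp}"

# Print the device index whose serial equals $1; return 1 if none matches.
# Indices are tried from 0 upward; ykinfo exits non-zero once the index is
# past the last connected key, which ends the scan.
ykfde_find_serial() {
    want="$1"
    i=0
    while serial="$("$YKINFO" -sqn"$i" 2>/dev/null)"; do
        if [ "$serial" = "$want" ]; then
            printf '%s\n' "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Challenge-response on device index $1, slot $2, challenge $3.
# The response is written to stdout, as ykchalresp does.
ykfde_response() {
    idx="$1"
    slot="$2"
    challenge="$3"
    printf %s "$challenge" | "$YKCHALRESP" -n"$idx" -"$slot" -i-
}

# Glue as a hook would use it: serial $1, slot $2, challenge $3.
# Returns 1 (so the caller can fall back to a passphrase) when the
# configured serial is not among the connected keys.
ykfde_get_response() {
    idx="$(ykfde_find_serial "$1")" || {
        echo "no YubiKey with serial $1 connected" >&2
        return 1
    }
    ykfde_response "$idx" "$2" "$3"
}
```

Because the index is looked up immediately before use, reordering of keys across boots does not matter; only the serial is pinned.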