mkinitcpio-ykfde

feat: commandline calculate key

Open exincore opened this issue 1 year ago • 1 comments

What

Add a flag to the ykfde executable that prints the resulting LUKS keyslot passphrase instead of sending it to decrypt the drive.

In other words, instead of calculating the LUKS keyslot passphrase and sending it to unlock the drive, this flag lets a user, on a booted system, generate the valid LUKS key with their YubiKey, without manually going through the steps below, and without also rolling the challenge salt.

Why

Manually changing the LUKS setup with this program is currently undocumented. The challenge has to be manually read from ykfde's files, then up to the first SHA1_MAX_BLOCK_SIZE / 2 bits of the 2FA password have to be manually written over the beginning of that challenge, then the whole thing is fed into ykchalresp, and only then is there an output that can be used by cryptsetup luksOpen or similar. That is a clearly unpleasant process to do manually.

exincore, Aug 11 '22 20:08
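Added example, not part of the original issue and not mkinitcpio-ykfde's own code: a sketch of the challenge construction the issue describes, leaving the stored challenge untouched. It assumes SHA1_MAX_BLOCK_SIZE is 64 and that the limit is counted in bytes; the function names, the slot default, the sample inputs and the software HMAC-SHA1 stand-in for the token are all hypothetical or constructed.

```python
import hashlib
import hmac

# Assumption: SHA1_MAX_BLOCK_SIZE is 64 and the 2FA limit is counted in bytes.
SHA1_MAX_BLOCK_SIZE = 64
MAX_2FA_LEN = SHA1_MAX_BLOCK_SIZE // 2


def build_challenge(stored: bytes, second_factor: bytes) -> bytes:
    """Return a copy of the stored challenge whose beginning is overwritten
    by (at most MAX_2FA_LEN bytes of) the 2FA password."""
    if len(stored) != SHA1_MAX_BLOCK_SIZE:
        raise ValueError("stored challenge must be %d bytes" % SHA1_MAX_BLOCK_SIZE)
    prefix = second_factor[:MAX_2FA_LEN]
    # The remainder of the stored challenge is kept as-is, so nothing is rolled.
    return prefix + stored[len(prefix):]


def ykchalresp_argv(challenge: bytes, slot: int = 2) -> list:
    """Argument vector that hands the challenge to ykchalresp as hex.
    The slot number is an assumption; use the slot the token is configured for."""
    if slot not in (1, 2):
        raise ValueError("YubiKey slot must be 1 or 2")
    return ["ykchalresp", "-%d" % slot, "-x", challenge.hex()]


def simulated_response(secret: bytes, challenge: bytes) -> str:
    """Software stand-in for the token (assumption): HMAC-SHA1 over the
    challenge, hex-encoded, so the example runs without hardware."""
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


if __name__ == "__main__":
    stored = bytes(range(64))              # constructed sample challenge
    secret = bytes.fromhex("11" * 20)      # constructed sample HMAC secret
    challenge = build_challenge(stored, b"correct horse")
    print(" ".join(ykchalresp_argv(challenge)))
    print(simulated_response(secret, challenge))
```

The printed response depends on both the stored challenge and the 2FA password, so a mistyped second factor yields a different passphrase candidate rather than an error.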

This is not intended to be used that way. Just keep another key slot around with a human-friendly (but still strong!) password.

eworm-de, Aug 11 '22 20:08