mkinitcpio-ykfde
feat: commandline calculate key
What
Add a flag to the ykfde executable that prints the resulting LUKS keyslot passphrase instead of sending it to decrypt the drive.
In other words, instead of calculating the LUKS keyslot and sending it to unlock the drive, this flag lets a user, on a booted system, generate the valid LUKS key with their YubiKey, without manually going through the steps below, and without also rolling the challenge salt.
Why
Manually changing the LUKS setup with this program is currently undocumented. The challenge has to be manually read from ykfde's files, then up to the first SHA1_MAX_BLOCK_SIZE / 2 bits of the 2FA password has to be manually written over the beginning of that challenge, then the whole thing is fed into ykchalresp, and only then is there an output that can be used by cryptsetup luksOpen or similar. That is a clearly unpleasant process to do manually.
This is not intended to be used that way. Just keep another key slot around with a human-friendly (but still strong!) password.