Hi, Am 22.01.19 um 08:45 schrieb Adam Mizerski:

1) There was a similar thread, you might find interesting: https://lists.opensuse.org/archive/opensuse/2018-12/msg00127.html

thanks for the pointer. I missed that.

2) Show a link to the howto you found.

https://github.com/cornelinux/yubikey-luks https://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authen... (german, pretty much a translation from teh github README)

3) LUKS has 8 slots for various keys to unlock the partition. You can set up 3 passwords and 2 keyfiles and you need at least one to unlock (https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Key_manageme...). This should keep you safe from loosing access to your data.

That around the lines I found already. But for me this stops pretty immediately when trying to check prerequisites. # cryptsetup status /dev/mapper/cr_home /dev/mapper/cr_home is active and is in use. type: LUKS1 cipher: aes-xts-plain64 keysize: 256 bits key location: dm-crypt device: /dev/nvme0n1p7 sector size: 512 offset: 4096 sectors size: 888360960 sectors mode: read/write but # cryptsetup luksDump /dev/mapper/cr_home Device /dev/mapper/cr_home is not a valid LUKS device. So I'm not even sure I can continue to add keys. The encrypted FS is what YaST created when I installed Tumbleweed roughly a year ago. Is it usable at all? Seems I need a virtual playground first before trying to fiddle with my real hardware and break something. Wolfgang

W dniu 21.01.2019 o 23:26, Wolfgang Rosenauer pisze:

...

as I understand from searching around it should be possible to do something like 2FA for crypto devices (LUKS). Or at least some challenge response.

I've got a Yubikey and I found an Ubuntu howto. Because this is a bit of a risky implementation when my crypted home partition is not accessible anymore I'm a bit hesitant to experiment like I do typically.

Therefore: Does anyone have a pointer to an HOWTO which works for openSUSE Tumbleweed?

Thanks, Wolfgang

On Tue, Jan 22, 2019 at 11:07 AM Wolfgang Rosenauer wrote:

...

2) Show a link to the howto you found.

https://github.com/cornelinux/yubikey-luks

It relies on support for keyscript in /etc/crypttab, keyscript is unsupported by systemd, openSUSE is using systemd so it will not work. You will need to implement something to configure your device outside of standard framework. -- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org

On Tue, 22 Jan 2019 10:01:30 +0100 Wolfgang Rosenauer wrote:

Am 22.01.19 um 09:55 schrieb Andrei Borzenkov:

...

On Tue, Jan 22, 2019 at 11:07 AM Wolfgang Rosenauer wrote:

...

...

2) Show a link to the howto you found.

https://github.com/cornelinux/yubikey-luks

It relies on support for keyscript in /etc/crypttab, keyscript is unsupported by systemd, openSUSE is using systemd so it will not work. You will need to implement something to configure your device outside of standard framework.

hmm, does not sound promising. I didn't expect to touch undiscovered country trying to use a Yubikey to unlock a crypto partition on openSUSE :-( I cannot be the first one?

Wolfgang

This doesn't answer your question, but might have some useful hints. https://forum.yubico.com/viewtopic2f91.html?f=23&t=1143&p=4295&hilit=linux+login+logon#p4295 It's instructions on using a Yubikey + password for logging in rather than unlocking encrypted partitions. Read the whole post, especially the screenshots by yubidoobydoo at the end. On openSUSE you need to install pam_yubico rather than libpam-yubico. -- Bob

On 22/01/2019 09.07, Wolfgang Rosenauer wrote:

Hi,

That around the lines I found already. But for me this stops pretty immediately when trying to check prerequisites.

# cryptsetup status /dev/mapper/cr_home /dev/mapper/cr_home is active and is in use. type: LUKS1 cipher: aes-xts-plain64 keysize: 256 bits key location: dm-crypt device: /dev/nvme0n1p7 sector size: 512 offset: 4096 sectors size: 888360960 sectors mode: read/write

but # cryptsetup luksDump /dev/mapper/cr_home Device /dev/mapper/cr_home is not a valid LUKS device.

So I'm not even sure I can continue to add keys.

I think that command runs on the raw device, not the encrypted one. Try: cryptsetup luksDump /dev/nvme0n1p7 -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)