[opensuse-support] 2FA for crypted disk
Hi,

as I understand from searching around it should be possible to do something like 2FA for crypto devices (LUKS). Or at least some challenge response.

I've got a Yubikey and I found an Ubuntu howto. Because this is a bit of a risky implementation when my crypted home partition is not accessible anymore I'm a bit hesitant to experiment like I do typically.

Therefore: Does anyone have a pointer to a HOWTO which works for openSUSE Tumbleweed?

Thanks,
Wolfgang

--
To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-support+owner@opensuse.org
1) There was a similar thread you might find interesting: https://lists.opensuse.org/archive/opensuse/2018-12/msg00127.html

2) Show a link to the howto you found.

3) LUKS has 8 slots for various keys to unlock the partition. You can set up 3 passwords and 2 keyfiles and you need at least one to unlock (https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Key_manageme...). This should keep you safe from losing access to your data.

Adam Mizerski

On 21.01.2019 at 23:26, Wolfgang Rosenauer wrote:
Hi,
as I understand from searching around it should be possible to do something like 2FA for crypto devices (LUKS). Or at least some challenge response.
I've got a Yubikey and I found an Ubuntu howto. Because this is a bit of a risky implementation when my crypted home partition is not accessible anymore I'm a bit hesitant to experiment like I do typically.
Therefore: Does anyone have a pointer to a HOWTO which works for openSUSE Tumbleweed?
Thanks, Wolfgang
Hi,

On 22.01.19 at 08:45, Adam Mizerski wrote:
1) There was a similar thread, you might find interesting: https://lists.opensuse.org/archive/opensuse/2018-12/msg00127.html
thanks for the pointer. I missed that.
2) Show a link to the howto you found.
https://github.com/cornelinux/yubikey-luks
https://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authen... (German, pretty much a translation of the GitHub README)
3) LUKS has 8 slots for various keys to unlock the partition. You can set up 3 passwords and 2 keyfiles and you need at least one to unlock (https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Key_manageme...). This should keep you safe from losing access to your data.
That's around the lines I found already. But for me this stops pretty immediately when trying to check prerequisites.

# cryptsetup status /dev/mapper/cr_home
/dev/mapper/cr_home is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/nvme0n1p7
  sector size:  512
  offset:  4096 sectors
  size:    888360960 sectors
  mode:    read/write

but

# cryptsetup luksDump /dev/mapper/cr_home
Device /dev/mapper/cr_home is not a valid LUKS device.

So I'm not even sure I can continue to add keys.

The encrypted FS is what YaST created when I installed Tumbleweed roughly a year ago. Is it usable at all?

Seems I need a virtual playground first before trying to fiddle with my real hardware and break something.

Wolfgang
On 21.01.2019 at 23:26, Wolfgang Rosenauer wrote:
as I understand from searching around it should be possible to do something like 2FA for crypto devices (LUKS). Or at least some challenge response.
I've got a Yubikey and I found an Ubuntu howto. Because this is a bit of a risky implementation when my crypted home partition is not accessible anymore I'm a bit hesitant to experiment like I do typically.
Therefore: Does anyone have a pointer to a HOWTO which works for openSUSE Tumbleweed?
Thanks, Wolfgang
On 22.01.2019 at 09:07, Wolfgang Rosenauer wrote:
Hi,
On 22.01.19 at 08:45, Adam Mizerski wrote:
1) There was a similar thread, you might find interesting: https://lists.opensuse.org/archive/opensuse/2018-12/msg00127.html
thanks for the pointer. I missed that.
2) Show a link to the howto you found.
https://github.com/cornelinux/yubikey-luks
https://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authen... (German, pretty much a translation of the GitHub README)
This looks quite good (it uses the Yubikey to mangle the given password). The problem I see is that openSUSE uses mkinitrd/dracut to create the initrd, which works differently than Debian/Ubuntu. Somebody with experience in this field should hop in here.
3) LUKS has 8 slots for various keys to unlock the partition. You can set up 3 passwords and 2 keyfiles and you need at least one to unlock (https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Key_manageme...). This should keep you safe from losing access to your data.
That's around the lines I found already. But for me this stops pretty immediately when trying to check prerequisites.
# cryptsetup status /dev/mapper/cr_home
/dev/mapper/cr_home is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/nvme0n1p7
  sector size:  512
  offset:  4096 sectors
  size:    888360960 sectors
  mode:    read/write

but

# cryptsetup luksDump /dev/mapper/cr_home
Device /dev/mapper/cr_home is not a valid LUKS device.
So I'm not even sure I can continue to add keys.
The encrypted FS is what YaST created when I installed Tumbleweed roughly a year ago. Is it usable at all?
Try: cryptsetup luksDump /dev/nvme0n1p7
Seems I need a virtual playground first before trying to fiddle with my real hardware and break something.
Oh yes. Playing with virtual machines is always fun! You can make snapshots and roll back if something breaks.
Wolfgang
On 21.01.2019 at 23:26, Wolfgang Rosenauer wrote:
as I understand from searching around it should be possible to do something like 2FA for crypto devices (LUKS). Or at least some challenge response.
I've got a Yubikey and I found an Ubuntu howto. Because this is a bit of a risky implementation when my crypted home partition is not accessible anymore I'm a bit hesitant to experiment like I do typically.
Therefore: Does anyone have a pointer to a HOWTO which works for openSUSE Tumbleweed?
Thanks, Wolfgang
On Tue, Jan 22, 2019 at 11:07 AM Wolfgang Rosenauer
2) Show a link to the howto you found.
It relies on support for keyscript in /etc/crypttab; keyscript is unsupported by systemd, and openSUSE is using systemd, so it will not work. You will need to implement something to configure your device outside of the standard framework.
On 22.01.19 at 09:55, Andrei Borzenkov wrote:
On Tue, Jan 22, 2019 at 11:07 AM Wolfgang Rosenauer wrote:

2) Show a link to the howto you found.
It relies on support for keyscript in /etc/crypttab; keyscript is unsupported by systemd, and openSUSE is using systemd, so it will not work. You will need to implement something to configure your device outside of the standard framework.
Hmm, does not sound promising. I didn't expect to touch undiscovered country trying to use a Yubikey to unlock a crypto partition on openSUSE :-(

I cannot be the first one?

Wolfgang
On Tue, 22 Jan 2019 10:01:30 +0100
Wolfgang Rosenauer
On 22.01.19 at 09:55, Andrei Borzenkov wrote:
On Tue, Jan 22, 2019 at 11:07 AM Wolfgang Rosenauer wrote:

2) Show a link to the howto you found.
It relies on support for keyscript in /etc/crypttab; keyscript is unsupported by systemd, and openSUSE is using systemd, so it will not work. You will need to implement something to configure your device outside of the standard framework.
Hmm, does not sound promising. I didn't expect to touch undiscovered country trying to use a Yubikey to unlock a crypto partition on openSUSE :-(

I cannot be the first one?
Wolfgang
This doesn't answer your question, but might have some useful hints.

https://forum.yubico.com/viewtopic2f91.html?f=23&t=1143&p=4295&hilit=linux+login+logon#p4295

It's instructions on using a Yubikey + password for logging in rather than unlocking encrypted partitions. Read the whole post, especially the screenshots by yubidoobydoo at the end. On openSUSE you need to install pam_yubico rather than libpam-yubico.

--
Bob
On 22.01.19 at 20:45, Bob Williams wrote:
On Tue, 22 Jan 2019 10:01:30 +0100 Wolfgang Rosenauer wrote:

This doesn't answer your question, but might have some useful hints.
https://forum.yubico.com/viewtopic2f91.html?f=23&t=1143&p=4295&hilit=linux+login+logon#p4295
It's instructions on using a Yubikey + password for logging in rather than unlocking encrypted partitions. Read the whole post, especially the screenshots by yubidoobydoo at the end. On openSUSE you need to install pam_yubico rather than libpam-yubico.
That was next on my list to investigate. But for different reasons I'm still more interested in getting my crypto partition secured. Everything I found is based on custom scripts which seem impossible to use in systemd systems according to another post.

I almost forgot how superior systemd is *SCNR*

Wolfgang
On 22/01/2019 09.07, Wolfgang Rosenauer wrote:
Hi,
That's around the lines I found already. But for me this stops pretty immediately when trying to check prerequisites.
# cryptsetup status /dev/mapper/cr_home
/dev/mapper/cr_home is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/nvme0n1p7
  sector size:  512
  offset:  4096 sectors
  size:    888360960 sectors
  mode:    read/write

but

# cryptsetup luksDump /dev/mapper/cr_home
Device /dev/mapper/cr_home is not a valid LUKS device.
So I'm not even sure I can continue to add keys.
I think that command runs on the raw device, not the encrypted one. Try:

cryptsetup luksDump /dev/nvme0n1p7

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
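Putting Carlos's point (luksDump reads the LUKS header on the backing device, not the /dev/mapper node) together with Adam's key-slot advice, here is an added shell example that is not from the thread: it pulls the backing device out of cryptsetup status output, counts enabled LUKS1 key slots, and wraps the backup, add, verify order of operations so the existing passphrase is never the only way in. The function names and the two sample outputs are constructed; the real-device function assumes root and cryptsetup in PATH, and the mapper name cr_home and /dev/nvme0n1p7 are taken from the thread.

```shell
# Added example, not from the thread. SAMPLE_STATUS mirrors the posted
# `cryptsetup status` output; SAMPLE_DUMP is a constructed LUKS1 luksDump
# key-slot table (two of the eight slots in use).

SAMPLE_STATUS='/dev/mapper/cr_home is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/nvme0n1p7
  mode:    read/write'

SAMPLE_DUMP='LUKS header information for /dev/nvme0n1p7
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: ENABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# luksDump reads the LUKS header, which lives on the backing block device,
# not on the /dev/mapper node: take that device from the "device:" line.
backing_device() {
    printf '%s\n' "$1" | awk '$1 == "device:" { print $2; exit }'
}

# Number of ENABLED key slots in luksDump output (LUKS1 has slots 0-7).
enabled_slots() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: *ENABLED' || true
}

# Slots still free for an extra passphrase or keyfile.
free_slots() {
    echo $(( 8 - $(enabled_slots "$1") ))
}

# Real-device workflow (run as root): back the header up first, add the new
# slot, then confirm the new secret actually opens the device. The existing
# passphrase keeps its own slot, so a failed experiment cannot lock you out.
add_key_slot_safely() {
    mapper=$1; keyfile=$2; backup=$3
    dev=$(backing_device "$(cryptsetup status "$mapper")")
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    cryptsetup luksAddKey "$dev" "$keyfile"
    cryptsetup open --test-passphrase "$dev" --key-file "$keyfile"
}
```

Keep the header backup somewhere off the disk; with it, even a damaged header can be restored and the original key slots recovered.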
participants (5)
- Adam Mizerski
- Andrei Borzenkov
- Bob Williams
- Carlos E. R.
- Wolfgang Rosenauer