On Sun, 9 Dec 2018 15:20:40 +0100 Oleksii Vilchanskyi <oleksii.vilchanskyi@gmail.com> wrote:
Re-sending, accidentally replied off-list.
On 12/6/18 10:52 PM, Bob Williams wrote:
Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.
There are multiple solutions for that; after a quick read about Yubikey on Archwiki, this [1] entry describes what you want, I believe. The links mentioned there are somewhat Arch-specific, but they reference other sources of information which aren't, going as far as mentioning a LUKS whitepaper [2] and a full-fledged enterprise-like solution [3], so I believe you can figure it out eventually. Certainly not an idiot's guide (because none of them is comprehensive), but at the same time, you need to understand some basics to be able to troubleshoot the setup, if needed.
I personally go with the classic encrypted /boot (so enter the passphrase twice), and then Yubico's PAM [4] to ensure that logging into the user account is not possible without a Yubikey.
Although 2FA boot sounds interesting. Another area of investigation is integration of 2FA pre-boot with the drives that support FDE [5] (and those new SSDs do).
[1]: <https://wiki.archlinux.org/index.php/YubiKey#YubiKey_and_LUKS_encrypted_partition/disk>
[2]: <http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf>
[3]: <https://github.com/privacyidea/privacyidea>
[4]: <https://developers.yubico.com/yubico-pam/>
[5]: <https://www.yubico.com/wp-content/uploads/2012/10/YubiKey-Integration-for-Full-Disk-Encryption-with-Pre-Boot-Authentication-v1.2.pdf>
Hey, thanks Alex. Lots of good material there.
--
Bob Williams
System: Linux 4.19.2-1.g8adee6e-default
Distro:
Desktop: KDE Frameworks: 5.45.0, Qt: 5.9.4 and Plasma: 5.12.5