Mailinglist Archive: opensuse-support (220 mails)

Re: [opensuse-support] 2FA for crypted disk
Hi,

On 22.01.19 at 08:45, Adam Mizerski wrote:
> 1) There was a similar thread, you might find interesting:
> https://lists.opensuse.org/archive/opensuse/2018-12/msg00127.html

thanks for the pointer. I missed that.

> 2) Show a link to the howto you found.

https://github.com/cornelinux/yubikey-luks
https://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authentifizierung-unter-linux-nutzen-1507-115155-2.html
(German, pretty much a translation from the github README)

> 3) LUKS has 8 slots for various keys to unlock the partition. You can
> set up 3 passwords and 2 keyfiles and you need at least one to unlock
> (https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Key_management).
> This should keep you safe from losing access to your data.

That's along the lines of what I found already. But for me this stops pretty
immediately when trying to check prerequisites.

# cryptsetup status /dev/mapper/cr_home
/dev/mapper/cr_home is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/nvme0n1p7
  sector size:  512
  offset:  4096 sectors
  size:    888360960 sectors
  mode:    read/write

but
# cryptsetup luksDump /dev/mapper/cr_home
Device /dev/mapper/cr_home is not a valid LUKS device.

So I'm not even sure I can continue to add keys.

The encrypted FS is what YaST created when I installed Tumbleweed
roughly a year ago.
Is it usable at all?

Seems I need a virtual playground first before trying to fiddle with my
real hardware and break something.


Wolfgang

> On 21.01.2019 at 23:26, Wolfgang Rosenauer wrote:
>
>> as I understand from searching around it should be possible to do something
>> like 2FA for crypto devices (LUKS). Or at least some challenge response.
>>
>> I've got a Yubikey and I found an Ubuntu howto. Because this is a bit of a
>> risky implementation when my crypted home partition is not accessible
>> anymore I'm a bit hesitant to experiment like I do typically.
>>
>> Therefore: Does anyone have a pointer to a HOWTO which works for openSUSE
>> Tumbleweed?
>>
>>
>> Thanks,
>> Wolfgang
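
On the luksDump error in the mail above: cryptsetup luksDump reads the on-disk LUKS header, which sits on the backing device listed under "device:" in the status output, not on the opened mapping. The script below is an added example, not part of the thread; it resolves that device and counts free LUKS1 key slots before a key is added. The helper names, the MAPPING variable and both sample inputs are constructed for illustration.

```shell
# Added example, not from the thread. status_field, free_slots and
# check_mapping are hypothetical helper names.

# Print one field ("type", "device", ...) of `cryptsetup status` output (stdin).
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Count unused key slots in LUKS1 `cryptsetup luksDump` output (stdin).
free_slots() {
    awk '/^Key Slot [0-7]: DISABLED/ { n++ } END { print n + 0 }'
}

# Live check (needs root): resolve the backing device, confirm it carries a
# LUKS header, and report how many slots are free before adding a key.
check_mapping() {
    st=$(cryptsetup status "$1") || return 1
    case $(printf '%s\n' "$st" | status_field type) in
        LUKS*) ;;
        *) echo "$1: not a LUKS mapping" >&2; return 1 ;;
    esac
    dev=$(printf '%s\n' "$st" | status_field device)
    cryptsetup isLuks "$dev" || { echo "$dev: no LUKS header" >&2; return 1; }
    echo "$dev: $(cryptsetup luksDump "$dev" | free_slots) free key slots"
}

# Constructed sample: part of the status output quoted in the mail.
SAMPLE_STATUS='/dev/mapper/cr_home is active and is in use.
  type:    LUKS1
  key location: dm-crypt
  device:  /dev/nvme0n1p7'

# Constructed sample: slot lines in LUKS1 luksDump format, two slots in use.
SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# MAPPING=cr_home sh thisfile  -> live check; otherwise use the samples.
if [ -n "${MAPPING:-}" ]; then
    check_mapping "$MAPPING"
else
    printf '%s\n' "$SAMPLE_STATUS" | status_field device
    printf '%s\n' "$SAMPLE_DUMP" | free_slots
fi
```
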


