by irusensei 1373 days ago
Quick question about such devices: can I use stuff like Yubikey or similar to luksOpen a crypt device during boot or operation?

Thanks in advance.

2 comments

Yes, there are multiple ways. Systemd offers systemd-cryptenroll, which works with FIDO2 and X.509 certificates on the hardware key to unlock a drive.

The key is embedded as a luks header into the partition.

The information about the key and the device is passed to initrd through /etc/crypttab for unlocking during boot.

I wrote a couple of posts describing how this can be sort-of-handrolled with a Nitrokey and a GPG key for an X.509 cert:

https://vtimofeenko.com/posts/unlocking-luks2-with-x509-nitr...
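The systemd-cryptenroll flow the comment above describes, as an added example that is not part of the thread or any of the linked posts. The device path, mapping name and UUID are placeholders; it assumes systemd 248 or newer, a LUKS2 volume that already has a passphrase slot, and that the initramfs is regenerated afterwards with the distro's usual tool.

```bash
#!/bin/sh
# Enroll a FIDO2 token into a LUKS2 volume and wire it into /etc/crypttab.
# Only the credential ID and salt land in the LUKS2 header (as a JSON token);
# the secret that unlocks the keyslot is derived on the hardware key itself.

# Keep a recovery key alongside the token so a lost or broken key does not
# lock you out. Prints the generated recovery passphrase once; store it offline.
enroll_recovery_key() {
    systemd-cryptenroll --recovery-key "$1"      # $1 = /dev/sdX2 (placeholder)
}

# Enroll the first FIDO2 token found. Requiring the client PIN means the
# token alone is not enough to unlock the disk if it is stolen with the machine.
enroll_fido2() {
    systemd-cryptenroll --fido2-device=auto \
        --fido2-with-client-pin=yes \
        --fido2-with-user-presence=yes "$1"
}

# Inspect what is in the header: keyslot count and the systemd-fido2 token.
# No secrets are printed; this is the check to run after enrolling.
list_tokens() {
    cryptsetup luksDump "$1" | grep -E '^(Keyslots|Tokens):|systemd-fido2'
}

# Remove the FIDO2 keyslot again (e.g. when the key is decommissioned).
wipe_fido2() {
    systemd-cryptenroll --wipe-slot=fido2 "$1"
}

# Build the /etc/crypttab line that initrd reads at boot:
#   <name> <UUID> <keyfile> <options>
# "none" = no keyfile; fido2-device=auto makes systemd-cryptsetup look for the
# token described in the header and prompt for the PIN; it falls back to the
# passphrase prompt if no token is present.
crypttab_line() {
    name="$1"; uuid="$2"
    printf '%s UUID=%s none fido2-device=auto,luks,discard\n' "$name" "$uuid"
}

# Typical sequence (root, on the real device; not executed here):
#   enroll_recovery_key /dev/sda2
#   enroll_fido2 /dev/sda2
#   list_tokens /dev/sda2
#   crypttab_line cryptroot "$(cryptsetup luksUUID /dev/sda2)" >> /etc/crypttab
#   then: dracut -f   (or update-initramfs -u on Debian/Ubuntu)
```

After regenerating the initramfs, reboot once with the token inserted and once without it to confirm both the FIDO2 prompt and the passphrase fallback work before relying on it.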