Integrate 2FA/YubiKey into LUKS #2712

Open
rugk opened this Issue Mar 18, 2017 · 3 comments

rugk commented Mar 18, 2017

It would be nice if you could integrate 2FA/YubiKey into LUKS.

See these instructions and this site e.g.

@rugk rugk changed the title from Integrate 2FA/YubiKey to Integrate 2FA/YubiKey into LUKS Mar 18, 2017

@andrewdavidwong andrewdavidwong added this to the Far in the future milestone Mar 18, 2017

andrewdavidwong commented Mar 18, 2017

Related: #1979

Joeviocoe Sep 10, 2017

Qubes doesn't just run on Laptops. Think about Desktops. They require USB Keyboards since most modern desktop systems don't have PS/2. And since they require USB Keyboards to enter the LUKS Passphrase, that means the "rd.qubes.hide_all_usb" option in the bootloader will render the whole system inaccessible. So USB security at boot time is not an option, therefore, not a tradeoff with 2FA for LUKS.

2FA means that I don't have to weaken my passphrase so it's memorable. And if snooped by some Evil Maid attack methods, they'll need to pull the token from my cold dead hands too. AEM for Qubes only works with USB storage, not YubiKey Challenge/Response, and still requires a TPM which desktops don't often have.

I am hoping someone will finish this idea and make it available, especially for desktop users with YubiKey.
Unfortunately, I don't have much knowledge of initramfs or dracut to produce something usable myself. I have searched all over, and only find the same abandoned ideas, or directions for using YubiKey for something other than LUKS, or on a Debian-based system.

Please help.
Thank you.

andrewdavidwong added a commit that referenced this issue Sep 29, 2017
