feat: commandline calculate key #40

Open
exincore opened this issue Aug 11, 2022 · 1 comment

Comments

@exincore

What

Add a flag to the ykdfe executable that prints the resulting luks keyslot passphrase instead of sending it to decrypt the drive.

In other words, instead of calculating the luks keyslot and sending it to unlock the drive, this flag lets a user, on a booted system, generate the valid luks key with their yubikey, without manually going through the steps below, and without also rolling the challenge salt.

Why

Manually changing the luks setup with this program is currently undocumented. The challenge has to be manually read from ykdfe's files, then up to the first SHA1_MAX_BLOCK_SIZE / 2 bits of the 2fa password have to be manually written over the beginning of that challenge, then the whole thing is fed into ykchalresp, and only then is there an output that can be used by cryptsetup luksOpen or similar. That is a clearly unpleasant process to do manually.
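
The derivation described in the issue above, modelled as an added example (not part of the issue and not the project's code). Assumptions: `SHA1_MAX_BLOCK_SIZE` is 64, the limit is counted in bytes, the stored challenge is 64 bytes, and the YubiKey response is plain HMAC-SHA1 over the challenge, hex-encoded; the secret and challenge are constructed sample values.

```python
import hashlib
import hmac

SHA1_MAX_BLOCK_SIZE = 64               # assumption: value of the constant named in the issue
CHALLENGE_LEN = SHA1_MAX_BLOCK_SIZE    # assumption: stored challenge is one full block
MAX_2FA_LEN = SHA1_MAX_BLOCK_SIZE // 2 # assumption: limit counted in bytes


def overlay_second_factor(challenge: bytes, second_factor: bytes) -> bytes:
    """Write the 2FA password over the beginning of the stored challenge."""
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("unexpected challenge length")
    prefix = second_factor[:MAX_2FA_LEN]   # anything past the limit is ignored
    return prefix + challenge[len(prefix):]


def simulated_response(slot_secret: bytes, challenge: bytes) -> str:
    """Stand-in for the hardware step: HMAC-SHA1 over the challenge, as hex."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).hexdigest()


def keyslot_passphrase(slot_secret: bytes, stored_challenge: bytes,
                       second_factor: bytes) -> str:
    """Full chain: stored challenge + 2FA overlay -> response -> passphrase."""
    mixed = overlay_second_factor(stored_challenge, second_factor)
    return simulated_response(slot_secret, mixed)


# Constructed sample values; a real secret never leaves the token.
SAMPLE_SECRET = bytes(range(20))
SAMPLE_CHALLENGE = bytes(range(100, 100 + CHALLENGE_LEN))

if __name__ == "__main__":
    for pw in (b"", b"correct horse", b"A" * 32 + b"x", b"A" * 32 + b"y"):
        print(pw, keyslot_passphrase(SAMPLE_SECRET, SAMPLE_CHALLENGE, pw))
```

Under these assumptions, two 2FA passwords that share their first 32 bytes produce the same passphrase, and the passphrase is only valid until the stored challenge is rolled.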

@eworm-de
Owner

This is not intended to be used that way. Just keep another key slot around with a human-friendly (but still strong!) password.
