View previous topic :: View next topic |
Author |
Message |
nagmat84 Apprentice
Joined: 27 Mar 2007 Posts: 290
|
Posted: Sun Oct 27, 2024 12:51 pm Post subject: How to wait for Yubikey to be plugged-in indefinitely? |
|
|
I have set up root partition encryption with LUKS, Fido2, Yubikey and Dracut. I have set up the token timeout value in /etc/crypttab to zero, aka infinite. However, this only seems to affect the time to wait until someone touches the presence confirmation on the Yubikey, if the Yubikey already has been plugged in before boot time. The timeout values does not seem to affect the time to wait until the Yubikey becomes available in case it hasn't been plugged in at all.
However, many time I power on my laptop and then recognize that I still have to fetch my Yubikey. When I come back, the boot process has already failed.
How do I configure LUKS to also indefinitely wait until the Yubikey is plugged in?
This is my current setup:
/etc/crypttab Code: | # Volume Name Encrypted Device Key File Options
root UUID=a1e92a68-a977-4c99-8e94-5ae023b52ff1 - discard,fido2-device=auto,token-timeout=0 |
~ # cryptsetup luksDump /dev/sda6 Code: | LUKS header information
Version: 2
Epoch: 15
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: a1e92a68-a977-4c99-8e94-5ae023b52ff1
Label: Gentoo Encrypted Root
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
1: luks2
Key: 512 bits
Priority: preferred
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha512
Iterations: 1000
Salt: 08 85 4b 7b 75 7a ee 78 67 26 17 e9 7c 72 de bf
74 5e 64 fc 3f 3b 0d a2 e7 32 7c f5 4c ef 1a 3e
AF stripes: 4000
AF hash: sha512
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
2: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha512
Iterations: 1000
Salt: 9d b6 b4 2b 20 85 0c 85 a0 8c 82 cf 35 45 ba 5c
07 0a 58 21 13 8b 89 d2 42 66 41 99 13 cb f6 0c
AF stripes: 4000
AF hash: sha512
Area offset:548864 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
0: systemd-fido2
fido2-credential:
04 20 9c 6e 2e 1b 86 35 2d 6b b7 75 9f f4 2b 9a
17 80 5f 53 7c 29 61 93 e6 78 4f da 2a fd f5 80
af 87 b0 09 a1 46 90 9f 88 67 48 3b d2 a2 60 43
c2 a4 ed 3d c1 a3 05 e6 03 9e 70 2b 4d e7 3c 78
fido2-salt: 50 f1 dd 6d 07 78 53 0e 39 1d 2d f7 57 0f fd f2
d5 26 a6 20 97 24 54 a7 f8 d7 71 cd ea fd a8 75
fido2-rp: io.systemd.cryptsetup
fido2-clientPin-required:
false
fido2-up-required:
true
fido2-uv-required:
false
Keyslot: 1
1: systemd-fido2
fido2-credential:
2c 61 97 68 53 65 38 38 5b d1 41 dd f4 0a 17 52
a6 a9 d2 ac 48 d1 4a 5b 6b 63 5d dc f4 95 3c 6c
00 98 c9 9d dc 6b ef 2b 3e 4d c2 0e de ab a0 0d
cb 19 df 40 a0 80 12 6f c9 6e b7 f2 9a e5 45 9e
fido2-salt: 18 c5 45 91 d0 65 c9 92 31 18 71 9d 3e 35 36 e7
78 0f 81 3e ae e0 e7 d9 70 4e c9 9a f5 56 4c 32
fido2-rp: io.systemd.cryptsetup
fido2-clientPin-required:
false
fido2-up-required:
true
fido2-uv-required:
false
Keyslot: 2
Digests:
0: pbkdf2
Hash: sha256
Iterations: 81310
Salt: 46 ef 3a 05 2b 4d da 31 ec 23 84 8b 78 bf 5f 69
5a 10 20 29 6a 9f ba 8d 70 c9 6f d3 b1 e2 62 84
Digest: 6c b8 7c 61 b3 07 f0 46 e0 f8 51 b4 71 f0 66 1f
ba 47 61 73 52 4e 7f b0 f6 78 42 2e 42 71 c4 a8 | (Note: I have two Yubikey for backup reasons.)
Moreover, there two other minor inconveniences:- I am using Plymouth and there are no prompts from the graphical Plymouth screen, like "Plug in Token", "Touch Token Presence Indicator" or even error messages like "Failed to detect Token". I have to hit ESC and fall back to the text-based console to see these messages.
- If the boot process failed, because the Yubikey has not been plugged in, there is an error message on the text-based console, but I am unable to reboot the laptop via Strg+Alt+Entf or via ACPI event and pressing the power button. I have to power down the laptop forcefully by pressing the power button 3secs. Even if the actual issue cannot be fixed, it would be nice if that would work at least.
|
|
Back to top |
|
|
Brixhamite n00b
Joined: 15 Nov 2024 Posts: 1
|
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22870
|
Posted: Fri Nov 15, 2024 6:49 pm Post subject: |
|
|
Welcome to the forums. Unfortunately, this answer appears to be off-topic and unhelpful. OP specifically indicated a desire to wait for the key to be added, not removed. Further, the question is not about Microsoft Windows, and is not about locking the screen. Finally, the cited page is a mess of JavaScript and fails to render. |
|
Back to top |
|
|
zen_desu n00b
Joined: 25 Oct 2024 Posts: 68
|
Posted: Fri Nov 15, 2024 6:51 pm Post subject: |
|
|
If you use ugrd, it can attempt to use a yubikey (for GPG decryption), and if it fails, it will wait for you to press enter before it tries again. This isn't the exact same thing, but it lets you insert it later in the boot process without much trouble.
If you enable the `cryptsetup_prompt` option, it will require you to press enter before it attempts to decrypt.
ugrd only supports yubikeys being used for a GPG protected keyfile, so it may not do quite what you want. _________________ µgRD dev
Wiki writer |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5242 Location: Bavaria
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|