Gentoo Forums
How to wait for Yubikey to be plugged-in indefinitely?
nagmat84
Apprentice
Joined: 27 Mar 2007
Posts: 260

Posted: Sun Oct 27, 2024 12:51 pm    Post subject: How to wait for Yubikey to be plugged-in indefinitely?

I have set up root partition encryption with LUKS, FIDO2, Yubikey and Dracut. I have set the token timeout value in /etc/crypttab to zero, aka infinite. However, this only seems to affect the time to wait until someone touches the presence confirmation on the Yubikey, if the Yubikey has already been plugged in before boot time. The timeout value does not seem to affect the time to wait until the Yubikey becomes available in case it hasn't been plugged in at all.

However, many times I power on my laptop and then recognize that I still have to fetch my Yubikey. When I come back, the boot process has already failed.

How do I configure LUKS to also indefinitely wait until the Yubikey is plugged in?

This is my current setup:

/etc/crypttab
Code:
# Volume Name    Encrypted Device                              Key File    Options
root             UUID=a1e92a68-a977-4c99-8e94-5ae023b52ff1     -           discard,fido2-device=auto,token-timeout=0


~ # cryptsetup luksDump /dev/sda6
Code:
LUKS header information
Version:        2
Epoch:          15
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           a1e92a68-a977-4c99-8e94-5ae023b52ff1
Label:          Gentoo Encrypted Root
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  1: luks2
        Key:        512 bits
        Priority:   preferred
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000
        Salt:       08 85 4b 7b 75 7a ee 78 67 26 17 e9 7c 72 de bf
                    74 5e 64 fc 3f 3b 0d a2 e7 32 7c f5 4c ef 1a 3e
        AF stripes: 4000
        AF hash:    sha512
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  2: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000
        Salt:       9d b6 b4 2b 20 85 0c 85 a0 8c 82 cf 35 45 ba 5c
                    07 0a 58 21 13 8b 89 d2 42 66 41 99 13 cb f6 0c
        AF stripes: 4000
        AF hash:    sha512
        Area offset:548864 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
  0: systemd-fido2
        fido2-credential:
                    04 20 9c 6e 2e 1b 86 35 2d 6b b7 75 9f f4 2b 9a
                    17 80 5f 53 7c 29 61 93 e6 78 4f da 2a fd f5 80
                    af 87 b0 09 a1 46 90 9f 88 67 48 3b d2 a2 60 43
                    c2 a4 ed 3d c1 a3 05 e6 03 9e 70 2b 4d e7 3c 78
        fido2-salt: 50 f1 dd 6d 07 78 53 0e 39 1d 2d f7 57 0f fd f2
                    d5 26 a6 20 97 24 54 a7 f8 d7 71 cd ea fd a8 75
        fido2-rp:   io.systemd.cryptsetup
        fido2-clientPin-required:
                    false
        fido2-up-required:
                    true
        fido2-uv-required:
                    false
        Keyslot:    1
  1: systemd-fido2
        fido2-credential:
                    2c 61 97 68 53 65 38 38 5b d1 41 dd f4 0a 17 52
                    a6 a9 d2 ac 48 d1 4a 5b 6b 63 5d dc f4 95 3c 6c
                    00 98 c9 9d dc 6b ef 2b 3e 4d c2 0e de ab a0 0d
                    cb 19 df 40 a0 80 12 6f c9 6e b7 f2 9a e5 45 9e
        fido2-salt: 18 c5 45 91 d0 65 c9 92 31 18 71 9d 3e 35 36 e7
                    78 0f 81 3e ae e0 e7 d9 70 4e c9 9a f5 56 4c 32
        fido2-rp:   io.systemd.cryptsetup
        fido2-clientPin-required:
                    false
        fido2-up-required:
                    true
        fido2-uv-required:
                    false
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 81310
        Salt:       46 ef 3a 05 2b 4d da 31 ec 23 84 8b 78 bf 5f 69
                    5a 10 20 29 6a 9f ba 8d 70 c9 6f d3 b1 e2 62 84
        Digest:     6c b8 7c 61 b3 07 f0 46 e0 f8 51 b4 71 f0 66 1f
                    ba 47 61 73 52 4e 7f b0 f6 78 42 2e 42 71 c4 a8
(Note: I have two Yubikeys for backup reasons.)

Moreover, there are two other minor inconveniences:
  • I am using Plymouth and there are no prompts from the graphical Plymouth screen, like "Plug in Token", "Touch Token Presence Indicator" or even error messages like "Failed to detect Token". I have to hit ESC and fall back to the text-based console to see these messages.
  • If the boot process failed because the Yubikey has not been plugged in, there is an error message on the text-based console, but I am unable to reboot the laptop via Ctrl+Alt+Del or via an ACPI event by pressing the power button. I have to power down the laptop forcefully by holding the power button for 3 seconds. Even if the actual issue cannot be fixed, it would be nice if at least that worked.
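The plug-in phase the post describes (wait for the token to exist at all, not just for a touch) is what a polling loop ahead of systemd-cryptsetup would have to cover. The script below is an added example and is not part of the original post, dracut, or systemd: it polls sysfs until a hidraw device whose HID name matches "YubiKey" appears, with a timeout of 0 meaning "wait forever", mirroring the token-timeout=0 semantics the poster wants. The sysfs root is a parameter so the logic can be exercised against a constructed directory tree instead of the real /sys; the HID_NAME match string and where the hook would be wired into the initramfs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from dracut/systemd.
# Assumption: a YubiKey enumerates as /sys/class/hidraw/hidrawN with a
# device/uevent line "HID_NAME=... YubiKey ...". A plain hidraw glob is not
# enough, because keyboards and mice are hidraw devices too.

# yubikey_hidraw SYSFS_ROOT
#   Prints the sysfs path of the first hidraw device whose HID name
#   matches "YubiKey"; returns 1 if none is present.
yubikey_hidraw() {
    root=$1
    for uevent in "$root"/class/hidraw/hidraw*/device/uevent; do
        [ -f "$uevent" ] || continue        # unexpanded glob or vanished device
        if grep -q '^HID_NAME=.*YubiKey' "$uevent"; then
            printf '%s\n' "${uevent%/device/uevent}"
            return 0
        fi
    done
    return 1
}

# wait_for_yubikey SYSFS_ROOT TIMEOUT [INTERVAL]
#   Polls yubikey_hidraw every INTERVAL seconds (default 1) until it succeeds.
#   TIMEOUT is in seconds; 0 means wait indefinitely, like token-timeout=0.
#   Returns 0 once the token is present, 1 when TIMEOUT elapses first.
wait_for_yubikey() {
    root=$1; timeout=${2:-0}; interval=${3:-1}
    elapsed=0
    while ! yubikey_hidraw "$root"; do
        if [ "$timeout" -gt 0 ] && [ "$elapsed" -ge "$timeout" ]; then
            echo "no YubiKey found after ${timeout}s" >&2
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
}

# Typical call from an initramfs hook that runs before the LUKS unlock:
#   wait_for_yubikey /sys 0
```

Because the loop only checks for the device node, the presence touch and the actual FIDO2 assertion are still left to systemd-cryptsetup afterwards; the script only closes the gap where the unlock gives up before the token exists. Polling at one-second granularity is deliberate: udev rules can react to the hotplug event instead, but a loop like this is easy to drop into an initramfs with nothing but sh, grep and sleep.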