Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
How to wait for Yubikey to be plugged-in indefinitely?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
nagmat84
Apprentice
Apprentice


Joined: 27 Mar 2007
Posts: 297

PostPosted: Sun Oct 27, 2024 12:51 pm    Post subject: How to wait for Yubikey to be plugged-in indefinitely? Reply with quote

I have set up root partition encryption with LUKS, Fido2, Yubikey and Dracut. I have set up the token timeout value in /etc/crypttab to zero, aka infinite. However, this only seems to affect the time to wait until someone touches the presence confirmation on the Yubikey, if the Yubikey already has been plugged in before boot time. The timeout values does not seem to affect the time to wait until the Yubikey becomes available in case it hasn't been plugged in at all.

However, many time I power on my laptop and then recognize that I still have to fetch my Yubikey. When I come back, the boot process has already failed.

How do I configure LUKS to also indefinitely wait until the Yubikey is plugged in?

This is my current setup:

/etc/crypttab
Code:
# Volume Name    Encrypted Device                              Key File    Options
root             UUID=a1e92a68-a977-4c99-8e94-5ae023b52ff1     -           discard,fido2-device=auto,token-timeout=0


~ # cryptsetup luksDump /dev/sda6
Code:
LUKS header information
Version:        2
Epoch:          15
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           a1e92a68-a977-4c99-8e94-5ae023b52ff1
Label:          Gentoo Encrypted Root
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  1: luks2
        Key:        512 bits
        Priority:   preferred
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000
        Salt:       08 85 4b 7b 75 7a ee 78 67 26 17 e9 7c 72 de bf
                    74 5e 64 fc 3f 3b 0d a2 e7 32 7c f5 4c ef 1a 3e
        AF stripes: 4000
        AF hash:    sha512
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  2: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000
        Salt:       9d b6 b4 2b 20 85 0c 85 a0 8c 82 cf 35 45 ba 5c
                    07 0a 58 21 13 8b 89 d2 42 66 41 99 13 cb f6 0c
        AF stripes: 4000
        AF hash:    sha512
        Area offset:548864 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
  0: systemd-fido2
        fido2-credential:
                    04 20 9c 6e 2e 1b 86 35 2d 6b b7 75 9f f4 2b 9a
                    17 80 5f 53 7c 29 61 93 e6 78 4f da 2a fd f5 80
                    af 87 b0 09 a1 46 90 9f 88 67 48 3b d2 a2 60 43
                    c2 a4 ed 3d c1 a3 05 e6 03 9e 70 2b 4d e7 3c 78
        fido2-salt: 50 f1 dd 6d 07 78 53 0e 39 1d 2d f7 57 0f fd f2
                    d5 26 a6 20 97 24 54 a7 f8 d7 71 cd ea fd a8 75
        fido2-rp:   io.systemd.cryptsetup
        fido2-clientPin-required:
                    false
        fido2-up-required:
                    true
        fido2-uv-required:
                    false
        Keyslot:    1
  1: systemd-fido2
        fido2-credential:
                    2c 61 97 68 53 65 38 38 5b d1 41 dd f4 0a 17 52
                    a6 a9 d2 ac 48 d1 4a 5b 6b 63 5d dc f4 95 3c 6c
                    00 98 c9 9d dc 6b ef 2b 3e 4d c2 0e de ab a0 0d
                    cb 19 df 40 a0 80 12 6f c9 6e b7 f2 9a e5 45 9e
        fido2-salt: 18 c5 45 91 d0 65 c9 92 31 18 71 9d 3e 35 36 e7
                    78 0f 81 3e ae e0 e7 d9 70 4e c9 9a f5 56 4c 32
        fido2-rp:   io.systemd.cryptsetup
        fido2-clientPin-required:
                    false
        fido2-up-required:
                    true
        fido2-uv-required:
                    false
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 81310
        Salt:       46 ef 3a 05 2b 4d da 31 ec 23 84 8b 78 bf 5f 69
                    5a 10 20 29 6a 9f ba 8d 70 c9 6f d3 b1 e2 62 84
        Digest:     6c b8 7c 61 b3 07 f0 46 e0 f8 51 b4 71 f0 66 1f
                    ba 47 61 73 52 4e 7f b0 f6 78 42 2e 42 71 c4 a8
(Note: I have two Yubikey for backup reasons.)

Moreover, there two other minor inconveniences:
  • I am using Plymouth and there are no prompts from the graphical Plymouth screen, like "Plug in Token", "Touch Token Presence Indicator" or even error messages like "Failed to detect Token". I have to hit ESC and fall back to the text-based console to see these messages.
  • If the boot process failed, because the Yubikey has not been plugged in, there is an error message on the text-based console, but I am unable to reboot the laptop via Strg+Alt+Entf or via ACPI event and pressing the power button. I have to power down the laptop forcefully by pressing the power button 3secs. Even if the actual issue cannot be fixed, it would be nice if that would work at least.
Back to top
View user's profile Send private message
Brixhamite
n00b
n00b


Joined: 15 Nov 2024
Posts: 1

PostPosted: Fri Nov 15, 2024 6:47 pm    Post subject: Reply with quote

If you are looking for a way to detect Fido key removal you might find this handy ;
https://answers.microsoft.com/en-us/windows/forum/all/how-can-i-automatically-lock-my-screen-when-a/1c94f3be-3787-47d6-b533-f0d1ede88710

In the discussion they refer to using the task scheduler to create a task triggered by the key removal, and also mentioned using a github tool "yubikey locker": https://github.com/sciber-io/yubikey-locker


Last edited by Brixhamite on Fri Nov 15, 2024 6:51 pm; edited 1 time in total
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22975

PostPosted: Fri Nov 15, 2024 6:49 pm    Post subject: Reply with quote

Brixhamite wrote:
If you are looking for a way to detect Fido key removal you might find this handy ;
https://answers.microsoft.com/en-us/windows/forum/all/how-can-i-automatically-lock-my-screen-when-a/1c94f3be-3787-47d6-b533-f0d1ede88710
Welcome to the forums. Unfortunately, this answer appears to be off-topic and unhelpful. OP specifically indicated a desire to wait for the key to be added, not removed. Further, the question is not about Microsoft Windows, and is not about locking the screen. Finally, the cited page is a mess of JavaScript and fails to render.
Back to top
View user's profile Send private message
zen_desu
Tux's lil' helper
Tux's lil' helper


Joined: 25 Oct 2024
Posts: 99

PostPosted: Fri Nov 15, 2024 6:51 pm    Post subject: Reply with quote

If you use ugrd, it can attempt to use a yubikey (for GPG decryption), and if it fails, it will wait for you to press enter before it tries again. This isn't the exact same thing, but it lets you insert it later in the boot process without much trouble.

If you enable the `cryptsetup_prompt` option, it will require you to press enter before it attempts to decrypt.

ugrd only supports yubikeys being used for a GPG protected keyfile, so it may not do quite what you want.
_________________
µgRD dev
Wiki writer
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5298
Location: Bavaria

PostPosted: Sat Nov 16, 2024 12:26 am    Post subject: Reply with quote

nagmat84,

If you cannot find an automated solution, you can always add a line to the init script (“init”) of the initramfs manually (in the appropriate place):
Code:
read -p “Please insert yubikey and press enter to continue” nonvar

See here how to extract your initramfs and build it again:

https://wiki.gentoo.org/wiki/Custom_Initramfs#Extracting_the_cpio_archive
https://wiki.gentoo.org/wiki/Custom_Initramfs#Creating_a_separate_file
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum