
Two-factor authentication when mounting an encrypted LUKS partition using Yubikey 4

Part 3: Yubikey 4 and LUKS




Introduction


This article describes how to set up two-factor authentication with a Yubikey 4 for mounting an encrypted LUKS partition.

Setting up two-factor authentication with the Yubikey 4 for an encrypted LUKS partition can be divided into three parts:

1. Preparing the LUKS partition.
2. Preparing the operating system to use the Yubikey 4 key.
3. Using the Yubikey 4 key itself for two-factor authentication.

Initial conditions:


Preparing the LUKS partition




First, take stock of the existing LUKS partition.

Two-factor authentication with the Yubikey 4 needs one free LUKS key slot on the partition, so you need to know how many slots are free and which ones.

It is also worth adding a backup key in case the main key is lost or accidentally overwritten. As a further safeguard, a dump of the MasterKey can be made.

Note that on a real system the device may not be /dev/sdb1; the commands in this article are illustrative. On your system it might be, for example, /dev/sdb5.

Eight LUKS key slots


LUKS provides eight key slots per encrypted partition, each of which can hold a separate key. Any of the eight keys can be used to decrypt the partition: you may use just one, or assign all eight.
To view all slots, use the cryptsetup command:

# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
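Before enrolling a Yubikey it is worth scripting the slot inventory rather than reading it by eye: the check below is an added example (not from the article) that parses the LUKS1 `luksDump | grep Slot` listing shown above, reports free and enabled slots, picks the lowest free slot for `luksAddKey -S`, and confirms that at least one passphrase slot stays enabled as a fallback. The sample listing is constructed from the output above; on a real system pipe in `cryptsetup luksDump /dev/sdb1 | grep Slot` instead.

```shell
#!/bin/sh
# Added example: inventory LUKS1 key slots from "cryptsetup luksDump" output.
# SAMPLE_DUMP is constructed from the article's listing; on a real system use
#   cryptsetup luksDump /dev/sdb1 | grep Slot

SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of all slots in the given state (ENABLED or DISABLED),
# space-separated on a single line. $1 = dump text, $2 = state.
slots_in_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Key Slot [0-7]:/ {
            n = $3; sub(":", "", n)              # "2:" -> "2"
            if ($4 == want) out = out (out == "" ? "" : " ") n
        }
        END { print out }'
}

free_slots()    { slots_in_state "$1" DISABLED; }
enabled_slots() { slots_in_state "$1" ENABLED; }

# Lowest free slot number, suitable for "cryptsetup luksAddKey -S <n>".
# Prints nothing and returns 1 when all eight slots are taken.
first_free_slot() {
    set -- $(free_slots "$1")
    [ $# -gt 0 ] || return 1
    printf '%s\n' "$1"
}

# Enrolling the Yubikey needs (a) a free slot for it and (b) at least one
# enabled passphrase slot left as a fallback if the key is lost.
ready_for_yubikey() {
    dump=$1
    enabled=$(( $(enabled_slots "$dump" | wc -w) ))
    free=$(( $(free_slots "$dump" | wc -w) ))
    [ "$free" -ge 1 ] && [ "$enabled" -ge 1 ]
}

# Stand-alone demo on the constructed listing.
echo "Enabled slots: $(enabled_slots "$SAMPLE_DUMP")"
echo "Free slots:    $(free_slots "$SAMPLE_DUMP")"
echo "Use -S $(first_free_slot "$SAMPLE_DUMP") for the Yubikey slot"
```

The awk pattern is tied to the LUKS1 header format the article shows (`Key Slot N: ENABLED|DISABLED`); LUKS2 headers print a different `Keyslots:` section and would need a different pattern.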

In this example:


Adding a new key


To add a new key (a passphrase) to an encrypted LUKS partition, use the luksAddKey command:

# cryptsetup luksAddKey /dev/sdb1
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:

In this example:


A new key will be added to the next available slot. In this case, it will be slot 2.

# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Adding a new key to the specified slot


To add a key to a specific slot, use the -S option with the slot number:

# cryptsetup luksAddKey /dev/sdb1 -S 5
# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: ENABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Deleting an existing key


To delete an existing key, use the luksRemoveKey command:

# cryptsetup luksRemoveKey /dev/sdb1
Enter LUKS passphrase to be deleted:

When removing a key this way, no slot number is given; you must enter exactly the passphrase (key) that was assigned to the target slot.

# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Removing a key by slot number


To remove a key when you do not know the key for the target slot but simply want to clear that slot, use the luksKillSlot command with the slot number.

Removing the key from slot 2; you will be prompted for any other key assigned to the LUKS partition:

# cryptsetup luksKillSlot /dev/sdb1 2
Enter any remaining LUKS passphrase:

Result:

# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Adding a new LUKS key from a file


It is also possible to add a new key whose contents are read from a file:

# cryptsetup luksAddKey /dev/sdb1 masterkeyfile
Enter any passphrase:

In this example:


Result:

# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Resetting a forgotten LUKS key - setting a new key


If you have rebooted the server and cannot mount the encrypted LUKS partition because you forgot the LUKS password, there are no options left: the data is lost. The partition will have to be set up from scratch again (encrypted, possibly re-partitioned, a file system created, data restored).

However, if the encrypted LUKS partition is still open, the system has not been rebooted, and you have forgotten the LUKS password for this still-mounted partition, then you can assign a new LUKS key.

In the “I forgot my LUKS password” scenario, you can do the following two steps:


In this example the /home1 partition, a LUKS-encrypted partition whose password is unknown, is mounted.

# df -h
Filesystem         Size  Used Avail Use% Mounted on
/dev/sda1          127G   44G   76G  37% /
/dev/mapper/home1   93G  188M   88G   1% /home1

The volume name is in the first column of the df -h output, after /dev/mapper/; in this example it is home1.

The following command lists the device-mapper tables, including the encryption keys, for all encrypted volumes currently mounted on the system:

# dmsetup table --showkeys
home1: 0 197259264 crypt aes-cbc-essiv:sha256 607f482870c795a9b1e307ffbfc6643eaa219e9ef8c6773de02cd298c8fcda3c 0 8:17 4096

The field after aes-cbc-essiv:sha256 is the master key of the open volume in hexadecimal (the same bytes that luksDump --dump-master-key prints). Copy it into a text file:

# vi existinglukskey.txt
607f482870c795a9b1e307ffbfc6643eaa219e9ef8c6773de02cd298c8fcda3c

Now convert the key from the text file into a binary file using the xxd command:

 # xxd -r -p existinglukskey.txt existinglukskey.bin 

In this example:


Finally, add a new LUKS key, authorising the change with the existing master key stored in the binary file:

# cryptsetup luksAddKey /dev/sdb1 --master-key-file <(cat existinglukskey.bin)
Enter new passphrase for key slot:
Verify passphrase:

In this example:


Dump LUKS MasterKey


You can also dump the MasterKey and store it in a safe place. Remember that anyone holding the MasterKey dump can access your LUKS partition.

# cryptsetup luksDump --dump-master-key /dev/sdb1
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
LUKS header information for /dev/sdb1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Payload offset: 4096
UUID:           146d639a-757c-4bcb-aee6-8fe815345104
MK bits:        256
MK dump:        60 7f 48 28 70 c7 95 a9 b1 e3 07 ff bf c6 64 3e
                aa 21 9e 9e f8 c6 77 3d e0 2c d2 98 c8 fc da 3c
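The recovery procedure above (dmsetup table, xxd, luksAddKey --master-key-file) and the MasterKey dump are two views of the same 256-bit key, and a mistake in copying it by hand only shows up when luksAddKey rejects it. The following is an added example, not part of the article, that extracts the key field from a dmsetup table line, checks that its length matches the "MK bits" value from the header, writes it as a binary key file with owner-only permissions, and cross-checks it against the "MK dump" bytes. The sample lines are constructed from the article's listings; the hex-to-binary conversion is done in plain POSIX shell rather than with xxd so that it runs where xxd is not installed.

```shell
#!/bin/sh
# Added example: recover the dm-crypt master key from "dmsetup table
# --showkeys", validate it, and write it as a binary file for
# "cryptsetup luksAddKey --master-key-file". Sample data is constructed
# from the article's listings.

DM_LINE='home1: 0 197259264 crypt aes-cbc-essiv:sha256 607f482870c795a9b1e307ffbfc6643eaa219e9ef8c6773de02cd298c8fcda3c 0 8:17 4096'
MK_BITS=256      # "MK bits:" from cryptsetup luksDump
MK_DUMP='60 7f 48 28 70 c7 95 a9 b1 e3 07 ff bf c6 64 3e aa 21 9e 9e f8 c6 77 3d e0 2c d2 98 c8 fc da 3c'

# dm-crypt table layout (with the "name:" prefix dmsetup adds when listing
# all devices): name: start length crypt <cipher> <key-hex> <iv_off> <dev> <off>
# Print the key hex for mapping $2 found in table text $1, or return 1.
dm_key_hex() {
    printf '%s\n' "$1" | awk -v name="$2:" '
        $1 == name && $4 == "crypt" { print $6; found = 1 }
        END { exit found ? 0 : 1 }'
}

# The key must be exactly MK_BITS/4 hex digits and nothing else.
check_key_len() {
    hex=$1; bits=$2
    [ "${#hex}" -eq $((bits / 4)) ] || return 1
    case $hex in *[!0-9a-fA-F]*) return 1 ;; esac
}

# Pure-POSIX replacement for "xxd -r -p": hex string on $1, raw bytes on stdout.
hex_to_bin() {
    hex=$1
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}            # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$pair))")"   # emit one byte via octal escape
    done
}

# Raw bytes on stdin back to lowercase hex, for verification.
bin_to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Write the binary key to $1 with mode 0600 (umask applied in a subshell).
write_master_key_file() {
    ( umask 077; hex_to_bin "$2" > "$1" )
}

# Does the dm-crypt key ($1) equal the "MK dump" bytes ($2) from luksDump?
mk_matches_dump() {
    [ "$1" = "$(printf '%s' "$2" | tr -d ' ')" ]
}

# Stand-alone demo on the constructed data.
KEY=$(dm_key_hex "$DM_LINE" home1) && check_key_len "$KEY" "$MK_BITS" \
    && mk_matches_dump "$KEY" "$MK_DUMP" \
    && echo "key ok: $(( ${#KEY} * 4 )) bits, matches MK dump"
```

Once the key file is written the article's final step applies unchanged (`cryptsetup luksAddKey /dev/sdb1 --master-key-file existinglukskey.bin`); remove the file afterwards, since it is as sensitive as the MasterKey dump itself.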

So, using the methods above, the following needs to be done before proceeding:


Sources
The translation is based on this site.

A full treatment of the cryptsetup utility is beyond the scope of this article.
Those interested can study the usage and options of cryptsetup on their own. Some resources for getting started: wiki.archlinux.org, gitlab.com.

Preparing to use the Yubikey 4 key in the operating system


You must install the software for working with the Yubikey 4 key. On Ubuntu-based systems version 16.04 and later, run the following commands:

1. sudo apt-get install yubikey-luks
2. sudo apt-get install yubikey-personalization
3. Insert the Yubikey 4 key into the USB slot and execute the command:

 ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible 

The Yubikey has two configuration slots. yubikey-luks uses slot 2, so slot 1 remains available for the normal OTP mode.

4. To bind the Yubikey 4 key to a LUKS slot, use the yubikey-luks-enroll command. The executable (a script) is located at /usr/bin/yubikey-luks-enroll. The script assumes that the LUKS partition is on /dev/sda5. If that is not the case on your system, copy the script to your home directory and correct the line:

 DISK="/dev/sda5" 

Note that the device name used for the encrypted partition differs between systems booting via BIOS and via UEFI. For BIOS-booted systems the default encrypted volume is /dev/sda5; for UEFI-booted systems the default encrypted volume is /dev/sda3.

5. After adjusting the parameters in the yubikey-luks-enroll script, run it. The script asks for a new password, which is sent to the Yubikey 4 as the challenge (challenge-response mode) and which you then use for two-factor authentication at system boot.
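The hard-coded DISK line is the usual stumbling block in this step: on a UEFI machine the script's default points at a partition that is not the LUKS container, and yubikey-luks-enroll then fails or enrols against the wrong device. The check below is an added example, not part of the article or of the yubikey-luks package, that reads DISK from your edited copy of the script, compares it with the crypto_LUKS devices that lsblk reports, and rewrites the line into a new copy when needed. The lsblk output and the script fragment are constructed samples; on a real system use `lsblk -rno NAME,FSTYPE` and your copy of /usr/bin/yubikey-luks-enroll.

```shell
#!/bin/sh
# Added example: verify that the DISK hard-coded in a copy of
# yubikey-luks-enroll is really a LUKS container on this machine.
# SAMPLE_LSBLK is constructed; on a real system use: lsblk -rno NAME,FSTYPE

SAMPLE_LSBLK='sda
sda1 vfat
sda2 ext4
sda3 crypto_LUKS
sda3_crypt ext4'

# List /dev paths of all block devices whose FSTYPE is crypto_LUKS.
# $1 = "lsblk -rno NAME,FSTYPE" output.
luks_devices() {
    printf '%s\n' "$1" | awk '$2 == "crypto_LUKS" { print "/dev/" $1 }'
}

# Extract the value of the DISK="..." assignment from a copy of the script ($1).
script_disk() {
    sed -n 's/^DISK="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Write a copy of script $1 with DISK set to $2 into $3 (the original is
# left untouched, matching the article's advice to edit a copy).
set_script_disk() {
    sed "s|^DISK=\"[^\"]*\"|DISK=\"$2\"|" "$1" > "$3"
}

# Return 0 if the script's DISK is one of the LUKS containers in $2,
# otherwise print a hint to stderr and return 1.
check_enroll_disk() {
    disk=$(script_disk "$1")
    for dev in $(luks_devices "$2"); do
        [ "$dev" = "$disk" ] && return 0
    done
    echo "DISK=$disk is not a LUKS container here; found: $(luks_devices "$2" | tr '\n' ' ')" >&2
    return 1
}

# Stand-alone demo: a constructed copy of the script with the BIOS default.
DEMO=$(mktemp)
printf '%s\n' '#!/bin/sh' 'DISK="/dev/sda5"' 'echo "would enroll on $DISK"' > "$DEMO"
if check_enroll_disk "$DEMO" "$SAMPLE_LSBLK"; then
    echo "DISK is fine"
else
    echo "fix the DISK line before running yubikey-luks-enroll"
fi
rm -f "$DEMO"
```

Run the check against your edited copy before executing it; the enrol script prompts for the new challenge password and writes to the LUKS header of whatever DISK names, so getting this right beforehand avoids touching the wrong partition.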

Using the Yubikey 4 key for two-factor authentication


  1. Insert the Yubikey 4 key into the USB slot of the computer.
  2. Turn on the computer.
  3. In the password field, enter the challenge password (the one created when the yubikey-luks-enroll script was run) and press Enter.
  4. After the password has been sent to the Yubikey and its response received, decryption of the LUKS partition begins, after which the operating system boots.
  5. After the decryption process is complete, the Yubikey 4 key can be removed from the USB slot.

If the Yubikey 4 key is lost (or absent), the previously set passphrase can still be used to decrypt the partition, provided of course that a passphrase was entered earlier and stored in one of the partition's LUKS slots.

Conclusion



Using a Yubikey device as the second factor of authentication can significantly increase the security of working with encrypted LUKS partitions.

Source: https://habr.com/ru/post/329648/

