Two-factor authentication when mounting an encrypted LUKS partition using Yubikey 4
Part 3: Yubikey 4 and LUKS

Introduction
This article discusses the implementation of two-factor authentication using the Yubikey 4 key to mount the encrypted LUKS partition.
The process of implementing two-factor authentication using the Yubikey 4 key to mount the encrypted LUKS partition can be divided into three parts:
1. Preparing the LUKS partition.
2. Preparing to use the Yubikey 4 key in the operating system.
3. Directly using the Yubikey 4 key for two-factor authentication.
Initial conditions:
- Linux Mint 18 Sarah 64-bit
- Yubikey 4
Preparing the LUKS section

A preliminary analysis of the existing LUKS section is necessary.
To use two-factor authentication using the Yubikey 4 key, we need one free slot in the LUKS section. Therefore, you need to know how many slots are free and which ones.
In addition, it will be nice to enter an additional (backup) key in case of loss (accidental rewriting) of the main key. As an additional security measure, a MasterKey dump can be created.
It is important to note that on a real system, not / dev / sdb1, but another device can be used. The commands in the article are given for illustration. On your system, for example, it may be the device / dev / sdb5.
Eight LUKS Key Slots
LUKS uses eight slots for one encrypted partition, each of which can store a separate key. Any of the eight keys can be used to decrypt the partition. You can use only one key, or you can assign all eight.
To view all slots, you must use the cryptsetup command :
# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLEDIn this example:
- / dev / sdb1 - LUKS section.
- Key slots start at number 0. Thus, you can use slots 0 through 7.
- ENABLED - the slot contains the key assigned to the LUKS section.
- Two slots are designated for storing keys.
Adding a new key
To add a new key - a passphrase - of the encrypted LUKS section, use the luksAddKey command:
# cryptsetup luksAddKey /dev/sdb1
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:In this example:
- / dev / sdb1 - encrypted partition
- Enter any passphrase: - enter any existing key
- Enter new passphrase for key slot: - enter a new key
- Verify passphrase: - repeat entering a new key
The new key will be added to the next available slot. In this case, it will be slot 2.
# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLEDAdding a new key to the specified slot
To add a key to the specified slot, use the -S option with the slot number:
# cryptsetup luksAddKey /dev/sdb1 -S 5
# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: ENABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLEDDelete an existing key
To delete an existing key, use the luksRemoveKey command:
# cryptsetup luksRemoveKey /dev/sdb1
Enter LUKS passphrase to be deleted:When deleting a key, the slot number is not used; you must enter the passphrase exactly - the key (the one that was assigned to the target slot).
# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLEDKey Removal
To delete a key, use the luksKillSlot command. This command is used if you do not have a key for the target slot, but just want to remove the key from this slot.
Removing a key from slot number 2. You will be prompted to enter any assigned LUKS key.
# cryptsetup luksKillSlot /dev/sdb1 2
Enter any remaining LUKS passphrase:Result:
# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLEDAdding a new LUKS key from a file
It is also possible to add a new key from a file:
# cryptsetup luksAddKey /dev/sdb1 masterkeyfile
Enter any passphrase:In this example:
- masterkeyfile contains the new key that you want to add. It must be a binary (binary) file.
- When you are asked to enter a passphrase, you must enter any of the existing keys for the specified / dev / sdb1 partition.
Result:
# cryptsetup luksDump /dev/sdb1 | grep Slot
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLEDReset a forgotten LUKS key - install a new key
If you rebooted (your) server and cannot mount your encrypted LUKS partition because you forgot your LUKS password, you have no options. Data is lost. We'll have to work with the partition again (encrypt, possibly re-partition, create a file system, fill it with data).
However, if the encrypted LUKS partition is still open, you did not reboot the system and you forgot the LUKS password for this partition that is still mounted, then you can assign a new LUKS key.
In the “I forgot my LUKS password” scenario, you can take the following two steps:
- Extract the current encryption key from the LUKS section.
- Create a new LUKS key using the pre-allocated key.
In this example, the / home1 partition is mounted, which is the encrypted LUKS partition, but the password for it is unknown.
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 127G 44G 76G 37% /
/dev/mapper/home1 93G 188M 88G 1% /home1The volume name is in the first column of the output of the “df -h” command after “/ dev / mapper /”, in this example the volume name is “home1”.
The following command will show a list of all encryption keys for all partitions that are mounted on the system:
# dmsetup table --showkeys
home1: 0 197259264 crypt aes-cbc-essiv:sha256 607f482870c795a9b1e307ffbfc6643eaa219e9ef8c6773de02cd298c8fcda3c 0 8:17 4096The field after "aes-cbc-essiv: sha256" is the encrypted password. Get the encrypted LUKS key and save it to a file:
# vi existinglukskey.txt
607f482870c795a9b1e307ffbfc6643eaa219e9ef8c6773de02cd298c8fcda3cSo, now we convert the received key from a text file to a binary file. To do this, use the "xxd" command:
# xxd -r -p existinglukskey.txt existinglukskey.binIn this example:
- -r option for inverse conversion. This will convert hexdump to binary.
- -p option to handle postscript. Here it’s hard for me to adequately translate the man manual (output in postscript continuous hexdump style. Also known as plain hexdump style).
- existinglukskey.txt input file.
- existinglukskey.bin output file. It will contain the existing encrypted LUKS password in a binary file.
And finally, add a new LUKS key using the existing key selected in the binary file:
# cryptsetup luksAddKey /dev/sdb1 --master-key-file <(cat existinglukskey.bin)
Enter new passphrase for key slot:
Verify passphrase:In this example:
- --master-key-file Specifies a binary file. Do not use the input existinglukskey.txt file. Use the output existinglukskey.bin file.
- As you can see, the cryptsetup luksAddKey command does not ask about the existing LUKS password, as it is taken from a binary file.
- When the command prompt “Enter new passphrase for key slot:” appears, enter the new LUKS password. And, this time, do not forget it.
Dump LUKS MasterKey
You can also dump MasterKey and store it in a safe place. Remember that using MasterKey dump anyone can have access to your LUKS section.
# cryptsetup luksDump --dump-master-key /dev/sdb1
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
LUKS header information for /dev/sdb1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Payload offset: 4096
UUID: 146d639a-757c-4bcb-aee6-8fe815345104
MK bits: 256
MK dump: 60 7f 48 28 70 c7 95 a9 b1 e3 07 ff bf c6 64 3e
aa 21 9e 9e f8 c6 77 3d e0 2c d2 98 c8 fc da 3cSo, using the methods described above, it is necessary to do the following for further actions:
- Identify device (s) with an encrypted LUKS partition.
- Determine which slots are free for writing key (s).
- If necessary, add a new key (backup).
A full discussion of the operation of the cryptsetup utility is beyond the scope of this article.
Those who wish can independently familiarize themselves with the application and options of the cryptsetup utility. Here are some resources to get you started : wiki.archlinux.org , gitlab.com .
Preparing to use the Yubikey 4 key in the operating system
You must install the software to work with the Yubikey key 4. On systems based on Ubuntu versions 16.04 and later , the following commands are executed:
1. sudo apt-get install yubikey-luks
2. sudo apt-get install yubikey-personalization
3. Insert into the USB slot key Yubikey 4 and execute the command:
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visibleYubikey has two slots. Slot # 2 is used here, so slot # 1 can be used in normal “OTP” mode.
4. To “bind” the Yubikey 4 key to the LUKS slot, use the “yubikey-luks-enroll” command. The executable file (script) is located at / usr / bin / yubikey-luks-enroll. The script assumes that the LUKS partition is on the device / dev / sda5. If this is not the case in your case, copy the script to your home directory and adjust the line:
DISK="/dev/sda5"It should be noted that there is a difference between the device name used for the encrypted partition in systems with BIOS and UEFI. For systems booting using the BIOS, the default volume name for encryption is / dev / sda5. For systems with UEFI boot, the default volume name for the encrypted partitions is / dev / sda3.
5. After adjusting the parameters in the script yubikey-luks-enroll - run it. When the script is executed, a new password will be requested, which will be sent to Yubikey 4 to create a response (challenge-response mode) and which you can use for two-factor authentication when booting the system.
Using Yubikey 4 Key for Two-Factor Authentication
- Insert the Yubikey 4 key into the USB slot of the computer.
- Turn on the computer.
- In the password input field, enter the call password - the password created when the yubikey-luks-enroll script was run. Press the enter key on the keyboard.
- After sending the call password to the Yubikey key and receiving a response, the process of decrypting the LUKS partition will begin, after which the operating system will be loaded.
- After the decryption process is complete, the Yubikey 4 key can be removed from the USB slot.
In case of loss (absence) of the Yubikey 4 key, it is still possible to use the previously entered password phrase to decrypt the partition. Unless, of course, the passphrase was previously entered and stored in one of the slots of the LUKS section.
Conclusion

Using a Yubikey device as a key as a second factor in the authentication process can significantly increase the security of working with encrypted LUKS partitions.