This package allows you to automatically decrypt your LUKS-encrypted partitions using a YubiKey, by registering the key's HMAC challenge/response as a clevis pin.

1. Have a LUKS partition already set up using `cryptsetup` with a working passphrase (for example, `/dev/sda5`). Be sure to SAVE this passphrase in case of failure: it stays the fallback whenever the YubiKey is lost, broken or simply not inserted.

2. Set up your YubiKey's challenge/response mechanism in its slot 1 with `ykpersonalize`, like this:

   ```
   ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
   ```

   (note the `-1` indicating usage of slot 1). Programming a slot replaces whatever it held before, so do not point this at a slot you still need for something else.

3. Add your YubiKey challenge/response mechanism as a password for your LUKS disk:

   ```
   clevis luks bind -d <DEVICE> yubikey '{}'
   ```

   (substitute your partition/device for `<DEVICE>`, like `/dev/sda5`). You will be prompted for the existing LUKS passphrase; the bind adds a new key slot protected by the YubiKey and leaves the passphrase slot in place.

4. Obtain the UUID for your device, and edit `/etc/crypttab` to tell the initramfs that it needs decryption:

   - Run `blkid` and find the UUID of your device in its output (the `UUID="..."` value on the line for your device, not the `PARTUUID`).
   - Add a line to `/etc/crypttab`:

     ```
     luksDevice UUID=<UUID> none
     ```

     (`luksDevice` is an arbitrary name and can be whatever you like; it will show up that way in `/dev/mapper`. Substitute `<UUID>` for the disk UUID found with `blkid`. The second field must carry the `UUID=` prefix, and the third field `none` means there is no key file, so the passphrase prompt remains available when the YubiKey is absent.)

5. Regenerate the initramfs so the drive is decrypted/opened using the YubiKey when the system boots:

   ```
   dracut -v --force --regenerate-all
   ```

   Examine the output of this command and ensure `Including module: clevis-pin-yubikey` is present. Without that module in the initramfs, decryption will not happen automatically upon reboot.

6. Reboot and test with the YubiKey inserted, and then without. With the YubiKey absent, automatic unlocking should fail and the system should prompt for the original LUKS passphrase.

   Be sure to test both modes of decryption, with the YubiKey present and with the original passphrase. No hardware lasts forever!
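The six steps above as one script, added here as an example; it is not part of this package or of clevis.go. It assumes root on a Rocky Linux host with clevis, clevis-pin-yubikey, yubikey-personalization (`ykpersonalize`) and dracut installed, a device that is already LUKS-formatted with its passphrase saved, and a crypttab line of the form `name UUID=<uuid> none`. The helpers that parse `blkid` output, build the crypttab line and scan the `dracut -v` log can be exercised without a disk or a YubiKey; the real enrollment only runs when the guard variable `CLEVIS_YK_ENROLL=1` is set (both the variable name and the file name `enroll.sh` are choices made for this example), e.g. `CLEVIS_YK_ENROLL=1 sh enroll.sh /dev/sda5 luksDevice`.

```shell
#!/bin/sh
# Added example (not part of this package): the enrollment steps as one
# script, with the checks worth running before trusting it across a reboot.
# Assumptions: root on Rocky Linux with clevis, clevis-pin-yubikey,
# yubikey-personalization and dracut installed; the device is already
# LUKS-formatted and its passphrase is saved somewhere safe.
set -e

# Pull the UUID for one device out of plain "blkid" output, which prints one
# line per device:  /dev/sda5: UUID="..." TYPE="crypto_LUKS" PARTUUID="..."
# The whitespace required before UUID= keeps PARTUUID="..." from matching.
uuid_for_device() {
    # $1: blkid output, $2: device path such as /dev/sda5
    printf '%s\n' "$1" | grep "^$2: " \
        | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p' | head -n 1
}

# Build the crypttab line: mapper name, UUID= device spec, and "none" in the
# key file field so the passphrase prompt stays available as the fallback.
crypttab_line() {
    printf '%s UUID=%s none\n' "$1" "$2"
}

# Append the line only if no entry for that UUID exists yet, so re-running
# the script never leaves duplicates. $3 is the crypttab path (parameterised
# so the function can be exercised against a scratch file).
ensure_crypttab_entry() {
    if grep -q "UUID=$2" "$3" 2>/dev/null; then
        return 0
    fi
    crypttab_line "$1" "$2" >> "$3"
}

# dracut -v names every module it pulls in; the YubiKey pin must be among
# them or the initramfs will never try the key at boot.
dracut_included_yubikey_pin() {
    printf '%s\n' "$1" | grep -q 'Including module: clevis-pin-yubikey'
}

# The real procedure. Runs only when CLEVIS_YK_ENROLL=1 is set, so sourcing
# or testing this file touches neither a disk nor a YubiKey.
enroll() {
    dev="$1"
    name="$2"

    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }

    # Slot 1 becomes an HMAC-SHA1 challenge/response slot (replaces its old config).
    ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

    # Prompts for the existing passphrase and adds a YubiKey-protected key slot.
    clevis luks bind -d "$dev" yubikey '{}'
    clevis luks list -d "$dev" | grep -q yubikey \
        || { echo "bind did not register a yubikey pin on $dev" >&2; return 1; }

    uuid=$(uuid_for_device "$(blkid)" "$dev")
    [ -n "$uuid" ] || { echo "no UUID found for $dev" >&2; return 1; }
    ensure_crypttab_entry "$name" "$uuid" /etc/crypttab

    # Rebuild every initramfs and verify the pin module really went in.
    out=$(dracut -v --force --regenerate-all 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    dracut_included_yubikey_pin "$out" \
        || { echo "clevis-pin-yubikey was not included in the initramfs" >&2; return 1; }

    echo "Enrolled $dev as /dev/mapper/$name."
    echo "Reboot with the YubiKey inserted, then once more without it to confirm the passphrase fallback."
}

if [ "${CLEVIS_YK_ENROLL:-0}" = 1 ]; then
    enroll "${1:-/dev/sda5}" "${2:-luksDevice}"
fi
```

The pure helpers are where the mistakes in this procedure usually hide: grabbing the `PARTUUID` instead of the LUKS `UUID`, writing a bare UUID into crypttab, or assuming the initramfs picked up the pin module without reading the dracut log.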
The scripts that form the core of this plugin were originally forked from https://github.com/anatol/clevis.go and modified by CIQ to work with the packages available in Rocky Linux