Decrypting LUKS with YubiKey at boot time


#1 Post by haowenl »

Hi all,
I had a Debian 11 install and at install time, I used the guided partition option with LUKS enabled. At this point, I can input my password and decrypt the drive at boot time.
Then I followed this guide: https://wiki.debian.org/Smartcards/Yubi ... _boot_time.
Right now for some reason, I still see a command line prompt that asks for my original password (I didn't kill the slot so that I have a backup). After entering that password, I see the Debian GUI interface that prompts me to insert the YubiKey and input my YubiKey challenge password. So I'm trying to do these things:

1. How do I disable the initial prompt that asks me for my original password? What is that prompt trying to decrypt? (I thought it was decrypting my main partition, but how come I need to decrypt it again with the YubiKey?)
2. Now on the GUI prompt, I had to input my challenge password twice, once for my main partition and once for my swap partition. How would I configure it so that I only need to do that once? I guess I also don't understand why I didn't need to input my password twice before configuring the YubiKey.

Thank you so much in advance! :D

EDIT 1: I looked into it and discovered the use of crypt_keyfile.bin. If I understand correctly, I'm able to use 1 password to decrypt this file, and then use it to decrypt both partitions. Please correct me if I'm wrong, but this is what I feel is happening before I configured YubiKey. So I changed crypttab password column to none, but for some reason that does not resolve problem 1 above, which is surprising for me.
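The two questions above both come down to what each line of /etc/crypttab tells the initramfs to do: a volume whose key-file column is `none` stops at a console passphrase prompt, a volume with a `keyscript=` option hands the job to that script (the YubiKey challenge prompt), and a volume with a real key-file path is unlocked silently, provided the file is actually inside the initramfs. The script below is an added example, not code from the post or from the Debian wiki page it links to; it classifies each crypttab entry by its key source and counts how many interactive stops a boot will have. It assumes the standard four-column crypttab layout (target, source device, key file, options), treats `none` or `-` as "ask at the console", and uses the keyscript path /usr/share/yubikey-luks/ykluks-keyscript, which is the path Debian's yubikey-luks package installs (an assumption about that package, not something the post states). The sample crypttab is constructed to mirror the situation in the post: one volume already on the YubiKey keyscript, one still on the original passphrase, plus a third volume on a key file.

```shell
#!/bin/sh
# Added example (not from the forum post or the Debian wiki): classify each
# /etc/crypttab entry by how its key is obtained at boot, so you can see which
# volumes will stop at an interactive prompt and which unlock unattended.
#
# Assumptions: standard crypttab columns (name  device  keyfile  options),
# keyfile "none" or "-" meaning "ask at the console", and the yubikey-luks
# keyscript living at the path below (Debian package layout, assumed here).
YKLUKS_KEYSCRIPT=/usr/share/yubikey-luks/ykluks-keyscript

# Reads crypttab text on stdin and prints "<name> <mode>" per entry, where
#   yubikey   - ykluks keyscript asks for the YubiKey challenge passphrase
#   keyscript - some other keyscript supplies the key
#   prompt    - passphrase typed at the console (keyfile none or -)
#   keyfile   - key read from a file, which must be present in the initramfs
crypttab_modes() {
    while read -r name device keyfile options; do
        # skip blank lines and comments
        case "$name" in ''|'#'*) continue ;; esac
        case ",$options," in
            *",keyscript=$YKLUKS_KEYSCRIPT,"*) echo "$name yubikey" ;;
            *",keyscript="*)                   echo "$name keyscript" ;;
            *)
                case "$keyfile" in
                    none|-) echo "$name prompt" ;;
                    *)      echo "$name keyfile" ;;
                esac ;;
        esac
    done
}

# Number of entries (crypttab text on stdin) that will stop for input at
# boot: console passphrase prompts plus YubiKey challenge prompts.
count_prompts() {
    crypttab_modes | awk '$2 == "prompt" || $2 == "yubikey" { n++ } END { print n + 0 }'
}

# Constructed sample crypttab (UUIDs and the key-file path are made up):
# main volume on the YubiKey keyscript, swap still on the original
# passphrase, and a data volume unlocked from a key file.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda5_crypt UUID=11111111-2222-3333-4444-555555555555 none luks,discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
sda6_crypt UUID=66666666-7777-8888-9999-000000000000 none luks,swap
sdb1_crypt UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /crypt_keyfile.bin luks
'

# Demo run on the constructed sample (use: crypttab_modes < /etc/crypttab).
printf '%s' "$SAMPLE_CRYPTTAB" | crypttab_modes
printf 'interactive prompts at boot: %s\n' \
    "$(printf '%s' "$SAMPLE_CRYPTTAB" | count_prompts)"
```

On a real system run `crypttab_modes < /etc/crypttab`; every `prompt` and `yubikey` line is one stop during boot, which is why two volumes each on the keyscript ask for the challenge passphrase twice. Remember that the initramfs carries its own copy of crypttab and of any key file, so after editing the file run `update-initramfs -u`; otherwise the old configuration keeps being used at boot, which is one reason a change to the key-file column can appear to have no effect. You can confirm what the initramfs actually contains with `lsinitramfs /boot/initrd.img-$(uname -r) | grep -E 'crypttab|keyfile|ykluks'`.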
