Re: cryptsetup Yubikey challenge-response support

Thanks for including me. So based on my research there would be two ways to do this:

1) Use libykpers; support for other vendor keys was added in version 1.20.0. This is how both OnlyKey and Yubikey are supported by Keepassxc - https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKey.cpp#L82

You could definitely use this method right now and both OnlyKey and Yubikey would be supported. However, Nitrokey does not support this method right now; I am not sure if they would implement this feature or not.

2) Use FIDO2 HMACSHA1 using something like this - https://github.com/Yubico/python-fido2, OnlyKey, YubiKey, and Nitrokey would support the HmacSecret extension here - https://github.com/Yubico/python-fido2/blob/master/examples/hmac_secret.py

There are tradeoffs to each approach. Benefits of 1) are that it's already well tested and stable, is a standard C library, and works without needing a udev rule since the challenge-response is actually sent via the USB keyboard interface. Benefits of 2): it would support more hardware tokens, and you could probably also have more secrets; with libykpers there is only support for 2 slots, meaning 2 HMAC keys.

So really it would take some research to decide which way to go. I would be happy to assist with integration of OnlyKey and testing.

Tim Steiner

CISSP-ISSAP, C|EH, OSCP, PMP

Email: T@xxxxxx

CryptoTrust | crp.to

Send me a secure message or file
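To make the flow discussed above concrete, here is an added example (not code from this thread, from cryptsetup, libykpers or python-fido2) of how a token's HMAC challenge-response would feed a keyslot: a random per-volume challenge is stored in the header, the token answers with HMAC(secret, challenge), and that response plus an optional PIN becomes the passphrase cryptsetup is given, while the backup-password keyslot is left alone. The token is simulated in software (the `SimulatedHmacToken` class and all function names are assumptions); a YubiKey-style slot is modelled as HMAC-SHA1 over at most 64 bytes and a FIDO2 hmac-secret credential as HMAC-SHA256 over a 32-byte salt.

```python
import hashlib
import hmac
import secrets


class SimulatedHmacToken:
    """Stand-in for a hardware token (constructed for this example, no real hardware access).
    A YubiKey-style HMAC-SHA1 slot holds a 20-byte secret; a FIDO2 hmac-secret credential
    answers with HMAC-SHA256 over a 32-byte salt. Either way the secret never leaves the token."""

    def __init__(self, slot_secrets, digest="sha1"):
        self._slots = dict(slot_secrets)  # slot number -> secret, kept private to the "token"
        self._digest = digest

    def challenge_response(self, slot, challenge):
        if not 1 <= len(challenge) <= 64:  # YubiKey HMAC-SHA1 slots accept at most 64 bytes
            raise ValueError("challenge must be 1..64 bytes")
        if slot not in self._slots:
            raise KeyError("slot %r is not programmed for challenge-response" % slot)
        return hmac.new(self._slots[slot], challenge, self._digest).digest()


def derive_keyslot_passphrase(token, slot, challenge, pin=b""):
    """Turn the token response into the passphrase handed to cryptsetup for one keyslot.
    The challenge is public (it lives in the header); the PIN adds a second factor so a
    lost token alone does not unlock the volume. PBKDF2 here is illustrative only:
    cryptsetup's own keyslot KDF still runs on whatever passphrase it receives."""
    response = token.challenge_response(slot, challenge)
    return hashlib.pbkdf2_hmac("sha256", response + pin, challenge, 10000, 32)


def enroll_token(token, slot, pin=b""):
    """Enrollment: pick a fresh random challenge for this volume and derive the passphrase.
    Returns header metadata to persist plus the passphrase to add as a new keyslot
    (next to the existing backup-password keyslot, which is not touched)."""
    challenge = secrets.token_bytes(32)  # fits both YubiKey (<=64 bytes) and FIDO2 (32-byte salt)
    metadata = {"type": "hmac-challenge", "slot": slot, "challenge": challenge.hex()}
    return metadata, derive_keyslot_passphrase(token, slot, challenge, pin)


def unlock_with_token(token, metadata, pin=b""):
    """Boot-time path: regenerate the same passphrase from header metadata and the token."""
    challenge = bytes.fromhex(metadata["challenge"])
    return derive_keyslot_passphrase(token, metadata["slot"], challenge, pin)


if __name__ == "__main__":
    yk = SimulatedHmacToken({2: secrets.token_bytes(20)}, "sha1")  # YubiKey-style slot 2
    meta, enrolled = enroll_token(yk, 2, pin=b"1234")
    assert unlock_with_token(yk, meta, pin=b"1234") == enrolled
    print("keyslot passphrase regenerated from stored challenge + token response")
```

A different token, or the same token with a different PIN, yields a different passphrase, which is why the challenge can sit in the clear in the header.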





---- On Wed, 08 Apr 2020 06:06:44 -0400 Nikolay Kichukov <hijacker@xxxxxxxxx> wrote ----

I am also interested, HMAC/SHA challenge-response for OnlyKey would be a
great addition to cryptsetup.

I do not think this should be a product-specific implementation, but
general for all hardware tokens that support it: OnlyKey, Yubikey,
Nitrokey, etc.

Adding Tim here, who is the maintainer of the OnlyKey project and may be
interested.

Thanks,
-Nik

On 4/8/20 10:37 AM, 7heo wrote:
> Hello,
>
> I believe this is a very good idea, but the implementation should not be limited to yubikey. There are other solutions out there (nitrokey is one) that would also need to be supported IMHO.
>
> In addition, I would favor the implementation support of bare usb keys (mass storage), for those of us who wish to use their already-owned encrypted mass storage keys in order to unlock their drive.
>
> I had started to implement this (the latter part) in the Alpine Linux initramfs some years ago but given the complexity of the task and the lack of public interest, coupled with FOSS politics, I gave up on it.
>
> If you start working on an implementation, I'd be curious to see that and I could eventually participate.
>
> Also, your email looks just fine to me :)
>
> Cheers,
> 7heo
>
> On Apr 8, 2020 09:54, Dan Farrell <djfarrell@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> Hopefully this email comes through without HTML and properly wrapped,
>> sorry if it doesn't.
>>
>> I am wondering if any group has started or is interested in adding
>> Yubikey challenge-response support to cryptsetup?
>>
>> The idea would be to add the option to insert a USB key to (optionally
>> automagically) unlock at boot time (or whenever cryptsetup is
>> running). There would be a backup password of course.
>>
>> I'm interested in doing this for myself if it's not underway at the
>> moment. I have some basic ideas on how to do this. I do realise this
>> could be done external to cryptsetup with distro support, but doing
>> that messing around with initramfs etc sounds painful, let alone each
>> distro would need to be supported individually.
>>
>> If it's of no interest, that's ok, I'll do it for myself. But if there
>> is interest I would be willing to work with maintainers to find the
>> best way to do this and contribute the effort.
>>
>> Regards,
>>
>> Dan Farrell
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@xxxxxxxx
>> https://www.saout.de/mailman/listinfo/dm-crypt


