Paul Wouters <paul@xxxxxxxxxxxxx> writes: > On Fri, 8 Oct 2010, Nathanael D. Noblet wrote: > >> On 10/07/2010 10:58 PM, Paul Wouters wrote: >>> One usage of yubikey I would like very much is as storage for the AES >>> encryption key for disk encryption. I'd prefer the disk crypto key to >>> not be on the disk at all, protected by just a passphrase. It would be >>> nice to have it on a yubikey instead. >> >> I just ordered a yubikey for this express purpose, we have a product >> under development that has an encrypted partition that gets decrypted by >> a key on a USB thumbdrive - not the best... When I saw these I >> immediately thought I should see about getting them used to unlock >> encrypted partitions!... I'll keep you informed. > > Note that yubikeys are not (yet) usable for this. You cannot request the > AES key from it (AFAIK), only an OTP. And the OTP can also not be used to unlock > an AES key on the harddisk because it is different for each activation. The YubiKey with firmware 2.2 (latest) supports an challenge-response HMAC-SHA1 mode that probably can be used for this. You feed a pass phrase to the YubiKey, and it responds with a static string generated from the pass phrase using HMAC-SHA1. It will be the same output every time if the input is the same. The output would then be used as the encryption key. Of course, you still need to trust the software on your machine to not leak the HMAC-SHA1 output.. If anyone is trying something like this, I'm interested to hear about progress. Encrypting disks assisted with an external device is something I'd like to see. /Simon -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
