YubiKey based Full Disk Encryption (FDE) on Void Linux (luks1)


This is an experiment, do not try this on your main device. Backup your important data.

If you want to correct or add something, please contact me.

Disclaimer

A more modern solution would be luks2 with a proper pre-boot authentication (PBA). But as the current grub version on void (2.12) doesn’t yet support argon2 (that arrives in 2.14), I rely on luks1.

Prerequisites

General process

First, install required packages

doas xbps-install -S clevis ykpers go nettle-tools xxd

Then clone the required plugins for clevis, build and move them to /usr/bin

git clone https://github.com/anatol/clevis.go clevis-go
cd clevis-go
go build
doas mv clevis-encrypt-yubikey clevis-decrypt-yubikey /usr/bin

If you previously skipped the initramfs decryption prompt with a keyfile, remove that keyfile from the boot partition now, because the boot partition is unencrypted and the keyfile sits there in the clear.

Enroll the YubiKey with clevis. Use the first or the second challenge-response slot. Replace xxxxx with the actual partition name.

doas clevis luks bind -d /dev/xxxxx yubikey '{"slot":2}'

This should create a luksmeta header and add a key to a LUKS keyslot. You can view the changes using doas cryptsetup luksDump /dev/xxxxx and doas luksmeta show -d /dev/xxxxx

Next, configure dracut. Add required binaries to a custom config.

File /etc/dracut.conf.d/11-yubi.conf:

install_items+=" /usr/bin/nettle-pbkdf2 /usr/bin/xxd /usr/bin/clevis-decrypt-yubikey /usr/bin/ykchalresp /usr/bin/ykinfo "

I’m not sure if the following is necessary, but I also added:

add_dracutmodules+=" clevis "

Rebuild initramfs: doas dracut -f
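A pre-flight check for the dracut drop-in, added here as an example and not part of the original guide: it parses every install_items+=" ... " line of a dracut config file and reports which of the listed binaries are missing or not executable, so a typo in 11-yubi.conf is caught before doas dracut -f rather than at the pre-boot YubiKey prompt. The optional ROOT argument (an assumption of this example, not a dracut feature) is prefixed to every path so the check can also be run against a staging tree.

```shell
#!/bin/sh
# check-yubi-dracut.sh (added example, not from the original guide)
# Verifies that every binary named in install_items+="..." lines of a dracut
# config exists and is executable before the initramfs is rebuilt.

# Print the paths listed in install_items+="..." lines of CONF, one per line.
# Comment lines and other keys are ignored.
dracut_install_items() {
    conf=$1
    sed -n 's/^[[:space:]]*install_items+=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$conf" |
    while read -r line; do
        # read strips the leading/trailing blanks inside the quotes;
        # word splitting on the default IFS yields one path per item
        for item in $line; do
            printf '%s\n' "$item"
        done
    done
}

# Print each listed path that is not an executable file.
# ROOT (second argument, optional; an assumption of this example) is prefixed
# to every path so a staging tree can be checked instead of the live system.
# Returns 0 when everything is present, 1 otherwise.
missing_install_items() {
    conf=$1
    root=${2:-}
    status=0
    for item in $(dracut_install_items "$conf"); do
        if [ ! -x "$root$item" ]; then
            printf '%s\n' "$item"
            status=1
        fi
    done
    return "$status"
}

# Only run the report when executed directly (sh ./check-yubi-dracut.sh), so
# the functions above can also be sourced from another script.
if [ "${0##*/}" = "check-yubi-dracut.sh" ]; then
    if missing=$(missing_install_items /etc/dracut.conf.d/11-yubi.conf); then
        echo "all install_items present; safe to run: doas dracut -f"
    else
        echo "missing or non-executable install_items:"
        echo "$missing"
        exit 1
    fi
fi
```

Run it after editing /etc/dracut.conf.d/11-yubi.conf and before doas dracut -f; a non-zero exit lists the offending paths. Checking the paths on the host is the right test because dracut copies install_items from the host filesystem, so anything absent here will also be absent from the initramfs and the YubiKey prompt will fail at boot.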

Debug

If you changed the LUKS header (meta) in some way, the YubiKey prompt may fail with something like “yubikey not found.” Use luksmeta to debug, or just nuke the meta and redo the binding with clevis.