Use Yubikey to unlock LUKS on Root partition

Hello,
I want to decrypt my LUKS encrypted root partition with my yubikey.
Currently the boot and boot/efi are decrypted while the root is encrypted.
This causes me to be prompted for the LUKS passphrase after I select Garuda Linux from the grub menu. This is as intended.

What I’ve tried:

  • yubikey setup as FIDO2 on ykman gui
  • changed LUKS encryption to LUKS2
  • sudo cryptsetup token add --type systemd-fido2 --key-slot=0 --key-description="my-fido2-key" /dev/nvme0n1p7

  • created file /etc/dracut.conf.d/yubikey-fido2.conf with contents:
# Enable systemd-fido2 support
add_drivers+=" fido2 "
add_dracutmodules+="crypt systemd"
add_drivers+="hid_generic usbhid xhci_pci"

Then

sudo dracut --force
reboot

Failed boot with Yubikey from /var/log/boot.log:

------------ Mon Nov 13 00:33:17 PST 2023 ------------
[  OK  ] Started Show Plymouth Boot Screen.
[  OK  ] Found device Samsung SSD 980 PRO 1TB 7.
[  OK  ] Started Forward Password Requests to Plymouth Directory Watch.
[  OK  ] Reached target Smart Card.
Activating swap Compressed Swap on /dev/zram0...
Starting Cryptography Setup for luks-swap...
Starting File System Check on /dev/disk/by-uuid/D9CB-58FF...
[  OK  ] Finished File System Check on /dev/disk/by-uuid/D9CB-58FF.
[  OK  ] Stopped Virtual Console Setup.
Stopping Virtual Console Setup...
Starting Virtual Console Setup...
[  OK  ] Created slice Slice /system/systemd-backlight.
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save Screen Backlight Brightness of leds:platform::kbd_backlight...
Starting Load/Save RF Kill Switch Status...
[  OK  ] Activated swap Compressed Swap on /dev/zram0.
[  OK  ] Reached target Swaps.
[  OK  ] Finished Load/Save Screen Backlight Brightness of leds:platform::kbd_backlight.
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Finished Virtual Console Setup.
Starting Load Kernel Module dm_mod...
Starting Load Kernel Module loop...
[  OK  ] Finished Load Kernel Module dm_mod.
[  OK  ] Finished Load Kernel Module loop.
Starting Load Kernel Module dm_mod...
Starting Load Kernel Module loop...
[  OK  ] Finished Load Kernel Module dm_mod.
[  OK  ] Finished Load Kernel Module loop.
Mounting /boot...
Mounting /tmp...
[  OK  ] Mounted /tmp.
[  OK  ] Mounted /boot.
Mounting /boot/efi...
Starting Load Kernel Module dm_mod...
Starting Load Kernel Module loop...
[  OK  ] Finished Load Kernel Module dm_mod.
[  OK  ] Mounted /boot/efi.
[  OK  ] Finished Load Kernel Module loop.
[  OK  ] Reached target Local File Systems.
Starting Tell Plymouth To Write Out Runtime Data...
Starting Set Up Additional Binary Formats...
Starting Create Volatile Files and Directories...
Mounting Arbitrary Executable File Formats File System...
[  OK  ] Mounted Arbitrary Executable File Formats File System.
[  OK  ] Finished Set Up Additional Binary Formats.
[  OK  ] Finished Tell Plymouth To Write Out Runtime Data.
[  OK  ] Finished Create Volatile Files and Directories.
Starting Userspace Out-Of-Memory (OOM) Killer...
Starting Network Time Synchronization...
Starting Record System Boot/Shutdown in UTMP...
[  OK  ] Finished Record System Boot/Shutdown in UTMP.
[  OK  ] Started Network Time Synchronization.
[  OK  ] Reached target System Time Set.
[  OK  ] Started Userspace Out-Of-Memory (OOM) Killer.
[FAILED] Failed to start Cryptography Setup for luks-swap.
See 'systemctl status "systemd-cryptsetup@luks\\x2dswap.service"' for details.
[DEPEND] Dependency failed for Local Encrypted Volumes.

systemctl status "systemd-cryptsetup@luks\x2dswap.service"
Unit systemd-cryptsetup@luks\x2dswap.service could not be found.
^ this could be the issue


sudo cat /etc/crypttab
[sudo] password for hardene:
# /etc/crypttab: mappings for encrypted partitions.
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# See crypttab(5) for the supported syntax.
#
# NOTE: You need not list your root (/) partition here, but it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf). The same applies
#       to encrypted swap, which should be set up with mkinitcpio-openswap
#       for resume support.
#
# <name>               <device>                         <password> <options>
luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7 UUID=09eab190-cdfe-41c7-9c52-13c4350ae0a7 none luks,token_type=systemd-fido2

lsblk -f
NAME                   FSTYPE FSVER LABEL      UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
zram0                                                                                              [SWAP]
nvme0n1
├─nvme0n1p1            ntfs         WINRE_DRV  042EA7DD2EA7C650
├─nvme0n1p2            vfat   FAT32 SYSTEM_DRV BAA4-675F
├─nvme0n1p3
├─nvme0n1p4            BitLoc 2
├─nvme0n1p5            btrfs        boot       40a8c0da-6397-430e-b5e9-9b4f3193c50b  799.7M    11% /boot
├─nvme0n1p6            vfat   FAT32            D9CB-58FF                             476.3M     7% /boot/efi
└─nvme0n1p7            crypto 2                09eab190-cdfe-41c7-9c52-13c4350ae0a7
  └─luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7
                       btrfs                   ba36aca1-7437-429c-8dfc-db04d64233f7  450.4G     2% /var/cache
                                                                                                   /var/tmp
                                                                                                   /var/log
                                                                                                   /srv
                                                                                                   /home
                                                                                                   /root
                                                                                                   /
sudo cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a device; this may
# be used with UUID= as a more robust way to name devices that works even if
# disks are added and removed. See fstab(5).
#
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
UUID=40a8c0da-6397-430e-b5e9-9b4f3193c50b /boot          btrfs   defaults,noatime,compress=zstd 0 0
UUID=D9CB-58FF                            /boot/efi      vfat    defaults,noatime 0 2
/dev/mapper/luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7 /              btrfs   subvol=/@,defaults,noatime,compress=zstd 0 0
/dev/mapper/luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7 /home          btrfs   subvol=/@home,defaults,noatime,compress=zstd 0 0
/dev/mapper/luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7 /root          btrfs   subvol=/@root,defaults,noatime,compress=zstd 0 0
/dev/mapper/luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7 /srv           btrfs   subvol=/@srv,defaults,noatime,compress=zstd 0 0
/dev/mapper/luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7 /var/cache     btrfs   subvol=/@cache,defaults,noatime,compress=zstd 0 0
/dev/mapper/luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7 /var/log       btrfs   subvol=/@log,defaults,noatime,compress=zstd 0 0
/dev/mapper/luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7 /var/tmp       btrfs   subvol=/@tmp,defaults,noatime,compress=zstd 0 0
tmpfs                                     /tmp           tmpfs   defaults,noatime,mode=1777 0 0

cryptsetup --version
cryptsetup 2.6.1 flags: UDEV BLKID KEYRING KERNEL_CAPI

ykman --version
YubiKey Manager (ykman) version: 5.2.1

ykman info

Device type: YubiKey 5 NFC
Serial number: 20603111
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB             NFC
OTP             Enabled         Enabled
FIDO U2F        Enabled         Enabled
FIDO2           Enabled         Enabled
OATH            Enabled         Enabled
PIV             Enabled         Enabled
OpenPGP         Enabled         Enabled
YubiHSM Auth    Disabled        Disabled
garuda-inxi
System:
Kernel: 6.6.2-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 13.2.1
clocksource: tsc available: acpi_pm parameters: BOOT_IMAGE=/vmlinuz-linux-zen
root=UUID=ba36aca1-7437-429c-8dfc-db04d64233f7 rw rootflags=subvol=@
quiet rd.luks.uuid=09eab190-cdfe-41c7-9c52-13c4350ae0a7 loglevel=3
ibt=off
Desktop: KDE Plasma v: 5.27.9 tk: Qt v: 5.15.11 wm: kwin_wayland vt: 1
dm: SDDM Distro: Garuda Linux base: Arch Linux
Machine:
Type: Convertible System: LENOVO product: 82R7 v: IdeaPad Flex 5 14IAU7
serial: <superuser required> Chassis: type: 31 v: IdeaPad Flex 5 14IAU7
serial: <superuser required>
Mobo: LENOVO model: LNVNB161216 v: SDK0T76463 WIN
serial: <superuser required> UEFI: LENOVO v: J7CN44WW date: 05/24/2023
Battery:
ID-1: BAT0 charge: 41.8 Wh (79.5%) condition: 52.6/52.5 Wh (100.1%)
volts: 12.5 min: 11.5 model: SMP L21M3PE0 type: Li-poly serial: <filter>
status: not charging cycles: 56
CPU:
Info: model: 12th Gen Intel Core i5-1235U bits: 64 type: MST AMCP
arch: Alder Lake level: v3 note: check built: 2021+
process: Intel 7 (10nm ESF) family: 6 model-id: 0x9A (154) stepping: 4
microcode: 0x430
Topology: cpus: 1x cores: 10 mt: 2 tpc: 2 st: 8 threads: 12 smt: enabled
cache: L1: 928 KiB desc: d-8x32 KiB, 2x48 KiB; i-2x32 KiB, 8x64 KiB
L2: 6.5 MiB desc: 2x1.2 MiB, 2x2 MiB L3: 12 MiB desc: 1x12 MiB
Speed (MHz): avg: 560 high: 2072 min/max: 400/4400:3300 scaling:
driver: intel_pstate governor: performance cores: 1: 400 2: 400 3: 400
4: 2072 5: 400 6: 400 7: 657 8: 400 9: 400 10: 400 11: 400 12: 400
bogomips: 59904
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Vulnerabilities: <filter>
Graphics:
Device-1: Intel Alder Lake-UP3 GT2 [Iris Xe Graphics] vendor: Lenovo
driver: i915 v: kernel arch: Gen-12.2 process: Intel 10nm built: 2021-22+
ports: active: eDP-1 empty: DP-1,DP-2,HDMI-A-1 bus-ID: 00:02.0
chip-ID: 8086:46a8 class-ID: 0300
Device-2: Bison Integrated Camera driver: uvcvideo type: USB rev: 2.0
speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 3-6:3 chip-ID: 5986:214d
class-ID: fe01 serial: <filter>
Display: wayland server: X.org v: 1.21.1.9 with: Xwayland v: 23.2.2
compositor: kwin_wayland driver: X: loaded: modesetting
alternate: fbdev,intel,vesa dri: iris gpu: i915 display-ID: 0
Monitor-1: eDP-1 res: 1536x960 size: N/A modes: N/A
API: EGL v: 1.5 hw: drv: intel iris platforms: device: 0 drv: iris
device: 1 drv: swrast surfaceless: drv: iris wayland: drv: iris x11:
drv: iris inactive: gbm
API: OpenGL v: 4.6 compat-v: 4.5 vendor: intel mesa v: 23.2.1-arch1.2
glx-v: 1.4 direct-render: yes renderer: Mesa Intel Graphics (ADL GT2)
device-ID: 8086:46a8 memory: 14.83 GiB unified: yes display-ID: :1.0
API: Vulkan v: 1.3.269 layers: 9 device: 0 type: integrated-gpu name: Intel
Graphics (ADL GT2) driver: mesa intel v: 23.2.1-arch1.2
device-ID: 8086:46a8 surfaces: xcb,xlib,wayland device: 1 type: cpu
name: llvmpipe (LLVM 16.0.6 256 bits) driver: mesa llvmpipe
v: 23.2.1-arch1.2 (LLVM 16.0.6) device-ID: 10005:0000
surfaces: xcb,xlib,wayland
Audio:
Device-1: Intel Alder Lake PCH-P High Definition Audio vendor: Lenovo
driver: sof-audio-pci-intel-tgl
alternate: snd_hda_intel,snd_sof_pci_intel_tgl bus-ID: 00:1f.3
chip-ID: 8086:51c8 class-ID: 0401
API: ALSA v: k6.6.2-zen1-1-zen status: kernel-api with: aoss
type: oss-emulator tools: N/A
Server-1: PipeWire v: 0.3.85 status: active with: 1: pipewire-pulse
status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: Intel Alder Lake-P PCH CNVi WiFi driver: iwlwifi v: kernel
bus-ID: 00:14.3 chip-ID: 8086:51f0 class-ID: 0280
IF: wlp0s20f3 state: up mac: <filter>
Bluetooth:
Device-1: Intel AX201 Bluetooth driver: btusb v: 0.8 type: USB rev: 2.0
speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 3-10:5 chip-ID: 8087:0026
class-ID: e001
Report: btmgmt ID: hci0 rfk-id: 2 state: down bt-service: enabled,running
rfk-block: hardware: no software: no address: <filter> bt-v: 5.2 lmp-v: 11
status: discoverable: no pairing: no
Drives:
Local Storage: total: 931.51 GiB used: 10.56 GiB (1.1%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Samsung model: SSD 980 PRO 1TB
size: 931.51 GiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s
lanes: 4 tech: SSD serial: <filter> fw-rev: 5B2QGXA7 temp: 48.9 C
scheme: GPT
Partition:
ID-1: / raw-size: 462.09 GiB size: 462.09 GiB (100.00%)
used: 10.42 GiB (2.3%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7
ID-2: /boot raw-size: 1 GiB size: 1 GiB (100.00%) used: 111.9 MiB (10.9%)
fs: btrfs dev: /dev/nvme0n1p5 maj-min: 259:5
ID-3: /boot/efi raw-size: 512 MiB size: 511 MiB (99.80%)
used: 34.7 MiB (6.8%) fs: vfat dev: /dev/nvme0n1p6 maj-min: 259:6
ID-4: /home raw-size: 462.09 GiB size: 462.09 GiB (100.00%)
used: 10.42 GiB (2.3%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7
ID-5: /var/log raw-size: 462.09 GiB size: 462.09 GiB (100.00%)
used: 10.42 GiB (2.3%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7
ID-6: /var/tmp raw-size: 462.09 GiB size: 462.09 GiB (100.00%)
used: 10.42 GiB (2.3%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7
Swap:
Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
ID-1: swap-1 type: zram size: 15.19 GiB used: 768 KiB (0.0%) priority: 100
comp: zstd avail: lzo,lzo-rle,lz4,lz4hc,842 max-streams: 12 dev: /dev/zram0
Sensors:
System Temperatures: cpu: 48.0 C mobo: N/A
Fan Speeds (rpm): N/A
Info:
Processes: 306 Uptime: 17m wakeups: 0 Memory: total: 16 GiB note: est.
available: 15.19 GiB used: 3.4 GiB (22.4%) Init: systemd v: 254
default: graphical tool: systemctl Compilers: gcc: 13.2.1 Packages:
pm: pacman pkgs: 1811 libs: 526 tools: octopi,paru Shell: fish v: 3.6.1
running-in: konsole inxi: 3.3.31
Garuda (2.6.19-2):
System install date:     2023-11-22
Last full system update: 2023-11-23
Is partially upgraded:   No
Relevant software:       snapper NetworkManager dracut
Windows dual boot:       Probably (Run as root to verify)
Failed units:
1 Like

Try:

sudo dracut-rebuild

I did this and it showed that my /etc/dracut.conf.d/yubikey-fido2.conf file had some errors.

I corrected it to be

add_drivers+=" hid_generic usbhid xhci_pci cryptd "

That allowed dracut-rebuild to run successfully. I rebooted and tried to use the yubikey for the passphrase but it did not work.

The log said to run this command to check the error:

systemd-cryptsetup@luks\x2d09eab190\x2dcdfe\x2d41c7\x2d9c52\x2d13c4350ae0a7.service - Cryptography Setup for luks-09eab190-cdfe-41c7-9c52-13c4350ae0>
Loaded: loaded (/etc/crypttab; generated)
Active: active (exited) since Thu 2023-11-23 20:35:15 PST; 7min ago
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Main PID: 467 (code=exited, status=0/SUCCESS)
CPU: 18.589s

Nov 23 20:34:22 Lenovo-Garuda systemd[1]: Starting Cryptography Setup for luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7...
Nov 23 20:34:22 Lenovo-Garuda systemd-cryptsetup[467]: Encountered unknown /etc/crypttab option 'token_type=systemd-fido2', ignoring.
Nov 23 20:34:42 Lenovo-Garuda systemd-cryptsetup[467]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/09eab190-cdfe->
Nov 23 20:34:46 Lenovo-Garuda systemd-cryptsetup[467]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Nov 23 20:34:48 Lenovo-Garuda systemd-cryptsetup[467]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/09eab190-cdfe->
Nov 23 20:34:53 Lenovo-Garuda systemd-cryptsetup[467]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Nov 23 20:35:13 Lenovo-Garuda systemd-cryptsetup[467]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/09eab190-cdfe->
Nov 23 20:35:15 Lenovo-Garuda systemd[1]: Finished Cryptography Setup for luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7.

This is basically just saying the passphrase didn't work. It was the passphrase that the yubikey put in. I'm not sure if this is how FIDO2 is supposed to work. Is there a specific way that FIDO2 has to be set up? Garuda looks like it supports FIDO2 since there are setup files for it.

I have never set this up myself so I am not sure. But the author's blog post has a couple of steps that differ from how you have it. Here they have a systemd-cryptenroll step:

Let’s say you already have your LUKS2 volume set up, and previously unlocked it with a simple passphrase. Plug in your token, and run:

# systemd-cryptenroll --fido2-device=auto /dev/sda5

(Replace /dev/sda5 with the underlying block device of your volume).

They also describe setting up /etc/crypttab a little differently than how you have it:

Before we can unlock the volume with this at boot, we need to allow FIDO2 unlocking via /etc/crypttab. For that, find the right entry for your volume in that file, and edit it like so:

myvolume /dev/sda5 - fido2-device=auto

Replace myvolume and /dev/sda5 with the right volume name, and underlying device of course. Key here is the fido2-device=auto option you need to add to the fourth column in the file.

Like I said, I’m not sure but maybe that would be worth a shot.

3 Likes

That article is exactly what I needed. Thank you for your help. I could not find this when I was looking online. I was going through so many steps just to get it to work when it really was just a couple steps.

For any future people trying to do this:

  • Load a live USB and in that session change the LUKS encryption of your system partition to LUKS2. You will need your original passphrase for this. You are then done with the live USB
  • Back on the system, run this command

systemd-cryptenroll --fido2-device=auto /dev/sda5

  • changing sda5 to the LUKS partition you want to unlock with your yubikey
  • go to /etc/crypttab using your favorite text editor, with sudo, and add this line

myvolume /dev/sda5 - fido2-device=auto

  • your partition should have a name; copy that to myvolume and change sda5 to your LUKS partition. Save and quit
  • run this command when done to rebuild your initramfs and apply the changes to use your yubikey

sudo dracut-rebuild

Once done, reboot and you should be asked for your FIDO2 PIN when your yubikey is inserted. Then touch the presence sensor on the yubikey. Then you will be signed in.

Cheers!

4 Likes
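A pre-reboot sanity check for the procedure above, written as an added example (it is not code from this thread, from systemd or from Garuda). It validates an /etc/crypttab entry against the options systemd-cryptsetup understands, so the ignored `token_type=systemd-fido2` option from the first post is flagged, and inspects the JSON header metadata that `cryptsetup luksDump --dump-json-metadata` prints to confirm a systemd-fido2 token carrying a FIDO2 credential is bound to a keyslot. The crypttab lines, the header metadata and the placeholder credential values are constructed for this example; the field names `fido2-credential` and `fido2-salt` are assumed from what systemd-cryptenroll writes.

```python
"""Pre-reboot checks for a FIDO2-unlocked LUKS2 volume (added example, not from
this thread, systemd or Garuda). It catches what the thread tripped over: a
crypttab option systemd-cryptsetup ignores ('token_type=systemd-fido2') and a
token made with 'cryptsetup token add' that holds no FIDO2 credential."""
import json

# Subset of crypttab(5) options relevant to a FIDO2-unlocked volume.
KNOWN_OPTIONS = {"luks", "discard", "nofail", "headless", "token-timeout",
                 "fido2-device", "fido2-cid", "fido2-rp"}

def check_crypttab_line(line):
    """Return the problems in one crypttab entry ([] means it looks right)."""
    fields = line.split()
    if len(fields) < 4:
        return ["entry needs 4 columns: <name> <device> <password> <options>"]
    _name, _device, password, options = fields[:4]
    problems = []
    if password not in ("-", "none"):
        problems.append("password column should be '-' for FIDO2 unlock")
    opts = {o.split("=", 1)[0] for o in options.split(",")}
    for key in sorted(opts - KNOWN_OPTIONS):
        problems.append(f"unknown option '{key}' is ignored by systemd-cryptsetup")
    if "fido2-device" not in opts:
        problems.append("missing fido2-device=auto in the options column")
    return problems

def check_luks_tokens(dump_json):
    """Inspect 'cryptsetup luksDump --dump-json-metadata <dev>' output. Only LUKS2
    has this JSON area, so a successful dump already implies LUKS2. Returns []
    when a systemd-fido2 token with credential data is bound to a keyslot."""
    meta = json.loads(dump_json)
    fido2 = [t for t in meta.get("tokens", {}).values() if t.get("type") == "systemd-fido2"]
    if not fido2:
        return ["no systemd-fido2 token: run systemd-cryptenroll --fido2-device=auto"]
    problems = []
    for t in fido2:
        # systemd-cryptenroll stores credential id and salt; 'cryptsetup token add' does not.
        if not all(k in t for k in ("fido2-credential", "fido2-salt")):
            problems.append("token has no FIDO2 credential/salt (not enrolled)")
        if not any(k in meta.get("keyslots", {}) for k in t.get("keyslots", [])):
            problems.append("token is not bound to an existing keyslot")
    return problems

# Constructed samples: the thread's first crypttab entry, the working one, and
# trimmed header metadata for an enrolled token and for a bare token stub.
ORIGINAL_LINE = ("luks-09eab190-cdfe-41c7-9c52-13c4350ae0a7 "
                 "UUID=09eab190-cdfe-41c7-9c52-13c4350ae0a7 none luks,token_type=systemd-fido2")
WORKING_LINE = "myvolume /dev/sda5 - fido2-device=auto"
ENROLLED_DUMP = json.dumps({"keyslots": {"0": {}, "1": {}}, "tokens": {"0": {
    "type": "systemd-fido2", "keyslots": ["1"],
    "fido2-credential": "<placeholder>", "fido2-salt": "<placeholder>"}}})
STUB_DUMP = json.dumps({"keyslots": {"0": {}},
                        "tokens": {"0": {"type": "systemd-fido2", "keyslots": ["0"]}}})
```

Run it against the real /etc/crypttab line and the real `luksDump --dump-json-metadata` output before `sudo dracut-rebuild`, so a mistake is caught in a booted system rather than at the initramfs prompt.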
