NAME

yubikey-luks-enroll - enroll your yubikey for usage with LUKS

SYNOPSIS

yubikey-luks-enroll [ -s 3 ] [ -d /dev/sda6 ] [ -c ]

DESCRIPTION

With this tool you can take a YubiKey with challenge-response enabled on slot 2 to add a LUKS / cryptsetup key slot.

Your chosen PIN or password, plus your YubiKey can generate a response that is added as a key to the cryptsetup disk.

On the next boot you can insert your YubiKey into a USB slot, enter your password, to unlock the disk. Alternatively you can enter any other passphrase that is valid for that disk.

OPTIONS

The following options change the behavior of the tool.

-h

Show summary of options.

-s

The LUKS slot to save the passphrase to. (default: 7)

-c

Clear the chosen LUKS slot at first.

-d

The disk device to work with (default: /dev/sda3)

PREREQUISITES

Before adding the Yubikey to the LUKS slot, you need to initialize your Yubikey. You can do so using the privacyIDEA management system or simply by using the command line. The following command will create a key for challenges response in Yubikey slot 2:

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

After this, you can use yubikey-luks-enroll to assign this Yubikey to an LUKS slot.

SEE ALSO

cryptsetup(1), ykpersonalize(1), ykchalresp(1).