@tschaefer
Created March 19, 2024 21:00
Yubikey for Debian root on native encrypted ZFS

Information

The following instructions add a second factor to unlocking a Debian root on natively encrypted ZFS: the pool's passphrase is replaced by the YubiKey's challenge-response output, so booting requires both the secret challenge you type and the YubiKey that answers it (with a touch).

For general setup please follow the instructions in the OpenZFS Documentation.

Prepare Yubikey

Install management tools.

$ apt install yubikey-manager yubikey-personalization

Program slot 2 in HMAC-SHA1 challenge-response mode with a randomly generated secret and require a touch before the YubiKey produces a response.

$ ykman otp chalresp --touch --generate 2

Prepare initramfs hook

Create the zfs-initramfs key-loading hook /etc/zfs/initramfs-tools-load-key. The zfs boot script sources it before falling back to the normal passphrase prompt, with $ZFS and $ENCRYPTIONROOT already set:

# Sourced by the zfs initramfs boot script, which provides $ZFS and
# $ENCRYPTIONROOT. Restore console echo if the prompt is interrupted.
trap 'stty echo' INT

# Read the challenge without echoing it to the console.
stty -echo
printf "ZFS rpool challenge: "
read -r CHALLENGE
stty echo
printf "\n"

# Send the challenge to slot 2 (the YubiKey must be touched) and use the
# HMAC response as the passphrase. printf instead of an unquoted echo passes
# the challenge bytes exactly as typed (no word splitting, no escape handling).
printf '%s\n' "$CHALLENGE" | ykchalresp -2 -i- | $ZFS load-key "${ENCRYPTIONROOT}"

Create the initramfs-tools hook /etc/initramfs-tools/hooks/yubikey-zfs, which copies the YubiKey tools into the initramfs. Make it executable (chmod +x); initramfs-tools only runs executable hooks.

#!/bin/sh
# initramfs-tools hook: copy the ykpers binaries used by the load-key hook
# into the initramfs. Must run after the zfs-initramfs hook.

set -e

PREREQ="zfs-initramfs"

prereqs()
{
    echo "$PREREQ"
}

case $1 in
    prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

# copy_exec also pulls in the shared libraries each binary links against.
copy_exec /usr/bin/ykchalresp
# ykinfo is not needed by the load-key hook; it is useful for checking the
# YubiKey from the initramfs rescue shell.
copy_exec /usr/bin/ykinfo

exit 0

Update initramfs

$ update-initramfs -u -v

Enroll Yubikey challenge-response

Set CHALLENGE to the secret challenge you will type at boot (reading it with read rather than putting it on the command line keeps it out of the shell history), then replace the pool's passphrase with the YubiKey's response to that challenge:

$ read -r CHALLENGE
$ printf '%s\n' "$CHALLENGE" | ykchalresp -2 -i- | zfs change-key rpool

From now on the previous passphrase no longer works: rpool can only be unlocked with the response this YubiKey (or another one programmed with the same slot 2 secret) produces for that challenge.
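Before rebooting it is worth confirming that the whole chain works: the encryption root expects a prompted passphrase, the initramfs really carries ykchalresp and the load-key hook, and the YubiKey's response unlocks the pool. The script below is an added example, not part of the gist; it assumes the pool name rpool, slot 2 and the hook paths from this page, that initramfs-tools' lsinitramfs is available, and it uses the dry-run flag of zfs load-key (-n) so the key state is not changed.

```shell
#!/bin/sh
# Pre-reboot check for the YubiKey/ZFS setup above (added example, not from
# the gist). Assumes pool "rpool", YubiKey slot 2 and this page's hook paths.
# Run as root after the "zfs change-key" step: ./verify-yubikey-zfs.sh --run
set -eu

POOL="${POOL:-rpool}"
INITRD="/boot/initrd.img-$(uname -r)"

# ykchalresp prints the 20-byte HMAC-SHA1 response as 40 hex characters;
# anything else means slot 2 did not answer as expected.
is_hmac_sha1_response() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{40}$'
}

# The boot hook pipes the response into "zfs load-key" as a passphrase, so the
# encryption root must use keyformat=passphrase and keylocation=prompt.
validate_key_props() {
    [ "$1" = "passphrase" ] && [ "$2" = "prompt" ]
}

run_checks() {
    # 1. Key properties of the pool's encryption root.
    root="$(zfs get -H -o value encryptionroot "$POOL")"
    fmt="$(zfs get -H -o value keyformat "$root")"
    loc="$(zfs get -H -o value keylocation "$root")"
    validate_key_props "$fmt" "$loc" ||
        { echo "FAIL: $root has keyformat=$fmt keylocation=$loc"; return 1; }
    # 2. The initramfs really contains the binary and the load-key hook.
    for f in bin/ykchalresp etc/zfs/initramfs-tools-load-key; do
        lsinitramfs "$INITRD" | grep -q "$f\$" ||
            { echo "FAIL: $f missing from $INITRD"; return 1; }
    done
    # 3. Derive the passphrase exactly as the boot hook does and verify it
    #    with a dry run: "load-key -n" checks the key without changing state.
    stty -echo
    printf 'ZFS %s challenge: ' "$POOL"
    read -r CHALLENGE
    stty echo
    printf '\n'
    resp="$(printf '%s\n' "$CHALLENGE" | ykchalresp -2 -i-)"
    is_hmac_sha1_response "$resp" ||
        { echo "FAIL: unexpected response from slot 2"; return 1; }
    printf '%s\n' "$resp" | zfs load-key -n "$root" ||
        { echo "FAIL: the YubiKey response does not unlock $root"; return 1; }
    echo "OK: $root unlocks with the YubiKey response; safe to reboot"
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

The live checks only run with --run, so the helper functions can be sourced and tested on a machine without ZFS or a YubiKey.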