Yubikey, luks disk encryption password, and usb-vm ?


Haw...@bitmessage.ch

Jun 4, 2017, 4:03:19 PM
to qubes...@googlegroups.com
When using a usb-vm, my usb keyboard is not accessible at boot time,
and thus my disk encryption password must be typed on the built-in
keyboard.

When not using a usb-vm, a usb keyboard can be used to enter the disk
encryption password.

When using a simple static password at boot typed by the yubikey (which
acts like a keyboard), it has the same limitations as the usb keyboard,
wherein it can't type the disk password when a usb-vm is being used.

I could not determine whether the documentation discussing
challenge-response addresses this problem with boot-time disk passwords
as some sub-component (https://www.qubes-os.org/doc/yubi-key/). I only
see the screensaver discussed, but not disk passwords at boot.

While still using a usb-vm to manage all usb devices, is there any way
to authorize the yubikey automatically at boot time so it can type in
a password for me?

Also, here (https://github.com/adubois/qubes-app-linux-yubikey): am I
missing the referenced qubes-yubikey-vm and qubes-yubikey-dom0 in the
repos, because they don't seem to exist?

Thanks!

Patrik Hagara

Jun 4, 2017, 4:30:06 PM
to Haw...@bitmessage.ch, qubes...@googlegroups.com
With USB VM enabled, all USB devices are hidden from dom0 even during
the Linux kernel boot (but not before). If you need to use USB devices
during Qubes OS boot (keyboard, yubikey, anti-evil-maid, ...) and don't
mind rigorously checking nobody has plugged any suspicious USB devices
into your machine before powering it on (as you should be doing anyway),
you can follow the steps outlined below.

There's a Linux kernel command line argument you need to remove from
/etc/default/grub -- find the line starting with "GRUB_CMDLINE_LINUX"
and drop the "rd.qubes.hide_all_usb" argument. Save the changes and
rebuild grub configuration using `sudo grub2-mkconfig -o
/boot/grub2/grub.cfg` and then reboot.

Please note that if you have anti-evil-maid installed, you also need to
re-run `anti-evil-maid-install` script on your AEM device. Unsealing of
your secrets will, as expected, fail during next boot.

Once you reboot without this option, you can use any USB device normally.


Cheers,
Patrik


Haw...@bitmessage.ch

Jun 5, 2017, 12:33:44 AM
to qubes...@googlegroups.com
Thanks for the clear answer! It took some searching, but it looks like,
for me, that flag was only present in /boot/efi/EFI/qubes/xen.cfg,
and it does not seem to require rebuilding grub to work. I didn't see
that location discussed at https://www.qubes-os.org/doc/usb/ under
"Removing a USB qube" either.

Now, to see if I can get the luks challenge response working rather
than just a static password ...
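As an added example (not code from this thread or from Qubes), a small POSIX shell helper covering both locations named in the replies above: it reports whether `rd.qubes.hide_all_usb` is still set in `/etc/default/grub` or `/boot/efi/EFI/qubes/xen.cfg`, and strips just that argument without disturbing the rest of the line. Removing the flag trades dom0's boot-time USB isolation for a working USB keyboard or YubiKey at the LUKS prompt, which is exactly the trade-off Patrik describes; the `grub2-mkconfig` rebuild and the AEM re-install still apply afterwards.

```shell
#!/bin/sh
# Added example, not from the thread or from Qubes: find and remove the
# rd.qubes.hide_all_usb boot argument. It lives in GRUB_CMDLINE_LINUX in
# /etc/default/grub (legacy BIOS boot) or on the kernel= line of
# /boot/efi/EFI/qubes/xen.cfg (EFI boot), as the replies above describe.

# boot_config_file: print the config file this machine actually boots from
# (the EFI xen.cfg when it exists, otherwise the grub defaults file).
boot_config_file() {
    if [ -f /boot/efi/EFI/qubes/xen.cfg ]; then
        printf '%s\n' /boot/efi/EFI/qubes/xen.cfg
    else
        printf '%s\n' /etc/default/grub
    fi
}

# usb_hidden_at_boot FILE: exit 0 if FILE still hides USB from dom0 at boot.
usb_hidden_at_boot() {
    grep -q -- 'rd\.qubes\.hide_all_usb' "$1"
}

# strip_hide_all_usb: stdin -> stdout, dropping the argument wherever it
# stands as its own word (middle, start or end of the value, quoted or
# not) while leaving every other argument and the quoting untouched.
strip_hide_all_usb() {
    sed -e 's/ rd\.qubes\.hide_all_usb\([ "]\)/\1/' \
        -e 's/ rd\.qubes\.hide_all_usb$//' \
        -e 's/rd\.qubes\.hide_all_usb //' \
        -e 's/rd\.qubes\.hide_all_usb//'
}

# remove_hide_all_usb FILE: keep a FILE.bak copy, then rewrite FILE in place
# (overwriting rather than replacing the file keeps its owner and mode).
remove_hide_all_usb() {
    cp -- "$1" "$1.bak" && strip_hide_all_usb < "$1.bak" > "$1"
}

# Usage (as root in dom0):
#   cfg=$(boot_config_file)
#   usb_hidden_at_boot "$cfg" && remove_hide_all_usb "$cfg"
#   [ "$cfg" = /etc/default/grub ] && grub2-mkconfig -o /boot/grub2/grub.cfg
```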

Joe

Aug 28, 2018, 1:37:33 PM
to qubes-users
On Monday, 5 June 2017 00:33:44 UTC-4, wrote:
> On Sun, 4 Jun 2017 22:29:57 +0200
>

If you're still interested:
This solution works great with a Yubikey (chal/resp mode), with sys-usb running as your USB qube.
It temporarily allows USB devices during boot-up when it asks for a password (challenge) or the LUKS passphrase. Once done, it then unbinds the USB PCI devices from dom0, so the USB qube can handle USB devices as it should.

https://github.com/the2nd/ykluks
