
I backed the Solo Key on Kickstarter and it should be coming soon.

solokeys.com/

I'm curious if I can use that to unlock a LUKS encrypted disk on Linux (specifically Ubuntu). Can't seem to find anything on that.

Anyone used FIDO2 and LUKS?

@ted There have been projects to add this, but it's not available by default.

github.com/cornelinux/yubikey- is one that comes to mind. I know this is Yubikey-specific, but IIRC FIDO2 should be the same between implementations, just maybe with some different endpoints.

@ted I may be wrong, but this also looks like it's using challenge/response (or worse, a static key). So I don't think that's FIDO2; it's relying on a feature of the key's programmable slots.

@chuck yeah, probably to support the older Yubikeys.

Though, I have a couple of those from UDS...

@chuck I used to a lot more. Then I switched a lot of things over to TOTP in my password manager.

I'm planning to use the Solokey for opening up my password manager.

I'd love to use it for full disk encryption as well. But, not sure how to do that.

@ted FIDO/U2F requires (1) server-mediated access and (2) an uncompromised client to be useful

It does not help at all for disk encryption unless you're putting the custom key storage & challenge verification on the disk itself

@riking yes, but that'd be more secure than a passphrase though, right?

@ted your primary concern for full disk encryption is offline attacks, i.e. someone has already stolen the drive

If you're storing the decryption key inside the drive's memory... you get nothing.

This is why a security key hosted static secret is reasonable, but best when augmented with a password

@riking you'd be storing the key to decrypt the drive and the key used to encrypt it. You'd then be sending the drive's key to the USB device to decrypt it. So even if the drive is stolen you'd not be able to decrypt the drive because the key is encrypted. You'd be able to encrypt new keys, but that's not really useful.
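A software model of the wrapped-key scheme described in the post above, combined with the earlier point that a secret held on the security key is best augmented with a passphrase. This is an added example, not code from the thread, from SoloKeys or from any LUKS tooling. The security key is simulated by a function that answers a challenge with an HMAC over a device-held secret (the shape of the FIDO2 hmac-secret extension, done here in plain Python); the `WrappedKey` structure, the function names and the sample secrets are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values. In a real deployment the device secret lives only
# inside the security key, and the volume key is the LUKS master key.
DEVICE_SECRET = bytes.fromhex("a1" * 32)
VOLUME_KEY = bytes.fromhex("5e" * 32)


@dataclass(frozen=True)
class WrappedKey:
    """What gets stored on the disk (analogue of a LUKS keyslot token).
    None of these fields reveals the volume key without the device AND the passphrase."""
    challenge: bytes
    salt: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def device_respond(device_secret: bytes, challenge: bytes) -> bytes:
    """Simulated security-key side: HMAC-SHA256 over a secret that never leaves the key."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def derive_kek(device_response: bytes, passphrase: str, salt: bytes) -> bytes:
    """Host side: mix the key's response with the passphrase so that neither the
    stolen disk alone nor the key alone can rebuild the key-encryption key (KEK)."""
    material = passphrase.encode("utf-8") + device_response
    return hashlib.pbkdf2_hmac("sha256", material, salt, 200_000, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-based keystream in counter mode (stand-in for a real AEAD cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def enroll(volume_key: bytes, passphrase: str, device_secret: bytes) -> WrappedKey:
    """Wrap the volume key under a KEK derived from device response + passphrase."""
    challenge, salt, nonce = secrets.token_bytes(32), secrets.token_bytes(16), secrets.token_bytes(16)
    kek = derive_kek(device_respond(device_secret, challenge), passphrase, salt)
    enc_key, mac_key = kek[:32], kek[32:]
    ciphertext = bytes(a ^ b for a, b in zip(volume_key, _keystream(enc_key, nonce, len(volume_key))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return WrappedKey(challenge, salt, nonce, ciphertext, tag)


def unlock(wrapped: WrappedKey, passphrase: str, device_secret: bytes) -> bytes:
    """Boot-time path: send the stored challenge to the key, derive the KEK, verify, unwrap."""
    kek = derive_kek(device_respond(device_secret, wrapped.challenge), passphrase, wrapped.salt)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, wrapped.nonce + wrapped.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wrapped.tag):
        raise ValueError("unwrap failed: wrong passphrase or wrong security key")
    return bytes(a ^ b for a, b in zip(wrapped.ciphertext, _keystream(enc_key, wrapped.nonce, len(wrapped.ciphertext))))


def try_unlock(wrapped: WrappedKey, passphrase: str, device_secret: bytes) -> bool:
    """True only when both factors are right; models the offline (stolen disk) case."""
    try:
        return unlock(wrapped, passphrase, device_secret) == VOLUME_KEY
    except ValueError:
        return False


def demo() -> dict:
    """Enroll once, then show which factor combinations can open the volume."""
    wrapped = enroll(VOLUME_KEY, "correct horse battery staple", DEVICE_SECRET)
    return {
        "key_and_passphrase": try_unlock(wrapped, "correct horse battery staple", DEVICE_SECRET),
        "key_only_wrong_passphrase": try_unlock(wrapped, "guess", DEVICE_SECRET),
        "passphrase_only_no_key": try_unlock(wrapped, "correct horse battery staple", bytes(32)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: the disk holds only `challenge`, `salt`, `nonce`, `ciphertext` and `tag`. Someone who has stolen the drive cannot recompute the HMAC response without the key, and someone who has the key still needs the passphrase, so an offline attack has to guess the passphrase with the physical key in hand rather than against the disk alone. A real implementation would use a proper AEAD (or LUKS2's own keyslot wrapping) instead of the HMAC keystream used here for self-containment.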

@ted a friend pointed me to onlykey.io/ when I was complaining about the delays to the solo key ;)

@paperdigits yes, actually talking about that in a chat is what got me to looking at using the Solo Key with LUKS. It seems like it'd be easy to implement a pretty secure passphrase based boot with that.

Just for ease of use, might be worth carrying two keys.

@ted Did you ever find a nice way to use the Solo Key with LUKS (presumably a static secret key stored on the key, or encrypted, stored on the disk, but decrypted by the key)?

@nick_cripps no, but I haven't played with it much. Mostly looked for other people who've solved the problem, which there doesn't seem to be. Gonna have to find the time to do it myself it seems.

@ted I've ordered myself a hacker version of the SoloKey with a view to doing some development myself, having concluded it doesn't have options to do the things we need to buy it for work yet. I'd like to store GPG, SSH and LUKS keys on it. Let me know if you start on any of these, and I'll let you know if I do, and what progress (if any) I make.
