(Note that Travis builds are failing due to an upstream blocker).
This project aims to provide reliable full-disk-encryption using Yubikey challenge-response functionality.
A challenge is generated and stored on the machine to be encrypted. This challenge is sent to the Yubikey
which contains a secret key. The Yubikey returns SHA1(HMAC(key, challenge)) as the response, and this
response is used as a LUKS key.
Then yubikey-fde and its systemd units are included in the initial initramfs. Running systemd in
the image is a dependency because this tool is tailored towards it.
Once systemd encounters an encrypted device it will request a password, this request is picked up by
the application and if a) a challenge file is present and b) a Yubikey is plugged in the tool will
perform the challenge-response and respond to systemd. In case of this failing, systemd will still be
sending its password request to the console so that a recover is possible with a key from a different key
slot.
If you are on ArchLinux, you should be able to just run makepkg. You will need to have rust as well as
cargo-bin and yubikey-personalization-git from AUR installed.
On RPM-based distributions (tested on CentOS 7) you can use the yubikey-fde.spec to build a package with
rpmbuild. Please note that Rust is not yet in any repositories so I could not add a build dependency for
it to the spec, make sure you have Rust (and Cargo) installed before attempting to build.
This will be fixed once a package becomes available.
On other systems, ensure you have the equivalents to those dependencies and run cargo build to build the
program. You will need to set up systemd units and initramfs generation manually, though Dracut support
is in the works.
This is intended to replace the programs in mkinitcpio-ykfde.