OpenSC
yubikey-full-disk-encryption
| | OpenSC | yubikey-full-disk-encryption |
|---|---|---|
| Mentions | 8 | 16 |
| Stars | 2,413 | 772 |
| Growth | 1.9% | - |
| Activity | 9.6 | 0.0 |
| Latest commit | 5 days ago | 5 months ago |
| Language | C | Shell |
| License | GNU Lesser General Public License v3.0 only | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
OpenSC
- How do you put your private key files (.ppk) on a security key (HYPERFIDO U2F/FIDO2/HOTP)?
- Create Your Own Local Root CA With Yubikey Signing
This installs opensc, a library for dealing with Smart Card (essentially what a Yubikey is recognized as) access in a programmatic way. It also installs OpenSSL bindings that interact using the pkcs11 standard. Basically, we won't get very far using a Yubikey for signing without this. The intermediate CA configuration will also need to be updated:
- You can link an OpenPGP key to a German eID
Well, in Spain you can use your eID directly: https://github.com/OpenSC/OpenSC/wiki/DNIe-%28OpenDNIe%29#up...
- Enhance your Network Security with Zero Trust and OTP
The OpenSC binary to interact with the Yubikey at command line.
- Tillitis Security Key – Mullvad spin-off inspired by measured boot and DICE
https://github.com/OpenSC/OpenSC
Note that "production ready" does not equate to "follow a YouTube video and write 17 lines of TypeScript." You need to know Java, you need to know crypto, and you need a few bucks to throw at the appropriate hardware. That said, the entire US DoD is built on JavaCard so it is as production grade as you can get.
- EU Commission to open source software
Next step. Make sure EU Government paid contractors release source code per LGPL https://github.com/OpenSC/OpenSC/issues/2462
- How do you store private keys?
I have one of the Nitrokeys and several of the smart cards for various purposes. The software side of using them can be a bit confusing if you're not familiar with HSMs and PKCS#11, but the OpenSC project has a lot of good info to help.
- Dev Tools I Can't Appreciate Enough
1- PKCS11-Tools by OpenSC
yubikey-full-disk-encryption
- I have seen in a lot of posts here people say not to use Google Authentication for 2FA. Can someone simply explain why, and what should I use instead?
- LUKS with Yubikey
Would using this be possible? https://github.com/agherzan/yubikey-full-disk-encryption/tree/master/src
- Getting LUKS, Btrfs, Hibernation and Swap file working in tandem
> Hibernate is less interesting, and apparently unsupported using secure boot anyway.
That's not the case. I have a similar setup to yours (/ on ext4 with separate swap, on LVM on LUKS, separate /efi) and my box hibernates just fine with secure boot and auto-unlock via TPM.
The difference with your setup is I don't use grub, but have the UEFI load a signed unified kernel image directly. Since this works so well, I never had a reason to mess around with yet another moving piece (grub or other bootloader).
As another commenter said, I haven't attempted to mess around with the MOK. I just replaced all the secure boot keys with my own, and I've also signed MS's Windows key (but not the 3rd party one) for my dual-boot needs.
---
For specifics: This is an up-to-date Arch Linux install, running on an HP EliteBook 840 G8 (11th gen intel). I know Debian may have older components than arch, but this setup has been working for more than a year now.
IIRC, the most significant change was brought by systemd 251 which started supporting auto-unlocking LUKS with the TPM. Before that, on an older computer with the same general setup, hibernation worked well, too. I just needed to input the unlock password (which I was too lazy to do, so I just used my yubikey - see https://github.com/agherzan/yubikey-full-disk-encryption).
- systemd 253 Released With Ukify Tool, systemd-cryptenroll Unlocking Via FIDO2 Tokens
Does yubikey-full-disk-encryption provide anything systemd 253 doesn't now?
- Tillitis Security Key – Mullvad spin-off inspired by measured boot and DICE
Do you mean something like this: https://github.com/agherzan/yubikey-full-disk-encryption
- Encrypt data on server (Linux, LUKS) on Raspberry Pi
Full disk encryption is rarely as portable as simply encrypting the files you need. When I ran a “homemade” NAS, I had everything LUKS encrypted. I used a Yubikey to unlock the encrypted data.
- Using a YubiKey to unlock LUKS - How to secure or encrypt /boot?
A few days ago I acquired a Yubikey and I'm currently trying to set up 2FA with the Yubikey and a password to unlock the LUKS container. Since I am running Arch I came across the yubikey-full-disk-encryption package and tested it in an Arch VM. So far it worked really well. The only issue I am having is that compared to my old setup I need to have /boot unencrypted because it seems GRUB itself cannot deal with the 2FA setup and ykfde if /boot is encrypted. Previously I had most of /boot inside the LUKS volume with only the /efi part unencrypted (this is used when telling grub where the efi-directory is - see the previous guide for the full details please) and the GRUB_ENABLE_CRYPTODISK=y option set in the GRUB config.
- LUKS boot unlock fido2 issue
I don't know about the hanging, I use yubikey-full-disk-encryption which uses challenge-response (1FA or 2FA) which you can set up how many attempts to use the YubiKey before it falls back to the passphrase.
- Is it possible to crack drive encryption without header?
Related: https://github.com/agherzan/yubikey-full-disk-encryption
- How safe is encryption?
https://github.com/cornelinux/yubikey-luks or https://github.com/agherzan/yubikey-full-disk-encryption with yubikey 5 will get you going. It is a bit expensive to get two keys (regular and backup), but these can also be used to secure most of the online accounts.
What are some alternatives?
AusweisApp - The official eID client of the German federal government.
dracut - the event-driven initramfs infrastructure
tpm2-pkcs11 - A PKCS#11 interface for TPM2 hardware
fido2luks - Decrypt your LUKS partition using a FIDO2 compatible authenticator
putty-cac - Windows Secure Shell Client With Support For Smart Cards, Certificates, & FIDO Keys
solokey-full-disk-encryption - Use SoloKey to unlock a LUKS encrypted partition
yubico-piv-tool - Command line tool for the YubiKey PIV application
wireguard-initramfs - Use dropbear over wireguard.
eid-mw - eID Middleware (main repository)
zfsUnlocker - A modular zfs unlocker hook for mkinitcpio on Archlinux.
postman-app-support - Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
void-packages - The Void source packages collection