Skip to content

This module for dracut allows two factor authentication on LUKS, using only another encrypted volume.

License

Notifications You must be signed in to change notification settings

raffaeleflorio/luks-2fa-dracut

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

luks-2fa-dracut

This module for dracut allows 2FA on LUKS during boot. It doesn't use YubiKey and it doesn't require any special media. All you need is a second LUKS volume. Obviously the latter should be on a removable device (e.g. a SD card) and it should be kept secure to nullify password recorder or shoulder surfer attacks and subsequent clone/steal of the target device/computer.
However this module, like YubiKey, doesn't protect you from physical attack. About this, another layer is needed (for info: https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html). Anyway, in case of emergency, it's easier to destroy the SD card than the drive on your motherboard...

How it works ?

A target LUKS volume will be opened when the user provides a password for another LUKS volume on which there is a key for the first volume. So the user provides "something that has" (e.g. an SD card) and "something that knows" (i.e. the password to unlock the SD card volume).
The relation between the target volume and the keyfile volume is specified with a kernel cmdline parameter:

rd.luks.2fa=UUID=keyfile_uuid:keyfile_path:UUID=target_uuid[:timeout]

These parameters will be translated by the systemd generator into a systemd.service.

How to install/remove ?

Installation

Clone this repo:

$ git clone https://github.com/raffaeleflorio/luks-2fa-dracut.git

You can check commit's signatures using my key: from raffaeleflorio.github.io or from pgp.mit.edu.

Install, a new initramfs will be created with dracut -fv:

# make install

Then you need to configure your LUKS volumes add your rd.luks.2fa to the kernel cmdline through the bootloader file. For example /etc/default/grub if you use GRUB.

Removal

A new initramfs will be created with dracut -fv:

# make clean

SD driver

If you want use SD you should add the mmc_block drivers to the initramfs. You can achieve it with the addition of: add_drivers+=" mmc_block " to /etc/dracut.conf.d/luks-2fa.conf.

About

This module for dracut allows two factor authentication on LUKS, using only another encrypted volume.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published