Hey all,
I recently purchased some yubikeys (5 series) and have been thinking of using them for my Linux machine.
Have any of you done this before? I’m not sure how complicated this is to set up. Im far from a power user.
Is this even worth it? If set up properly, would it be impossible to decrypt a drive without access to both password and passkey?
This page may be of use YubiKey - ArchWiki, it would probably be complex to set up though…
I’ve considered this and it seems like a pain in the ass.
I believe the implementation used is HMAC challenge-response. This is a problem because yubikeys only have two slots, only one can be used for challenge-response.
There’s also another implementation called HSM but I haven’t looked into it.
The reason I hesitate doing this is because it relies on things that are out of my control. It relies on system time being synced with the key, for example. There’s a lot of moving parts, and I don’t trust it enough.
My preferred implementation is a static password. With a yubikey you can configure up to two static passwords (they share the same slots with challenge-response, but you can have one of each or two static passwords only).
Bonus tip, use a short, memorised password / phrase in addition to the static password. This way it’s two-factor (something you have, and something you know).
An alternative could be to encrypt your home directory and then use the PAM yubikey module to authenticate and then decrypt it.
Note: i have never done this myself, so this is speculation on my part.