
If you are physically present but the device is operating headless, and if using LUKS and GRUB, you can use a hardware token such as YubiKey via USB to unlock the device without needing to see the console.

I do this with a gateway/router on a PC Engines APU2 that has an internal SSD.

Just ensure GRUB includes the requisite USB modules in its core image, or use grub-mkstandalone to include all modules in core.



Please don't do this unless you have a backup yubikey with the same key on it.


The Yubikey setup program specifically tells you not to rely on a single key for anything.


Even with LUKSv1 there are seven key slots. On creation generally the first will be a keyboard-entered pass-phrase, then one might add a key-file, and then add the hardware token as another.

With LUKSv2 the seven slot limit doesn't apply.

For headless, GRUB is configured to use the serial port for its terminal in/out so a passphrase can be typed.


Or all stateful data is securely backed up, of course.


What are the benefits of encryption here?

If the hardware is stolen it will have the hardware key attached.

It is similar to having an unencrypted SSD.

Also, someone can temporarily remove the yubikey, fetch the decryption key, then place it back.


> hardware key attached

The key is on my keychain, not attached to the box. I don't need to unlock it remotely. I want to be there and plug my key in, touch it and yank it.

> Also, someone can temporarily remove the yubikey, fetch the decryption key then place it back.

If implemented correctly, nobody can. An encrypted LUKS key would be sent to the yubikey and decrypted there, not the other way around.
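The property the reply above relies on (the token performs the unlock operation; its secret cannot be read out) and the earlier objection (borrow the key, copy the secret, put it back) can both be exercised in a small simulation. This is an added example, not code from the thread or from any YubiKey or cryptsetup tooling: it models a LUKS-style header with a typed-passphrase slot and a token slot. The token is a closure answering HMAC-SHA1 challenges, as a YubiKey in challenge-response mode does, standing in for the decrypt-on-token design the reply describes; PBKDF2, an XOR wrap, storing the challenge in the header, and all function names are this example's own assumptions, not LUKS's on-disk format or any real tool's layout. The `demo()` function runs the scenarios from the exchange: disk without token, token without touch, token borrowed without the disk, and the caveat that a copy of the header plus a touched token unlocks like the real disk.

```python
# Constructed example: a LUKS-style header with a passphrase keyslot and a token keyslot.
# The token answers HMAC-SHA1 challenges like a YubiKey in challenge-response mode; PBKDF2
# and an XOR wrap stand in for LUKS's real KDF and keyslot encryption (not the real format).
import copy
import hashlib
import hmac
import os
from typing import Callable, Optional

KDF_ITERATIONS = 50_000  # deliberately low for a demo; real LUKS benchmarks this
Token = Callable[[bytes, bool], bytes]


def make_token(secret: bytes, require_touch: bool = True) -> Token:
    """The secret lives only inside the closure: it can be used, never read back."""
    def challenge_response(challenge: bytes, touched: bool = False) -> bytes:
        if require_touch and not touched:
            raise PermissionError("token requires a touch before answering")
        return hmac.new(secret, challenge, hashlib.sha1).digest()
    return challenge_response


def _kek(passphrase: bytes, salt: bytes) -> bytes:
    """Per-slot key-encryption key derived from that slot's passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERATIONS, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Header:
    """On-disk header: every keyslot wraps the same 32-byte master key."""
    def __init__(self) -> None:
        self.slots: list = []

    def _add(self, master_key: bytes, passphrase: bytes, challenge: Optional[bytes]) -> None:
        salt = os.urandom(16)
        kek = _kek(passphrase, salt)
        wrapped = _xor(master_key, kek)
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()  # detects a wrong passphrase
        self.slots.append({"salt": salt, "wrapped": wrapped, "tag": tag, "challenge": challenge})

    def unwrap(self, passphrase: bytes) -> Optional[bytes]:
        """Try every slot with this passphrase; return the master key, or None."""
        for slot in self.slots:
            kek = _kek(passphrase, slot["salt"])
            tag = hmac.new(kek, slot["wrapped"], hashlib.sha256).digest()
            if hmac.compare_digest(tag, slot["tag"]):
                return _xor(slot["wrapped"], kek)
        return None

    def add_slot(self, existing: bytes, new_passphrase: bytes, challenge: Optional[bytes] = None) -> None:
        """Like luksAddKey: an existing slot secret must recover the master key first."""
        master_key = self.unwrap(existing)
        if master_key is None:
            raise ValueError("no keyslot opens with the supplied secret")
        self._add(master_key, new_passphrase, challenge)


def format_header(master_key: bytes, passphrase: bytes) -> Header:
    """Like luksFormat: slot 0 holds a typed passphrase."""
    header = Header()
    header._add(master_key, passphrase, None)
    return header


def enroll_token(header: Header, existing: bytes, token: Token) -> None:
    """Slot passphrase = the token's response to a random challenge; only the challenge is stored."""
    challenge = os.urandom(32)
    header.add_slot(existing, token(challenge, True), challenge)


def unlock_with_token(header: Header, token: Token, touched: bool) -> Optional[bytes]:
    """Replay each stored challenge to the token; a token that refuses (no touch) yields None."""
    for slot in filter(lambda s: s["challenge"] is not None, header.slots):
        try:
            master_key = header.unwrap(token(slot["challenge"], touched))
        except PermissionError:
            return None
        if master_key is not None:
            return master_key
    return None


def demo() -> dict:
    """Run the scenarios from the thread; every value should come out True."""
    passphrase, master_key = b"correct horse battery staple", os.urandom(32)
    header = format_header(master_key, passphrase)           # slot 0: typed passphrase
    token = make_token(os.urandom(20), require_touch=True)   # secret programmed once, never exported
    enroll_token(header, passphrase, token)                  # slot 1: the token
    return {
        "passphrase_unlocks": header.unwrap(passphrase) == master_key,
        "token_unlocks": unlock_with_token(header, token, True) == master_key,
        # Stolen disk, no token: a guessed passphrase opens nothing.
        "header_without_token": header.unwrap(b"guess") is None,
        # Token plugged in but nobody touches it: it refuses to answer at all.
        "token_without_touch": unlock_with_token(header, token, False) is None,
        # Token borrowed for a minute, disk left behind: the borrower can collect responses
        # to challenges of their choosing and nothing else; none is a slot passphrase.
        "borrowed_token_alone": header.unwrap(token(os.urandom(32), True)) is None,
        # Caveat: a copy of the header (an unprotected backup, say) plus a touched token
        # unlocks exactly like the real disk, so the header needs guarding too.
        "token_plus_header_copy": unlock_with_token(copy.deepcopy(header), token, True) == master_key,
    }
```

Call `demo()` and every entry should be True. The last scenario is the practical caveat behind the "nobody can" claim: the token's secret is indeed not extractable, but the token will answer for whoever presents the stored challenge and can touch it, so header backups (the output of `cryptsetup luksHeaderBackup`) deserve the same physical protection as the token itself.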


Ah, I missed that use case, nice idea



