Yubikeys are now supported

Simon Josefsson simon at josefsson.org
Mon Oct 25 12:29:20 UTC 2010


Paul Wouters <paul at xelerance.com> writes:

> On Fri, 8 Oct 2010, Nathanael D. Noblet wrote:
>
>> On 10/07/2010 10:58 PM, Paul Wouters wrote:
>>> One usage of yubikey I would like very much is as storage for the AES
>>> encryption key for disk encryption. I'd prefer the disk crypto key to
>>> not be on the disk at all, protected by just a passphrase. It would be
>>> nice to have it on a yubikey instead.
>>
>> I just ordered a yubikey for this express purpose, we have a product
>> under development that has an encrypted partition that gets decrypted by
>> a key on a USB thumbdrive - not the best... When I saw these I
>> immediately thought I should see about getting them used to unlock
>> encrypted partitions!... I'll keep you informed.
>
> Note that yubikeys are not (yet) usable for this. You cannot request the
> AES key from it (AFAIK), only an OTP. And the OTP can also not be used to unlock
> an AES key on the harddisk because it is different for each activation.

The YubiKey with firmware 2.2 (latest) supports a challenge-response
HMAC-SHA1 mode that probably can be used for this.  You feed a pass
phrase to the YubiKey, and it responds with a static string generated
from the pass phrase using HMAC-SHA1.  It will be the same output every
time if the input is the same.  The output would then be used as the
encryption key.  Of course, you still need to trust the software on your
machine to not leak the HMAC-SHA1 output.

If anyone is trying something like this, I'm interested to hear about
progress.  Encrypting disks assisted with an external device is
something I'd like to see.

/Simon
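
The scheme described in the message above, sketched as an added example that is not part of the original post or of any YubiKey software. `SoftToken` is a software stand-in for the device, and the salt, the SHA-256 challenge construction and the PBKDF2 stretching step are assumptions of this sketch.

```python
import hashlib
import hmac


class SoftToken:
    """Software stand-in for the token (hypothetical): HMAC-SHA1 over the
    challenge with a secret that is never exposed to the caller."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_disk_key(token: SoftToken, passphrase: str, salt: bytes) -> bytes:
    # Hash salt + passphrase into a fixed 32-byte challenge, so the
    # challenge size does not depend on passphrase length (assumption).
    challenge = hashlib.sha256(salt + passphrase.encode("utf-8")).digest()
    # Same challenge + same token secret -> same 20-byte response every time.
    response = token.challenge_response(challenge)
    # Stretch the 160-bit response into a 256-bit key. This KDF step is an
    # addition of this example, not something the message describes.
    return hashlib.pbkdf2_hmac("sha256", response, salt, 100_000, dklen=32)


def demo() -> dict:
    # Constructed sample values; a real salt would be random and stored
    # in the clear next to the encrypted volume.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    token = SoftToken(bytes(range(20)))
    other = SoftToken(bytes(range(1, 21)))

    key = derive_disk_key(token, "correct horse", salt)
    again = derive_disk_key(token, "correct horse", salt)
    wrong_pass = derive_disk_key(token, "incorrect horse", salt)
    wrong_token = derive_disk_key(other, "correct horse", salt)
    return {
        "key_len": len(key),
        "repeatable": hmac.compare_digest(key, again),
        "wrong_passphrase_matches": hmac.compare_digest(key, wrong_pass),
        "other_token_matches": hmac.compare_digest(key, wrong_token),
    }


if __name__ == "__main__":
    print(demo())
```

The derived key exists in host memory while the volume is unlocked, which is the trust in local software that the message points out.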


