Awesome

SoloKey Full Disk Encryption

This project leverages FIDO2 hmac-secret extension for creating strong LUKS encrypted volume passphrases. You can encrypt the root OS partition and use solokey to unlock this encrypted partition in initramfs stage during boot process as well as other partitions on running system.

SoloKey uses two inputs, challenge and credential to generate the response. The response will be used as your LUKS encrypted volume passphrase. Apart from SoloKey, other keys are also supported as well.

This was only tested and intended for:

Arch Linux and its derivatives
SoloKey

SoloKey Full Disk Encryption
Table of Contents
Prerequisites
Install
- From Github using 'make'
Configure
Usage
- Format new LUKS encrypted volume using solokey passphrase
- Unlock LUKS encrypted volume protected by solokey passphrase
License
Credits

Prerequisites

Install the dependency tool fido2luks

pacman -S clang cargo git
git clone https://github.com/shimunn/fido2luks
cd fido2luks
cargo install -f --path . --root /usr

If you get the error in rust error: no default toolchain configured, please run the below command.

rustup install stable
rustup default stable

Warning: It's recommended to have already working encrypted system setup with encrypt hook and non-solokey passphrase before starting to use skfde hook with solokey passphrase to avoid potential misconfigurations.

Refer here for Arch Linux installation with LUKS.

Install

From Github using 'make'

git clone https://github.com/saravanan30erd/solokey-full-disk-encryption
cd solokey-full-disk-encryption
make install

Configure

Create SoloKey credential

Plug the solokey and run the below command,

skfde-cred

You need to pass the solokey pin to authenticate the solokey and then press the solokey button to generate the credential.

~]# skfde-cred
Generate the SoloKey credential
Enter the SoloKey PIN: <pass pin>
Remember to press the SoloKey button if necessary
SoloKey credential : <credential>

Edit /etc/skfde.conf file

Open the /etc/skfde.conf file and adjust it for your needs.

Example:

Provide the LUKS encrypted device,

SKFDE_LUKS_DEV="/dev/sda3"

LUKS encrypted volume name after unlocking,

SKFDE_LUKS_NAME="luks_root"

Challenge to generate solokey response, it can be text such as alphanumeric.

SKFDE_CHALLENGE="Bugn05DioqvVzQyFYhwD9EhRejXXAci"

Credential used to generate solokey response, use the credential created using skfde-cred.

SKFDE_CREDENTIAL="<credential>"

Enroll solokey passphrase to existing LUKS encrypted volume

To enroll new solokey passphrase to existing LUKS encrypted volume you can use skfde-enroll, see skfde-enroll -h for help:

skfde-enroll -d /dev/<device> -s <keyslot_number>

By default, it uses keyslot 3 if you don't pass -s <keyslot_number>.

skfde-enroll -d /dev/sda3

Warning: having a weaker non-solokey passphrase(s) on the same LUKS encrypted volume undermines the solokey passphrase value as potential attacker will always try to break the weaker passphrase. Make sure the other non-solokey passphrases are similarly strong or remove them.

Enable skfde initramfs hook

Edit /etc/mkinitcpio.conf and add the skfde hook before or instead of encrypt hook as provided in example. Adding skfde hook before encrypt hook will allow for a safe fallback in case of skfde misconfiguration. You can remove encrypt hook later when you confirm that everything is working correctly.

After making the changes, run the below command to regenerate the initramfs.

skfde-load

Reboot and test your configuration.

During the boot process, it will pause and you need to pass the solokey pin to authenticate the solokey. Then press the solokey button.

Usage

Format new LUKS encrypted volume using solokey passphrase

To format new LUKS encrypted volume, you can use skfde-format which is wrapper over cryptsetup luksFormat command:

skfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/<device>

Unlock LUKS encrypted volume protected by solokey passphrase

To unlock LUKS encrypted volume on a running system, you can use skfde-open script, see skfde-open -h for help.