yubikey-luks initramfs unlock script does not work on Ubuntu 24.04 LTS #95
Comments
Do you have Does Can you unpack created initramfs and check if Also does passing |
Hi,
ad) cryptsetup-initramfs: yes, it is installed in version (2:2.7.0-1ubuntu4)
ad) sudo update-initramfs -u
ad) unmkinitramfs /boot/initrd.img-$(uname -r) initramfs/
ad) cryptoptions=target=cryptroot,source=/dev/nvme0n1p3,keyscript=/sbin/ykluks-keyscript |
Ok, so what exactly happens when you boot the OS and want to decrypt the drive? What is shown on the screen? |
Does it fall back to console mode when you hit yubikey-luks welcome message is "Please insert yubikey and press enter or enter a valid passphrase" on your photos there is different text, looks like something else is running than yubikey-luks? |
It indicates yubikey-luks isn't started for some reason |
I tested Ubuntu 24.04 and didn't observe any change in the yubikey-luks initramfs script compared to before. |
So you were able to use the yubikey-luks initramfs script on a new install of 24.04? I took yet another system today (NUC 6i5syh), did a clean new default install (except the disk is LVM encrypted, obviously) both with 24.04 and 24.10, did only apt-get install yubikey-luks -y and rebooted. None of the 3 physical systems and one VM I tested worked. |
I did an upgrade from 22.04. I don't see why it would be different on a fresh installation - initramfs is created against 24.04 tooling. I also don't see similar bug reports for Ubuntu or Debian made by other users. I guess this one is yours. Since there is no trace yubikey-luks is running in initramfs and you see it being part of the created initramfs, the only explanation I can make is that for some reason you boot with a different kernel+initramfs image than what's created. What's the mount point of your EFI partition? Is it mounted while you're running the system? You may add |
Hi,
on clean new installation of Ubuntu 24.04 yubikey-luks initramfs unlock script does not work.
After installation (sudo apt-get install yubikey-luks -y)
I am able to enroll keys in key slots. (both for default system partition (/dev/nvme0n1p3), and for external USB pen drive I used for test /dev/sda3). with yubikey-luks-enroll.
I am able to use yubikey-luks-open for external pendrive (/dev/sda3) I used for testing.
So making key slots and using challenge-responses from yubi keys works.
However, after reboot of the system OS, in the LUKS unlock screen no yubikey-luks welcome text is shown and unlock for key slots containing enrolled keys is not working. Only those I made with luksAddKeys, and therefore with passwords only, are working.
I am using same laptop as for previous 18.04-23.10 where everything worked ok. (Dell XPS 13 9350)
Did not work first time (depending on automatically adding keyscript to crypttab - that worked for me before)
Did not work after manual sudo update-initramfs -u
Did not work after adding to /etc/crypttab cryptroot /dev/nvme0n1p3 none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript and doing sudo update-initramfs -u again.
Both yubikeys NFC5c I have are initialized for ch-response (ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible)
Thanks in advance for any advice, thx.
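
The check discussed in this thread (does a crypttab entry name a keyscript, and is that script present and executable), as an added shell example that is not part of the original issue or of the yubikey-luks project. `check_keyscripts` is a hypothetical helper; the crypttab file and the root directory to look under (the live system or an unpacked initramfs tree) are passed in as arguments.

```shell
#!/bin/sh
# Added example: report every keyscript= entry in a crypttab and whether the
# referenced script exists and is executable under a given root directory.
# Usage: check_keyscripts CRYPTTAB [ROOT]   (ROOT defaults to /)
# Returns 0 if every referenced keyscript is present, 1 if one is missing or
# not executable, 2 if no entry carries a keyscript option at all.
check_keyscripts() {
    crypttab=$1
    root=${2:-/}
    found=0
    status=0
    # crypttab fields: target, source device, key file, options
    while read -r target source keyfile options rest; do
        case $target in ''|'#'*) continue ;; esac
        script=
        old_ifs=$IFS
        IFS=,
        for opt in $options; do
            case $opt in keyscript=*) script=${opt#keyscript=} ;; esac
        done
        IFS=$old_ifs
        if [ -z "$script" ]; then
            echo "$target: no keyscript option"
            continue
        fi
        found=1
        # A bare name is looked up in /lib/cryptsetup/scripts (crypttab(5)).
        case $script in /*) ;; *) script=/lib/cryptsetup/scripts/$script ;; esac
        if [ -x "${root%/}/${script#/}" ]; then
            echo "$target: keyscript $script present"
        else
            echo "$target: keyscript $script MISSING under $root"
            status=1
        fi
    done < "$crypttab"
    [ "$found" -eq 1 ] || return 2
    return "$status"
}
```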