Securing Linux Full Disk Encryption with A Multi-Factor Hardware Token

Linux Unified Key Setup (LUKS) is a powerful disk encryption specification that pairs with the Logical Volume Manager (LVM) to provide full disk encryption on most modern versions of Linux. LUKS-based encryption can be secured even further by adding a hardware-based two-factor authentication device.

This post covers how to associate Yubico’s YubiKey hardware token with Ubuntu 18.04. If you plan to use your Yubikey with a virtual machine, you might need to load additional drivers and make configuration changes, depending on which virtualization software you use.

1)  You will need to use the alternative installer to install Ubuntu Server with an encrypted LVM partition. You can get the alternative installer for Ubuntu 18.04.1 here:

2)  Install Ubuntu Server and make sure to select the option to use an encrypted LVM partition.

3)  When you boot Ubuntu Server for the first time, the password prompt will ask you to “Please unlock disk .” Entering the disk encryption password you set when you installed Ubuntu will decrypt the disk and allow the rest of the boot process to run.

4)  Install the Yubikey LUKS package

sudo apt-get install yubikey-luks

5)  If you haven’t already configured a slot on your Yubikey, you need to configure one to store the key used for challenge-response. The ykpersonalize utility has additional options depending on the specific model of Yubikey you are targeting. The command below should work on most Yubikeys.

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

6)  We are now going to associate the Yubikey with one of the LUKS key slots. A useful command to find the correct partition to associate keys with is:

sudo cryptsetup luksDump /dev/sda3

/dev/sda3 should be replaced with the device that corresponds to the encrypted partition.


Once you have found the right device in /dev, the output of the luksDump command should look similar to the image above; it shows seven key slots still available.

7)  The following command will associate the Yubikey with key slot 1.

sudo yubikey-luks-enroll -d /dev/sda3 -s 1

The utility will first ask for the password you want to use when the Yubikey is present, and then prompt you to confirm it. Finally, you will need to provide one of the existing passwords that already decrypts the disk, for example the password you set when you set up LVM encryption at the time you installed Ubuntu.

8)  Key slot 1 should now show as enabled when you run the cryptsetup luksDump command.

sudo cryptsetup luksDump /dev/sda3
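The check below is an added example, not part of the original post or of the yubikey-luks package. It parses luksDump output to confirm the state you want after step 8: the Yubikey slot (1) is ENABLED and the original passphrase slot (0) is still ENABLED, so that a lost or broken token cannot lock you out of the disk. The luksDump text embedded in the script is a constructed sample trimmed to the lines the parser uses; on a real system pipe `sudo cryptsetup luksDump /dev/sda3` into `check_enrollment` instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify LUKS key slot state
# after enrolling a Yubikey, using only the "Key Slot N: ENABLED/DISABLED"
# lines that cryptsetup luksDump prints for a LUKS1 header.

# Constructed sample of luksDump output (abbreviated). Replace with the real
# header on your machine:  sudo cryptsetup luksDump /dev/sda3 | check_enrollment
SAMPLE_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256

Key Slot 0: ENABLED
        Iterations:             1234567
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             1234567
        Key material offset:    512
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the number of every ENABLED key slot, one per line (luksDump text on stdin).
enabled_slots() {
    sed -n 's/^Key Slot \([0-7]\): ENABLED$/\1/p'
}

# Count the ENABLED key slots (luksDump text on stdin).
count_enabled() {
    enabled_slots | wc -l | tr -d ' '
}

# Succeed if key slot $1 is ENABLED (luksDump text on stdin).
slot_enabled() {
    enabled_slots | grep -qx "$1"
}

# Verify the expected post-enrollment state from luksDump text on stdin:
#   $1 = fallback passphrase slot (default 0), $2 = Yubikey slot (default 1).
# Prints a verdict and returns 0 only when both slots are enabled.
check_enrollment() {
    fallback_slot="${1:-0}"
    token_slot="${2:-1}"
    dump="$(cat)"
    if ! printf '%s\n' "$dump" | slot_enabled "$token_slot"; then
        echo "FAIL: key slot $token_slot is not enabled; yubikey-luks-enroll did not complete"
        return 1
    fi
    if ! printf '%s\n' "$dump" | slot_enabled "$fallback_slot"; then
        echo "FAIL: key slot $fallback_slot is disabled; no passphrase-only fallback remains"
        return 1
    fi
    echo "OK: enabled key slots: $(printf '%s\n' "$dump" | enabled_slots | tr '\n' ' ')"
    return 0
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | check_enrollment
```

Keeping slot 0 enabled is the practical caveat here: if you later decide to remove the passphrase-only slot with `cryptsetup luksKillSlot`, make sure you have a second token enrolled first, because the machine will then boot only with a Yubikey present.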


9)  Steps 7 and 8 can be repeated to associate multiple Yubikeys or even many passwords for the same Yubikey. You might associate many passwords with the same Yubikey if you wanted to add or revoke per-user access using a single token.

10)  You should now be able to use your Yubikey to unlock the disk. The disk decryption prompt at startup now asks for a Yubikey and passphrase, and any of the enrolled Yubikey and passphrase combinations can be used to unlock the disk.

That’s it! You now have the power of two-factor authentication protecting access to your encrypted hard disk.

Header image from Gill Holgate.