Smart Card LUKS decrypt: Infinite tries for PIN?

A while ago I set up my LUKS decryption with the Librem Key according to the official documentation. I was recently testing some settings and fallbacks and noticed that I can try as many times as I want entering a wrong PIN, the Librem Key never gets blocked. Neither does another smart card (yubikey) that I tested, so this doesn’t seem to be Librem Key related.

Is there a reason why the PIN counter does not seem to matter? Or do I have something weird set up? I also tried it with a fresh yubikey and a virtual machine - same thing happened.

I guess my question would be: Why does my smart card not lock when I enter the PIN wrong 3 times?

1 Like

Did the correct PIN work after that though?

Yes it did, sorry for not mentioning this before. That wad of the shocking thing.

If I use the

`gpg —card-edit`

Tool and use verify to check the PIN, then enter a wrong PIN, I can see the counter go down. But that seems not to be the case with the login window. Can somebody test this on the log in?

I never could understand exposing oneself to DOS by locking out after few (few hundreds, if you will) attempts. Rate limiting handles this good enough, and the smart card can impose rate limiting.


Is it possible that there are 2 different PIN’s at play here?

My understanding is that with yubikey-luks when you setup the PIN (or passcode) + key to decrypt this PIN (or passcode) is separate from the Edit PIN for the key and is really more like a SALT that gets hashed with the OTP from the key to decrypt and in turn there would be no trial limit.

It is also my, potentially flawed, understanding that the hardware keys have the edit PIN which is used to make changes to the key but is completely independent of using the key for normal verification.

Again this is my understanding of how this works but I am far from an expert and in turn am asking if this is possible NOT saying this is what’s happening.

Not sure what you mean by that, you would not be locked out, you would only be locked out if you don’t have an alternative scenario to decrypt the drive. The way Purism’s script sets it up with the Librem Key is that you still have a passphrase (hopefully a good one) to fall back onto.

Rate limiting is fine I guess, but I don’t understand why I would not want to only have 3 tries for the PIN and then the card for the user PIN is locked.

Librem Key users OpenPGP v3.3, the YubiKey I have v2.1. They are set up the same way with respect to LUKS decryption: Set it up with the Librem Key and above mentioned script and simply added the GPG key to the Yubikey as well so I have a backup. So I’m not asking about the yubikey-luks specific decryption method, in fact, I don’t know a lot about this.

I’m not fully sure I follow here, could you elaborate?

I can try.

My yubikey has an edit pin and a reset/admin pin

When I configured my key I used the edit pin to perform all actions and can use the reset/admin pin to reset the edit PIN.

When I had setup my yubikey to decrypt the LUKS partition on my Debian system I had to set up a PIN/Passcode that I put in before pressing the “button” on my yubikey. This PIN/Passcode was different than the PIN I used when setting up the yubikey. (Even though it’s different I’m pretty sure it’s similar enough for comparison sake, but this is where the potential for my not properly and completely understanding what’s going on may be an issue)

Yes I know yubikey-luks is different than smartcard-key-luks, but I think they are similar; though I could be wrong.

And yes my experience, is likely different than yours, I’m just asking questions to see if my experience was similar enough to help.

@OpojOJirYAlG I assume you used this to decrypt LUKS? Looks like this works fairly different from the GPG way. Looks like an interesting way by itself too.

Using the GPG way the advantage for me at the moment is that I can decrypt with the Librem Key and with the Yubikey if I need to. So if I don’t have the Librem key for some reason I can boot using HOTP and then decrypt with my Yubikey.

Thanks for pointing the Yubikey LUKS out to me though!

1 Like