I did not think I would get anywhere with such requests/research, but at least I managed to find some fruit with this topic. It appears that MFA on external storage media devices (CDs/DVDs/USBs) has reportedly been done recently. Of course, I found that out after researching password/MFA encryption of CDs/DVDs/USBs. I also tried to get an MFA prompt working on a boot-loaded OS hard disk. It took trial and error (I messed with the default hard disk encryption from the OS installation; best to just leave it alone), but I managed to produce this interface. The restriction on MFA input is in the works. I think I succeeded in key slot control. What still eludes me is that any MFA device would work like a blank/master key. Sure, maybe for the first few tries the prompt would block incorrect MFA devices, but something happened to cause it to fall over.
I won't elaborate on the details, because such encryption methods carry a degree of risk in terms of acts and outcomes.
Password Encryption of External Storage Media Device
https://askubuntu.com/questions/706585/cryptsetup-cannot-wipe-header-on-device
https://askubuntu.com/questions/706585/cryptsetup-cannot-wipe-header-on-device/1185737#1185737
create an encrypted dvd with squashfs and luks · GitHub
Create .sqfs Image File of Data for Image File Encryption
# mksquashfs /set/user/directory/directories/directory/ /set/user/directory/directories/directory/image.sqfs
(first argument: the source directory; second argument: the destination path of the image file)
Notice that a .sqfs image is a filesystem image, not an archive, so a file archiver will not open it; it is mounted (mount -o loop, read-only) or unpacked with unsquashfs. That is the point of building it before encryption: the whole directory tree becomes one file that LUKS can wrap as a single block device.
Encrypting .sqfs Image File of Data for Image File Encryption
# truncate -s +8M /set/user/directory/directories/directory/image.sqfs
The truncate step appends 8 MiB of zeroes to the image, and --reduce-device-size 8M tells cryptsetup it may shift the data forward by that amount to make room for the LUKS2 header at the start of the file, so the two sizes must match. --type luks2 is the on-disk format being written, --resilience journal keeps a journal so an interrupted run can be resumed by re-running the command, and --cipher, --key-size, --hash and --iter-time set the cipher, key length, PBKDF hash and unlock cost. Check beforehand that the kernel and the cryptsetup crypto backend support the chosen cipher and hash, or the command fails partway through.
# cryptsetup reencrypt --encrypt --type luks2 --resilience journal --reduce-device-size 8M --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 5000 --verify-passphrase /set/user/directory/directories/directory/image.sqfs
# (passphrase)
Writing Encrypted .sqfs Image File into Unencrypted/Decrypted External/Removable Blank Non-OS Data/Metadata/Information/File/Directory/Disk_Partition/Disk_Volume/Storage_Media_Device
Too much detail in the heading, but you basically write the encrypted .sqfs file to the medium as raw data: dd to the whole USB device (e.g. /dev/sdb, not a partition, unless the opener expects one), or growisofs/wodim to burn the image as the only track on a DVD/CD. Run sync before removing the medium so the buffered writes actually reach it.
If you want to open the storage media device from the terminal, I won't disclose that here, since most desktop GUIs bring up the password prompt on their own.
By this point you should have a LUKS-encrypted image burned to a CD/DVD that prompts for a passphrase when inserted, much like the copy-protected media CDs of the 90s. Windows has no built-in LUKS support, so do not expect the prompt there.
If you want to wipe a password-encrypted USB stick, you can: overwriting the LUKS header region (or the whole device) with data from /dev/urandom leaves nothing distinguishable from random, which is the reason to prefer urandom over zeroes; it is not a performance choice, zeroes are faster. Write-once CD-R/DVD-R media cannot be overwritten at all, so destroy them physically; RW media can be blanked with the burning tool before reuse.
MFA Encryption of Password Encrypted External Storage Media Device
YubiKey All The Things | Functionally Paranoid
GitHub - cornelinux/yubikey-luks: Two factor authentication for harddisk encryption
https://web.archive.org/web/20250531053244/https://github.com/cornelinux/yubikey-luks
ykpersonalize.1
The CD/DVD/USB must already be password (LUKS) encrypted: yubikey-luks does not create the encrypted container, it enrolls the YubiKey's response into a free key slot of an existing one.
Writing YubiKey MFA Protocol into Encrypted External/Removable Written Non-OS Data/Metadata/Information/File/Directory/Disk_Partition/Disk_Volume/Storage_Media_Device
terminal command# sudo apt-get install yubikey-personalization
Insert YubiKey MFA device in USB drive slot. The next command programs slot 2 of the key for HMAC-SHA1 challenge-response (no touch required, since -ochal-btn-trig is not set) and overwrites whatever slot 2 held before.
terminal command# ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
terminal command# y
Hold YubiKey MFA device in USB drive slot until ykpersonalize returns.
terminal command# sudo apt-get install yubikey-luks
terminal command# sudo gedit /etc/ykluks.cfg
In the /etc/ykluks.cfg file, set the following lines (the rest of the file stays as it is).
...
#WELCOME_TEXT="Please insert yubikey and press enter or enter a valid passphrase"
WELCOME_TEXT=""
# 1 = hash the typed password with SHA-256 before sending it to the YubiKey as the challenge
HASH=1
# keep empty so the challenge comes from the typed password (second factor) rather than a fixed value
YUBIKEY_CHALLENGE=""
...
Save and close the /etc/ykluks.cfg file.
terminal command# sudo update-initramfs -u
Insert the encrypted USB device into the USB drive slot.
terminal command# sudo cryptsetup luksDump /dev/sdb
Check which key slots are already in use. The encryption passphrase from the previous section sits in slot 0, so slot 1 is free for the YubiKey (yubikey-luks-enroll defaults to slot 7; -s picks the slot explicitly).
terminal command# sudo yubikey-luks-enroll -v -d /dev/sdb -s 1
Insert YubiKey MFA device in USB drive slot.
terminal command# (new challenge password)
terminal command# (new challenge password, repeated)
terminal command# (existing LUKS passphrase, i.e. the one in slot 0)
Hold YubiKey MFA device in USB drive slot until process is done. The script hashes the challenge password (HASH=1), sends the hash to the key, and stores the key's response as the passphrase of slot 1.
Now it is time to seal off the passphrase-only slot, so that the device cannot be opened without the YubiKey. Before doing so, confirm that yubikey-luks-open (see the test below) succeeds through slot 1 and take a header backup with cryptsetup luksHeaderBackup: once slot 0 is gone, a lost, broken or re-programmed YubiKey means the data is gone too. Note that enrolling a further YubiKey later will require unlocking through the YubiKey slot, since no plain passphrase slot remains.
terminal command# sudo cryptsetup luksDump /dev/sdb
Check which key slots are in use.
If luksDump lists both slot 0 (passphrase) and slot 1 (YubiKey), kill slot 0 by number with the next command; otherwise skip it. luksKillSlot is the right command here: luksRemoveKey removes whichever slot matches a typed passphrase and ignores -S, so it only removed slot 0 because the slot 0 passphrase was typed.
terminal command# sudo cryptsetup luksKillSlot /dev/sdb 0
terminal command# (passphrase of a remaining slot; with only the YubiKey slot left, run the command with -q to skip this prompt)
terminal command# sudo cryptsetup luksDump /dev/sdb
Check which key slots are in use.
If only one key slot is listed, it is the YubiKey slot.
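As an added example (not from the original post, and not code from cryptsetup or yubikey-luks), the following Python script reads a LUKS header and reports the enrolled key slots and, for LUKS2, whether the header checksum still matches. It is a scriptable form of the "check which key slots are in use" steps above, before and after killing slot 0. The offsets follow the on-disk LUKS1/LUKS2 layout; the sample header, its label and its UUID are constructed in memory so the script runs offline. On a real device you would read the first hdr_size bytes of /dev/sdb (16 KiB covers the default LUKS2 primary header) and pass them in.

```python
"""Added example, not code from the original post nor from cryptsetup or
yubikey-luks: parse a LUKS header and list enrolled key slots, a scriptable
stand-in for eyeballing `cryptsetup luksDump`.  Offsets follow the on-disk
LUKS1/LUKS2 layouts; the sample header below is constructed in memory so the
script runs offline without root or a real device."""
import hashlib
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS2_BIN_HDR_LEN = 4096      # JSON area follows the 4 KiB binary header
LUKS2_CSUM_OFF = 448          # checksum of the header with this field zeroed
LUKS1_SLOT_ACTIVE = 0x00AC71F3


def _cstr(b: bytes) -> str:
    """Decode a NUL-terminated fixed-width string field."""
    return b.split(b"\0", 1)[0].decode()


def parse_luks_header(data: bytes) -> dict:
    """Return version, cipher, uuid and key slots (plus checksum status for LUKS2)."""
    if data[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not an encrypted image, or wrong offset")
    version = struct.unpack(">H", data[6:8])[0]
    if version == 1:
        # LUKS1: eight fixed 48-byte slot records from offset 208; first u32 is the state.
        slots = [i for i in range(8)
                 if struct.unpack(">I", data[208 + 48 * i:212 + 48 * i])[0] == LUKS1_SLOT_ACTIVE]
        return {"version": 1, "cipher": f"{_cstr(data[8:40])}-{_cstr(data[40:72])}",
                "uuid": _cstr(data[168:208]), "keyslots": slots, "checksum_ok": None}
    if version == 2:
        hdr_size = struct.unpack(">Q", data[8:16])[0]
        if len(data) < hdr_size:
            raise ValueError(f"need the full header ({hdr_size} bytes) to parse LUKS2")
        # The checksum covers binary header + JSON area with the csum field zeroed.
        zeroed = bytearray(data[:hdr_size])
        zeroed[LUKS2_CSUM_OFF:LUKS2_CSUM_OFF + 64] = b"\0" * 64
        digest = hashlib.new(_cstr(data[72:104]), bytes(zeroed)).digest()
        checksum_ok = data[LUKS2_CSUM_OFF:LUKS2_CSUM_OFF + len(digest)] == digest
        meta = json.loads(_cstr(data[LUKS2_BIN_HDR_LEN:hdr_size]))
        return {"version": 2, "cipher": meta["segments"]["0"].get("encryption", "?"),
                "uuid": _cstr(data[168:208]), "label": _cstr(data[24:72]),
                "keyslots": sorted(int(k) for k in meta.get("keyslots", {})),
                "checksum_ok": checksum_ok}
    raise ValueError(f"unsupported LUKS version {version}")


def safe_to_kill(info: dict, slot: int) -> bool:
    """True only if `slot` is enrolled and at least one other slot stays behind."""
    return slot in info["keyslots"] and len(info["keyslots"]) > 1


def build_sample_luks2_header(keyslots, label="encrypted-dvd", hdr_size=16384) -> bytes:
    """Constructed LUKS2 primary header (binary part + JSON area) for this demo."""
    meta = {
        "keyslots": {str(s): {"type": "luks2", "key_size": 64} for s in keyslots},
        "segments": {"0": {"type": "crypt", "encryption": "serpent-xts-plain64",
                           "offset": "16777216", "size": "dynamic"}},
    }
    hdr = bytearray(hdr_size)
    hdr[0:6] = LUKS_MAGIC
    hdr[6:8] = struct.pack(">H", 2)
    hdr[8:16] = struct.pack(">Q", hdr_size)
    hdr[24:24 + len(label)] = label.encode()
    hdr[72:78] = b"sha256"
    hdr[168:204] = b"5a7e1b2c-0000-4000-8000-0123456789ab"   # made-up UUID
    body = json.dumps(meta).encode()
    hdr[LUKS2_BIN_HDR_LEN:LUKS2_BIN_HDR_LEN + len(body)] = body
    hdr[LUKS2_CSUM_OFF:LUKS2_CSUM_OFF + 32] = hashlib.sha256(bytes(hdr)).digest()
    return bytes(hdr)


if __name__ == "__main__":
    before = parse_luks_header(build_sample_luks2_header([0, 1]))
    print(before, "kill slot 0 is safe:", safe_to_kill(before, 0))
    after = parse_luks_header(build_sample_luks2_header([1]))
    print(after, "kill slot 1 is safe:", safe_to_kill(after, 1))
```

safe_to_kill refuses when the slot is the last one; cryptsetup itself only asks for an interactive confirmation in that case, so the check belongs in whatever wrapper performs the seal-off. A checksum mismatch on a real header means the metadata was modified outside cryptsetup, which is worth knowing before trusting a removable medium that has been out of your hands.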
Now for the test!
Unmount and eject the MFA-encrypted USB device from the USB drive slot.
Insert the MFA-encrypted USB device into the USB drive slot. Unlocking through the desktop GUI is no longer possible: the GUI hands the typed passphrase straight to LUKS, and no slot accepts a bare passphrase any more, so its prompt can only report an incorrect entry. Use the yubikey-luks opener instead.
terminal command# yubikey-luks-open -v -d /dev/sdb -n (some_nickname)
Insert YubiKey MFA device in USB drive slot.
terminal command# (challenge password)
Hold YubiKey MFA device in USB drive slot until process is done.
If MFA decryption goes smoothly, the decrypted device appears as /dev/mapper/(some_nickname); mount it (read-only, for a squashfs image) to access the contents. Cool.
Note that no MFA device is fool-proof. Firmware bugs, a worn-out key or a lost key can end in a lockout. Keep the key's firmware current, and keep a recovery path (a LUKS header backup taken before slot 0 was killed, or a second enrolled key) stored offline.
MFA Encryption of Internal Storage Media Device
yubikey-luks initramfs unlock script does not work on Ubuntu 24.04 LTS · Issue #95 · cornelinux/yubikey-luks · GitHub
crypttab(5) — cryptsetup — Debian bookworm — Debian Manpages
https://unix.stackexchange.com/questions/777798/does-crypttabs-key-slot-option-mean-luks-will-try-that-keyslot-only-or-fi
boot - Does crypttab's "key-slot" option mean LUKS will try that keyslot "only", or "first"? - Unix & Linux Stack Exchange
https://unix.stackexchange.com/questions/777798/does-crypttabs-key-slot-option-mean-luks-will-try-that-keyslot-only-or-fi/777800#777800
This is where I hit the writer's/researcher's block. I couldn't really get the correct MFA device to hit the center of the MFA prompt. I just get a blank/master key bypass after a few MFA brute-force attempts.
Program the YubiKey, install yubikey-luks and edit /etc/ykluks.cfg exactly as in the "Writing YubiKey MFA Protocol into Encrypted External/Removable Written Non-OS Data/Metadata/Information/File/Directory/Disk_Partition/Disk_Volume/Storage_Media_Device" subsection above (the ykpersonalize, apt-get, ykluks.cfg and update-initramfs steps are identical), then continue here with /etc/crypttab.
terminal command# sudo gedit /etc/crypttab (only if you want the firmware to boot and the bootloader to unlock the specified OS storage media device. Note that I said an OS-hosting device: an entry for a device that is not present stalls the boot of every OS that references it in /etc/crypttab until the device timeout, about 1 minute and 30 seconds, expires).
In the /etc/crypttab file, leave the existing line for the running root disk as it is: it was written by the installer and the passphrase it expects lives in key slot 0 of that disk. It is fine to feel uncomfortable about keeping that line; just leave it alone. The option to be careful with is key-slot=. It takes a single slot number, and LUKS then tries only that slot, not that slot first (see the Stack Exchange answer listed above). It exists so that boot does not have to try every slot, but it doubles as an excellent MFA component: with key-slot=1 the passphrase sitting in slot 0 cannot open the mapping through that entry. Note that the MFA prompt may or may not crash the boot of the drive at times.
In the /etc/crypttab file, add the next line (the original entry for the root disk is shown above it).
...
#crypt_root UUID=#-#-#-# none luks,discard,keyscript=/usr/share/initramfs-tools/scripts/osk-sdl-keyscript,initramfs
crypt_root /dev/(encrypted_luks_partition) none cipher=serpent-xts-plain64,size=512,hash=whirlpool,key-slot=1,verify,luks,initramfs,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
...
For a LUKS device the cipher=, size= and hash= options are taken from the LUKS header and ignored (they only matter for plain dm-crypt mappings); the options doing the work are luks, key-slot=1, verify, initramfs and keyscript=. Two active entries cannot share the mapping name crypt_root, so a second device needs its own name, and UUID=... is safer than /dev/sdX, which can change between boots.
If you are going to add MFA to an inactive OS disk (partition), enter the correct device path for it (e.g. /dev/sda, or the partition that luksDump confirms carries the LUKS header).
Save and close the /etc/crypttab file.
terminal command# sudo update-initramfs -u
terminal command# sudo cryptsetup luksDump /dev/sdb
Check which key slots are in use. The installer's passphrase is in slot 0, so slot 1 is free for the YubiKey.
terminal command# sudo yubikey-luks-enroll -v -d /dev/sdb -s 1
Insert YubiKey MFA device in USB drive slot.
terminal command# (new challenge password)
terminal command# (new challenge password, repeated)
terminal command# (existing LUKS passphrase, i.e. the one in slot 0)
Hold YubiKey MFA device in USB drive slot until process is done.
The original hard disk encryption from the OS installation should stay: the installer put its passphrase in key slot 0 and wrote the default crypttab entry around it. Neither the prompt nor slot 0 is hardcoded into the OS, but do not remove that slot on a running system unless the YubiKey slot has been proven to unlock the disk and a LUKS header backup exists, because the YubiKey then becomes the only way in.
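As an added example (not from the original post, and not code from yubikey-luks or cryptsetup), the Python below models what ykluks-keyscript hands to LUKS and the two controls that decide whether another YubiKey or a bare passphrase still gets in: the crypttab key-slot= restriction discussed here and the leftover passphrase slot 0 that the external-device section seals off. The passphrase handling follows the HASH= and CONCATENATE= switches of /etc/ykluks.cfg; HMAC-SHA1 stands in for the YubiKey's slot-2 challenge-response, with the hex SHA-256 string used as the challenge bytes as ykchalresp does for a plain string argument (the variable-length padding of the key's hmac-lt64 mode is not modelled). LUKS key slots are modelled as a plain passphrase table rather than real PBKDF/anti-forensic key material. The secrets, passphrases and slot layout are constructed for this demo.

```python
"""Added example, not code from the original post, yubikey-luks or
cryptsetup: a model of the ykluks passphrase derivation and of the LUKS
slot-selection rules that decide who can unlock.  Secrets, passphrases and
the slot table are constructed for the demo; real LUKS slots hold PBKDF-
derived key material, not passphrases."""
import hashlib
import hmac
from typing import Optional


def yubikey_response(secret: bytes, challenge: bytes) -> str:
    """What a YubiKey slot programmed with `secret` answers: HMAC-SHA1, 40 hex chars."""
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def ykluks_passphrase(typed: str, secret: Optional[bytes] = None,
                      use_hash: bool = True, concatenate: bool = False) -> str:
    """Passphrase the keyscript passes to cryptsetup.

    With no YubiKey plugged in the typed text is passed through unchanged, so
    whatever passphrase slots remain on the device stay reachable."""
    if secret is None:
        return typed
    challenge = hashlib.sha256(typed.encode()).hexdigest() if use_hash else typed
    response = yubikey_response(secret, challenge.encode())
    return typed + response if concatenate else response


class LuksSlots:
    """Toy stand-in for a LUKS header: slot number -> passphrase that opens it."""

    def __init__(self) -> None:
        self.slots: dict = {}

    def add(self, slot: int, passphrase: str) -> None:
        if slot in self.slots:
            raise ValueError(f"slot {slot} already in use (yubikey-luks-enroll -c clears it)")
        self.slots[slot] = passphrase

    def kill(self, slot: int) -> None:
        del self.slots[slot]

    def open(self, candidate: str, key_slot: Optional[int] = None) -> Optional[int]:
        """Slot that accepts `candidate`, or None.

        key_slot mimics crypttab key-slot= / cryptsetup -S: only that slot is
        tried, never "that slot first"."""
        to_try = [key_slot] if key_slot is not None else sorted(self.slots)
        for slot in to_try:
            if slot in self.slots and hmac.compare_digest(self.slots[slot], candidate):
                return slot
        return None


# Constructed demo secrets: the HMAC key programmed into two different YubiKeys.
YK_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")
YK_B = bytes.fromhex("deadbeefcafebabe0123456789abcdef01234567")
INSTALLER_PASSPHRASE = "correct horse battery staple"   # slot 0, from the OS installer
MFA_PASSPHRASE = "second factor, typed at the prompt"  # challenge input for slot 1


def walk_through() -> dict:
    """Enrol key A in slot 1, then try the cases the post describes."""
    dev = LuksSlots()
    dev.add(0, INSTALLER_PASSPHRASE)
    dev.add(1, ykluks_passphrase(MFA_PASSPHRASE, YK_A))      # yubikey-luks-enroll -s 1
    result = {
        "right_key_slot1": dev.open(ykluks_passphrase(MFA_PASSPHRASE, YK_A), key_slot=1),
        "other_key_slot1": dev.open(ykluks_passphrase(MFA_PASSPHRASE, YK_B), key_slot=1),
        "right_key_wrong_pass": dev.open(ykluks_passphrase("guess", YK_A), key_slot=1),
        # No key plugged in, crypttab entry without key-slot=: slot 0 still opens.
        "no_key_any_slot": dev.open(ykluks_passphrase(INSTALLER_PASSPHRASE)),
        # Same, but the entry pins key-slot=1: the passphrase-only slot is never tried.
        "no_key_slot1_only": dev.open(ykluks_passphrase(INSTALLER_PASSPHRASE), key_slot=1),
    }
    dev.kill(0)          # the "seal off" step from the external-device section
    result["no_key_after_kill"] = dev.open(ykluks_passphrase(INSTALLER_PASSPHRASE))
    result["right_key_after_kill"] = dev.open(ykluks_passphrase(MFA_PASSPHRASE, YK_A))
    return result


if __name__ == "__main__":
    for case, slot in walk_through().items():
        print(f"{case:22s} -> {'opens slot %d' % slot if slot is not None else 'rejected'}")
```

The run shows the outcomes that matter: a different YubiKey produces a different response and is rejected even with the right challenge passphrase; with no key present the keyscript passes the typed text through, so the installer passphrase still opens slot 0 unless the crypttab entry pins key-slot=1 or slot 0 has been killed. The real slot check runs the PBKDF and compares a digest rather than a string, but the slot-selection logic is the same.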
Now for the test!
You may test the MFA prompt by rebooting from the hard disk, or by opening the disk in its inactive state from another OS session (refer to the "Writing YubiKey MFA Protocol into Encrypted External/Removable Written Non-OS Data/Metadata/Information/File/Directory/Disk_Partition/Disk_Volume/Storage_Media_Device" subsection for the terminal command).
Reboot the MFA-encrypted hard disk in question.
The passphrase prompt should appear first.
Enter the passphrase for key slot 0.
On a correct entry, the MFA prompt appears after the passphrase prompt has authenticated.
Enter the challenge passphrase for key slot 1.
On a correct entry, the MFA prompt asks for verification.
Insert YubiKey MFA device in USB drive slot.
Enter the challenge passphrase for key slot 1 again.
The MFA prompt verifies the entries; the next step has to follow promptly while the prompt is waiting.
Press the inserted YubiKey MFA device button for MFA activation.
Press the inserted YubiKey MFA device button again for MFA input.
Hold YubiKey MFA device in USB drive slot until process is done.
The YubiKey MFA device should supply its own MFA value (its HMAC response) as the passphrase for slot 1.
If MFA decryption goes smoothly, you now reach the display manager of the hard disk's OS. Cool.
Where I hit rock bottom is getting the encrypted partition of the OS hard disk to work with its unencrypted partition counterparts. It's either that, or I missed something for correct MFA decryption. That said, I'd say that full encryption of the OS hard disk volume would be a better idea. The thing is that such a thing hardly exists in practice. I tried full encryption of a Hyperbola GNU/Linux-libre OS, but the GNU GRUB bootloader couldn't handle such a task, especially with the constraints of the GNU/Linux-libre kernel.
So there you have it, MFA encryption at its pit stop. The reason I posted my findings here rather than anywhere else is that I don't think the developers are exactly GNU/Linux compliant in standard. Plus, I might get some fine-tuning work done by letting Purism know of such progress. Maybe the problem is OS- or machine-specific? Who knows? Anyway, I know it's a half-baked find. I would wish to MFA-encrypt the inactive state of an OS hard disk. Maybe I asked for too much in a world full of surveillance?
With such a long post, I thought I'd share some break songs ('Carry on Wayward Son' and 'Free Bird').