This is the master branch of nixpkgs, initially pulled from commit 8debf2f9a63d54ae4f28994290437ba54c681c7b.
The intent of this repo is to be merged onto nixpkgs master. This will also be of help for https://git.suyu.dev/BoomMicrophone/suyu-nix-test,
which I will need for development (it will also be helpful to know what to do for setting up the environment for the master server. Currently I am focusing on this so I can actually see what is still missing).
This repo will be removed once the PR to the nixpkgs GitHub goes through.
407a770161
'YubiKey Integration for Full Disk Encryption Pre-Boot Authentication (Copyright) Yubico, 2011 Version: 1.1'.

Used binaries:
* uuidgen - for generation of random sequence numbers
* ykchalresp - for challenging a Yubikey
* ykinfo - to check if a Yubikey is plugged in at boot (fallback to passphrase authentication otherwise)
* openssl - for calculation of SHA-1, HMAC-SHA-1, as well as AES-256-CTR (de/en)cryption

Main differences to the specification mentioned above:
* No user management (yet), only one password+yubikey per LUKS device
* SHA-512 instead of CRC-16 for checksum

Main differences to the previous implementation:
* Instead of changing the key slot of the LUKS device each boot, the actual key for the LUKS device will be encrypted itself
* Since the response for the new challenge is now calculated locally with openssl, the MITM-USB-attack with which previously an attacker could obtain the new response (that was used as the new encryption key for the LUKS device) by listening to the Yubikey has ideally become useless (as long as uuidgen can successfully generate new random sequence numbers).

Remarks:
* This is not downwards compatible to the previous implementation

| Name |
|---|
| doc |
| lib |
| maintainers/scripts |
| nixos |
| pkgs |
| .gitignore |
| .version |
| COPYING |
| default.nix |
| README.md |