Full Disk Encryption with YubiKey

My reason for writing this utility is to support Full Disk Encryption using a hardware key like the YubiKey. Normally, the applications doing that pull in a pretty tall stack of code: a USB library, a smart card library, possibly an access broker for card readers, the actual card driver, plus a crypto library.

That is quite a lot, even if you're just considering a systemd-boot based scenario where you can copy your boot-time environment to the initrd. However, the amount of code you depend on becomes prohibitive if you think about adding this code to a boot loader like GRUB.

Fortunately, the actual code required to make this work is much smaller. It turns out that you can do it in 3167 LoC.

Goal for this Hackweek

Write a minimal utility that is capable of decrypting a small secret using a YubiKey device.


Status as of this week: A working demo exists; the code is available from https://github.com/okirch/utoken-decrypt


This project is part of:

Hack Week 22


  • over 1 year ago: okir started this project.
  • over 1 year ago: okir originated this project.

  • Comments

    • dmdiss
      over 1 year ago by dmdiss

      I really like how you bypassed libusb for this - should make porting to bootloaders a little less painful :)
