Tang/Clevis encrypted LUKS

Tang and Clevis can be used to unlock disks over the network. This post will not cover all possible ways to unlock LUKS devices. It will focus on unlocking devices over the network when both TPM2 and Tang are available. The disk can only be decrypted if it is still on the same mainboard (connected to the same TPM2 device) and if the Tang server is reachable. A more complex setup with multiple Tang servers is also possible. ...

January 17, 2026 · 3 min · 538 words

LUKS with FIDO2

In this blog post I will show how LUKS works perfectly with FIDO2 devices. You can learn how to set up a LUKS device and then switch from a password to a FIDO2 device. This ensures that not only a password is required but also a hardware device (security factors “Knowledge: Something you know” and “Possession: Something you have”). Test environment setup: First we will set up a small test environment. Let’s create a small new (virtual) disk. ...

September 17, 2025 · 8 min · 1503 words

GnuPG Smartcard

I recently had to deal with a bunch of YubiKeys. I wanted to reuse them for another purpose and therefore I wanted to factory reset them. This post won’t describe how to factory reset the whole YubiKey. YubiKeys have multiple parts, e.g. slot 1 and 2 and a Smart Card (PIV). In this post you can learn how to reset the Smart Card (PIV) and how to generate and flash a new OpenPGP key. ...

January 5, 2024 · 8 min · 1615 words