The following instructions enable 2FA via YubiKey challenge-response for a Debian root on natively encrypted ZFS.
For general setup please follow the instructions in the OpenZFS Documentation.
Install management tools.
$ apt install yubikey-manager yubikey-personalization
Set up slot 2 in challenge-response mode with a generated key and enable touch to generate a response.
$ ykman otp chalresp --touch --generate 2
Create the zfs-initramfs hook /etc/zfs/initramfs-tools-load-key.

# Sourced by /usr/share/initramfs-tools/scripts/zfs when the root dataset's key
# is unavailable; $ZFS and $ENCRYPTIONROOT are set by that script.
trap 'stty echo' INT       # restore terminal echo if the prompt is interrupted
stty -echo                 # do not echo the challenge while it is typed
printf "ZFS rpool challenge: "
read -r CHALLENGE
stty echo
printf "\n"
# Feed the challenge to slot 2 and pipe the HMAC response in as the passphrase.
echo "$CHALLENGE" | ykchalresp -2 -i- | $ZFS load-key "${ENCRYPTIONROOT}"

Create the initramfs-tools hook /etc/initramfs-tools/hooks/yubikey-zfs
#!/bin/sh
set -e
PREREQ="zfs-initramfs"
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
# copy_exec copies the binaries and the shared libraries they link against into the initramfs.
copy_exec /usr/bin/ykchalresp
copy_exec /usr/bin/ykinfo
exit 0

$ update-initramfs -u -v

# CHALLENGE holds the same challenge you will type at boot.
$ echo "$CHALLENGE" | ykchalresp -2 -i- | zfs change-key rpool
I regret your setup will not work.
I checked the related zfs-initramfs script /usr/share/initramfs-tools/scripts/zfs; if it doesn't find the encryptionroot from the zfs dataset presented in the kernel cmdline option root=ZFS=rpool/ROOT/debian, it will not run the above hook. Put simply, the entire pool must be encrypted.
For further info see /usr/share/doc/zfs-initramfs-2.3.3/README.md.gz.
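A pre-flight check that covers both the procedure above and the objection in this reply, written for this thread as an added example (it is not code from either poster or from the OpenZFS project): it reads the root=ZFS= dataset from the kernel command line, asks zfs whether that dataset has an encryptionroot (the condition the reply describes for the hook being reached at all) and whether its keyformat and keylocation are passphrase and prompt (which the hook's pipe into zfs load-key relies on), and confirms the two hook files and the two binaries the hook copies are present. File paths are the ones used in the thread; the script name zfs-yubikey-preflight.sh and the exit codes are assumptions of this example. The checks run only when the file is executed under that name, so it can also be sourced just for its functions.

```sh
#!/bin/sh
# zfs-yubikey-preflight.sh: added example for this thread, not code from either
# poster or from OpenZFS. Checks, before rebooting, that the YubiKey load-key hook
# described above will actually be reached and that its pipeline can succeed.

# Print the dataset named by root=ZFS=<dataset> in a kernel command line.
# Returns 1 (and prints nothing) when the option is absent.
root_dataset_from_cmdline() {
    for arg in $1; do                       # word-split the command line on purpose
        case "$arg" in
            root=ZFS=*) printf '%s\n' "${arg#root=ZFS=}"; return 0 ;;
        esac
    done
    return 1
}

# Given the values of encryptionroot, keyformat and keylocation for the root
# dataset, decide whether the hook will run and its pipe into 'zfs load-key'
# can work. Exit codes (an assumption of this example):
#   0 ok; 1 dataset not encrypted (scripts/zfs skips the hook entirely);
#   2 keyformat is not passphrase (the hex response is not a raw/hex key);
#   3 keylocation is not prompt (zfs load-key would read the keyfile, not stdin).
hook_will_run() {
    encroot=$1; keyformat=$2; keylocation=$3
    if [ -z "$encroot" ] || [ "$encroot" = "-" ]; then return 1; fi
    [ "$keyformat" = "passphrase" ] || return 2
    [ "$keylocation" = "prompt" ] || return 3
    return 0
}

# Report whether a path exists (and, when the second argument is x, is executable).
check_path() {
    if [ -e "$1" ] && { [ "$2" != x ] || [ -x "$1" ]; }; then
        echo "ok:      $1"
    else
        echo "MISSING: $1"; return 1
    fi
}

main() {
    status=0
    ds=$(root_dataset_from_cmdline "$(cat /proc/cmdline)") || {
        echo "no root=ZFS=<dataset> on the kernel command line"; return 1
    }
    echo "root dataset: $ds"
    # One value per line, in the order requested; word splitting turns them into $1 $2 $3.
    set -- $(zfs get -H -o value encryptionroot,keyformat,keylocation "$ds" 2>/dev/null)
    hook_will_run "$1" "$2" "$3"
    case $? in
        0) echo "ok:      encryptionroot=$1 keyformat=$2 keylocation=$3" ;;
        1) echo "FAIL:    $ds has no encryptionroot; the load-key hook will never be sourced"; status=1 ;;
        2) echo "FAIL:    keyformat is '$2'; the hook only works with keyformat=passphrase"; status=1 ;;
        3) echo "FAIL:    keylocation is '$3'; zfs load-key would not read the response from stdin"; status=1 ;;
    esac
    check_path /etc/zfs/initramfs-tools-load-key        || status=1
    check_path /etc/initramfs-tools/hooks/yubikey-zfs x  || status=1
    check_path /usr/bin/ykchalresp x                     || status=1
    check_path /usr/bin/ykinfo x                         || status=1
    return $status
}

# Only run the checks when executed by name; sourcing the file just defines the functions.
case "${0##*/}" in
    zfs-yubikey-preflight.sh) main; exit $? ;;
esac
```

Run it as root with `sh zfs-yubikey-preflight.sh` after `update-initramfs -u -v` and before rebooting; a non-zero exit means one of the listed conditions fails and the boot would fall through to whatever the zfs initramfs script does without the hook.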