Yubico Forum

Posted: Sun Aug 31, 2014 9:14 pm
I'd like to encrypt my Mac but I'm also a bit concerned about whether or not it will even work... (The latest post I can find on Yubico support boards is from 6 months ago.)

Can this be done yet? If so, could Yubico produce an EXPLICITLY DETAILED instruction set? (I only ask for explicit instructions because 6-9 months ago I tried this and nearly lost access to all my data. Rather than me figuring this one out on my own (via several calls to Yubico tech support), I'd think a runbook would be the easiest/best path for Yubico customers. I can't be the only person who wants to do this...)


Posted: Tue Nov 04, 2014 4:04 pm
I would also like to see this.
However, I cannot see how this would be implemented. A Mac can have a network connection before booting an encrypted drive, but I think that it is not available for users to play with, and is probably only available for remote booting and so on.
Do note that this is plain speculation on my part. For some reason storing a static password in one slot of the YubiKey and decrypting the drive that way does not work for me but has been reported to work, so that could be one option for you.
It's always a good thing to let Apple know that support for YubiKey should be implemented in the OS, so don't forget to mail them and let them know.

And remember: anyone who thinks that they are too small to make a difference has never tried to fall asleep with a mosquito in the room :-)


Posted: Mon Nov 10, 2014 11:21 am
It is quite easy to set up your YubiKey with FileVault in OS X. You just use a static password, preferably in combination with a short password you remember, to create something similar to 2-factor.

Only thing that is very important is that you change the speed of the yubikey to 40ms otherwise the pre-boot authentication does not work. You can do that in the settings or tools tab of the personalization tool.


Posted: Mon Nov 24, 2014 1:48 pm
mortenbendtsen wrote:
just use a static password preferably in combination with a short password you remember to create something similar to 2-factor.


Thank you sir! That is awesome, I had not realized this. I was kind of disappointed that I was forced to use a static password to unlock FileVault2, but with your idea I can use a static password, remove the enter key and just add my own short one on the end of it. That is great! Now I don't need to be afraid to lose my YubiKeys :-D


Posted: Mon Nov 24, 2014 1:51 pm
skitapa wrote:
mortenbendtsen wrote:
just use a static password preferably in combination with a short password you remember to create something similar to 2-factor.


Thank you sir! That is awesome, I had not realized this. I was kind of disappointed that I was forced to use a static password to unlock FileVault2, but with your idea I can use a static password, remove the enter key and just add my own short one on the end of it. That is great! Now I don't need to be afraid to lose my YubiKeys :-D


Personally I keep the enter at the end and add my own short password at the beginning of the password, but that is a matter of preference.


Posted: Fri Mar 13, 2015 3:12 pm
IMO using static password with Yubikey completely defeats security

IF you just use the static password, insert the Yubikey during boot, press the key, then put it back on your keychain, it could have some benefit (like having a much longer/harder to crack password)

BUT

IF you use the YubiKey for anything else, you are bound to hit it from time to time, pasting your password into whatever you're doing (like your terminal, where it will show up in .bash_history unless erased) - this allows the password to show up in keyloggers, history, remote servers - wherever it ends...

It's a convenience feature, replaceable by a BatteryHorseStaplePassword easily.

What would make sense is using the smartcard component to store the private key for the FDE encryption.
With FileVault, this is impossible by design as the private key is stored on the drive and encrypted with passwords, but it "could" be possible to encrypt this private key with yubikey's key, thus having no password at all, and cracking key encryption is much harder (IMO?) than cracking a password for a key.
- This is however impossible at the moment, and would likely need support built-into the EFI firmware from Apple.

A different story is with encrypted images - those can be encrypted with a keychain-backed key, so you could use a Yubikey as a smartcard to protect some of your data - it's not FDE though so usability and security will suffer, but not by that much.


Posted: Wed Jul 08, 2015 11:41 am
Hi all,

We use slot 2 with a static key, which is generated randomly at whatever length you need.

We then use this as dual authentication to allow users to login and unlock their screen saver.

While the static token isn't ideal, it is needed, as the authentication mechanism needs to know what the key is to allow 2-factor authentication to work. Also, if you use FileVault on a Mac or another encrypted platform, the token is securely locked away until the user un-encrypts the drive.

I am currently looking at how we can use the static token to unlock FileVault as well.


Posted: Wed Jul 08, 2015 12:48 pm
OK, so after applying my brain for more than 2 seconds I realised that it's not possible to get the YubiKey to unlock FileVault, as the entire disk is encrypted.

As this is Apple, there is also no public TPM in which you can store key data etc., therefore I do not believe that it is possible at present to achieve this.

