kiljoy001/yubikey-encrypt
YubiKey-Encrypt

Hardware-backed file encryption using YubiKey and TPM 2.0

Overview

YubiKey-Encrypt provides unbreakable file encryption by combining:

  • TPM 2.0 hardware random number generation
  • YubiKey challenge-response authentication
  • AES-256-CBC encryption
  • Automatic cloud backup support

Your files remain encrypted at rest, requiring physical possession of your YubiKey to decrypt.

Features

  • 🔐 Hardware-backed security (no passwords to remember)
  • 🎲 TPM-generated cryptographic challenges
  • 🔑 YubiKey challenge-response authentication
  • ☁️ Automatic backup to Dropbox/Google Drive
  • 🔄 Multi-YubiKey support for redundancy
  • 🗑️ Secure memory handling (uses /dev/shm)
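The "uses /dev/shm" feature above refers to keeping the derived AES key on tmpfs rather than on disk for the moment openssl needs it. The following is an added example written for this README, not code from the project's scripts: it shows the pattern in Python standard library calls (create the key file 0600 on /dev/shm when available, overwrite it, then unlink it). The fallback to the default temp directory and the function names are this example's own choices.

```python
"""Transient key handling on tmpfs (added example, not the project's code)."""
import os
import tempfile

SHM_DIR = "/dev/shm"


def secure_key_dir() -> str:
    # Prefer tmpfs so the key never reaches persistent storage; fall back to
    # the ordinary temp dir only where /dev/shm is absent or not writable.
    if os.path.isdir(SHM_DIR) and os.access(SHM_DIR, os.W_OK):
        return SHM_DIR
    return tempfile.gettempdir()


def write_transient_key(key: bytes) -> str:
    """Write `key` to a fresh 0600 file and return its path."""
    fd, path = tempfile.mkstemp(prefix="yubikey-aes-", dir=secure_key_dir())
    try:
        os.fchmod(fd, 0o600)  # mkstemp already uses 0600; made explicit here
        os.write(fd, key)
    finally:
        os.close(fd)
    return path


def destroy_transient_key(path: str) -> bool:
    """Overwrite the file with zeros, then unlink it.

    On tmpfs the overwrite really replaces the bytes in RAM; on a journaling
    disk it is best effort only, which is the reason /dev/shm is preferred.
    Returns False if the file was already gone.
    """
    try:
        size = os.path.getsize(path)
        with open(path, "r+b") as fh:
            fh.write(b"\x00" * size)
            fh.flush()
            os.fsync(fh.fileno())
        os.unlink(path)
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    p = write_transient_key(b"\x42" * 32)  # constructed sample key
    print("key written to", p)
    print("destroyed:", destroy_transient_key(p))
```

A script that drives openssl would call write_transient_key just before `openssl enc ... -pass file:<path>` and destroy_transient_key immediately afterwards, ideally from a trap so the cleanup also runs on error.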

Requirements

  • YubiKey with challenge-response configured in slot 2
  • TPM 2.0 chip (standard on most modern laptops)
  • Linux with tpm2-tools installed
  • OpenSSL
  • yubikey-manager (ykman)

Installation

# Install dependencies
sudo apt install tpm2-tools yubikey-manager openssl

# Clone repository
git clone https://github.com/yourusername/yubikey-encrypt
cd yubikey-encrypt

# Make scripts executable
chmod +x yubikey-encrypt.sh yubikey-decrypt.sh

YubiKey Setup

Configure challenge-response in slot 2:

# Generate new secret
ykman otp chalresp -2 --touch --generate

# Or set specific secret (for backup YubiKey)
ykman otp chalresp -2 --touch [your-hex-secret]

Usage

Encrypt a file

# Basic encryption
./yubikey-encrypt.sh secret.txt

# With cloud backup
./yubikey-encrypt.sh -c dropbox secret.txt

# Custom output name
./yubikey-encrypt.sh -o backup.enc secret.txt

Decrypt a file

# Local file
./yubikey-decrypt.sh secret.txt.enc challenge.bin

# From cloud
./yubikey-decrypt.sh dropbox:secret.txt.enc

# With specific YubiKey (multi-key setup)
./yubikey-decrypt.sh -k aes_key.yubikey2 secret.txt.enc challenge.bin

Multi-YubiKey Setup

For redundancy with multiple YubiKeys:

  1. Configure a different secret on each YubiKey
  2. Run the multi-key encryption script and follow the prompts for each YubiKey:

./encrypt-multi-yubikey.sh wallet.dat
# Follow prompts to encrypt with each YubiKey

Either YubiKey can then decrypt the files independently.

How It Works

  1. Challenge Generation: TPM generates 32 bytes of hardware randomness
  2. Key Derivation: YubiKey computes an HMAC-SHA1 response to the challenge; the AES key is derived from that response
  3. Encryption: OpenSSL encrypts file with derived key using AES-256-CBC
  4. Storage: Encrypted file + challenge saved (challenge is public, safe to store)
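The four steps above, and the multi-YubiKey setup described earlier, are modelled below in an added example written for this README (it is not the project's shell scripts). It uses only the Python standard library, so the YubiKey is simulated in software: the slot-2 secret is a constructed 20-byte value and the response is computed as HMAC-SHA1 over the challenge, which is what a slot programmed in the default variable-length mode returns. Two details are this example's assumptions, because the README does not state them: the challenge comes from os.urandom as a stand-in for the TPM, and the 20-byte HMAC-SHA1 response is stretched to a 32-byte AES-256 key by hashing it with SHA-256. The AES-256-CBC step itself is left to openssl, exactly as the README describes.

```python
"""Challenge -> YubiKey HMAC-SHA1 response -> AES-256 key (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List

CHALLENGE_LEN = 32        # README: the TPM generates 32 bytes of randomness
YUBIKEY_SECRET_LEN = 20   # a YubiKey HMAC-SHA1 slot secret is 20 bytes
AES256_KEY_LEN = 32


def tpm_challenge() -> bytes:
    # Stand-in for `tpm2_getrandom 32` (assumption): os.urandom is the OS
    # CSPRNG, not the TPM, so the real scripts are not reproduced here.
    return os.urandom(CHALLENGE_LEN)


def yubikey_response(secret: bytes, challenge: bytes) -> bytes:
    """Simulate the slot-2 HMAC-SHA1 challenge-response.

    On hardware the secret never leaves the key and the response comes
    from `ykman otp calculate 2 <challenge-hex>`; here it is computed in
    software so the example runs offline.
    """
    if len(secret) != YUBIKEY_SECRET_LEN:
        raise ValueError("YubiKey HMAC-SHA1 secret must be 20 bytes")
    if not 1 <= len(challenge) <= 64:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_aes256_key(response: bytes) -> bytes:
    # Assumption for this example: the 20-byte response is expanded to a
    # 32-byte AES-256 key with SHA-256. The README does not say how the
    # scripts perform this step.
    return hashlib.sha256(response).digest()


def key_from_yubikey(secret: bytes, challenge: bytes) -> bytes:
    """Encrypt and decrypt sides both run this; only the challenge is stored."""
    return derive_aes256_key(yubikey_response(secret, challenge))


def multi_key_bundle(secrets: List[bytes]) -> List[Dict[str, bytes]]:
    """Multi-YubiKey setup: an independent challenge and key per YubiKey.

    Each entry mirrors one aes_key.yubikeyN file from the README; the file
    is encrypted once per entry and any single YubiKey can decrypt its own.
    """
    bundle = []
    for idx, secret in enumerate(secrets, start=1):
        challenge = tpm_challenge()
        bundle.append({
            "name": f"yubikey{idx}".encode(),
            "challenge": challenge,                        # public, stored
            "key": key_from_yubikey(secret, challenge),    # transient
        })
    return bundle


def can_decrypt(entry: Dict[str, bytes], secret: bytes) -> bool:
    """True if a YubiKey holding `secret` reproduces this entry's key."""
    return hmac.compare_digest(key_from_yubikey(secret, entry["challenge"]),
                               entry["key"])


if __name__ == "__main__":
    # Constructed secrets standing in for two programmed YubiKeys.
    key_a, key_b = b"\x01" * 20, b"\x02" * 20
    bundle = multi_key_bundle([key_a, key_b])
    for entry in bundle:
        print(entry["name"].decode(), "challenge", entry["challenge"].hex())
    print("key A opens entry 1:", can_decrypt(bundle[0], key_a))
    print("key B opens entry 1:", can_decrypt(bundle[1], key_a))
```

The point the example makes concrete is the "challenge is public, safe to store" claim: without the slot secret, the stored challenge yields nothing, and each YubiKey in a multi-key bundle reproduces only the key derived from its own challenge.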

Security Model

  • Something you have: Physical YubiKey required
  • Hardware-backed: Keys never exist in software
  • Tamper-resistant: YubiKey locks after 8 wrong attempts
  • Quantum-resistant: AES-256 provides 128-bit quantum security

Examples

Encrypt cryptocurrency wallet

./yubikey-encrypt.sh -c dropbox wallet.dat
# Creates: wallet.dat.enc, challenge.bin
# Backs up to: ~/Dropbox/yubikey-encrypted/

Encrypt directory

tar -czf backup.tar.gz important-files/
./yubikey-encrypt.sh backup.tar.gz
rm backup.tar.gz  # Original can be deleted

Automated backups

# Add to crontab
0 2 * * * /path/to/yubikey-encrypt.sh -c gdrive /home/user/documents.tar

Troubleshooting

"No YubiKey present"

  • Ensure YubiKey is inserted
  • Check USB connection
  • Verify with: ykman list

"YubiKey core error"

  • Slot 2 not configured: ykman otp info
  • Configure with: ykman otp chalresp -2 --generate

"TPM error"

  • Check TPM enabled in BIOS
  • Verify with: ls /dev/tpm*
  • May need: sudo usermod -a -G tss $USER

License

MIT License - See LICENSE file

Contributing

Pull requests welcome! Please ensure:

  • Scripts pass shellcheck
  • Documentation updated
  • Tested on Ubuntu/Debian

Security Considerations

  • Keep challenge.bin with encrypted files (both needed for decryption)
  • YubiKey secret cannot be extracted
  • Lost YubiKey = lost data (use multi-key setup for critical files)
  • No backdoors - even we cannot decrypt your files

Author

Created for secure credential storage in the Brunnen-G project.

About

Encrypt your files using a tpm2 generated challenge file.
