Guideline for adding YubiKey support to FDE products
Full-Disk-Encryption (FDE) technology protects data at rest by transparently (to the user) encrypting, at a low level, all data stored on the hard drive of a protected computer, and is considered the most complete protection for such data.
Most FDE solutions implement a Pre-Boot Authentication (PBA) environment, frequently a hardened, network-isolated, lightweight operating system kernel, to which the user must successfully authenticate at boot time. Only then is the key recreated and provided to the encryption driver or to the self-encrypting disk so that the normal host operating system can start.
There are various two-factor authentication options available in commercial FDE products. However, most of them require the installation of additional hardware, such as smart card readers, and/or special drivers.
The YubiKey, on the other hand, is simple to use and has the following distinct advantages:
- Does not require any additional hardware to be installed
- Uses a standard USB port, which is virtually ubiquitous on the personal computers in use today
- YubiKey in Challenge/Response mode does not require network access in the pre-boot environment
The document linked below shows how YubiKey two-factor authentication in Challenge/Response mode can be implemented to work seamlessly in FDE products.
YubiKey in FDE - Implementation Guideline
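To make the pre-boot flow concrete, here is an added illustration (not code from the linked guideline or from any product) of how a PBA can combine a passphrase with the YubiKey's HMAC-SHA1 challenge/response slot to unwrap the disk key without any network access. The YubiKey is simulated by a class holding the slot's 20-byte secret; the header layout, the PBKDF2 parameters and the XOR-plus-HMAC wrapping are assumptions made for the example, not a description of any vendor's format.

```python
import hashlib
import hmac
import secrets


# Stand-in for the YubiKey's HMAC-SHA1 challenge/response slot (assumed simulation):
# a 20-byte secret is programmed into the slot and never leaves the device.
class SimulatedYubiKey:
    def __init__(self, slot_secret: bytes):
        if len(slot_secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret is 20 bytes")
        self._secret = slot_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def _kek(passphrase: str, response: bytes, salt: bytes) -> bytes:
    # Both factors feed the key-encryption key: the passphrase (something you know)
    # and the YubiKey response (something you have). Iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode() + response, salt, 50_000, 32)


def enroll(passphrase: str, yk: SimulatedYubiKey) -> tuple[dict, bytes]:
    """Build a PBA header: random challenge, salt, wrapped disk key and integrity tag."""
    disk_key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)   # stored in the header, sent to the key at boot
    salt = secrets.token_bytes(16)
    kek = _kek(passphrase, yk.challenge_response(challenge), salt)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, kek))   # simple XOR wrap for illustration
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()   # detects a wrong KEK on unlock
    return {"challenge": challenge, "salt": salt, "wrapped": wrapped, "tag": tag}, disk_key


def unlock(passphrase: str, yk: SimulatedYubiKey, header: dict):
    """Pre-boot unlock: recompute the KEK and unwrap; returns None if either factor is wrong."""
    kek = _kek(passphrase, yk.challenge_response(header["challenge"]), header["salt"])
    expected = hmac.new(kek, header["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped"], kek))


if __name__ == "__main__":
    yk = SimulatedYubiKey(secrets.token_bytes(20))
    header, key = enroll("correct horse", yk)
    assert unlock("correct horse", yk, header) == key
    assert unlock("wrong passphrase", yk, header) is None
    assert unlock("correct horse", SimulatedYubiKey(secrets.token_bytes(20)), header) is None
```

The header holds nothing that reveals the disk key on its own: recovering it requires both the passphrase and a response that only the enrolled YubiKey can compute.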
