diff --git a/book/arch/02-prepare-disk.md b/book/arch/02-prepare-disk.md index a42454c..bc5fbf2 100644 --- a/book/arch/02-prepare-disk.md +++ b/book/arch/02-prepare-disk.md @@ -20,7 +20,8 @@ Number Start (sector) End (sector) Size Code Name 4 2461696 2000409230 952.7 GiB 8E00 Linux LVM ``` -The second partition contains the EFI System and must be of type FAT32. Format the second partition e.g. `/dev/nvme0n1p2` with: +The second partition contains the EFI System and must be of type FAT32. +Format the second partition (replace `[device 2nd partition]` with the 2nd partition of your device e.g. `/dev/nvme0n1p2`) with: ``` mkfs.fat -F32 /dev/[device 2nd partition] diff --git a/book/arch/03-prepare-yubikey.md b/book/arch/03-prepare-yubikey.md index bfef8b1..19a6f87 100644 --- a/book/arch/03-prepare-yubikey.md +++ b/book/arch/03-prepare-yubikey.md @@ -1,7 +1,7 @@ # Prepare YubiKey Download or mount [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) and install it -in your Arch Linux Live environment. This is needed because we will format the 4rd partition with YubiKey. +in your Arch Linux Live environment. This is needed because we will format the 4th partition with YubiKey. ## Installation Open the *yubikey-full-disk-encryption* folder and run `make`. @@ -13,7 +13,7 @@ make install ## Prepare 2nd slot -Now it's time prepare the second slot of our YubiKey for the challenge response authentication. Touch will be also enabled. +Now it's time to prepare the second slot of our YubiKey for the challenge response authentication. Touch will be also enabled. ``` ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible 
@@ -21,10 +21,10 @@ ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial ## Configure ykfde Open `/etc/ykfde.conf` and set `YKFDE_CHALLENGE_SLOT=2` because we want to use the second slot. -Set `YKFDE_CHALLENGE_PASSWORD_NEEDED=1` so it asks for the password (2FA). Feel free to modify it tou your needs -e.g. enable TRIM (but be warned, there are potential security implications) support. +Set `YKFDE_CHALLENGE_PASSWORD_NEEDED=1` so it asks for the password (2FA). Leave other settings as is, it will be changed +later. -> Please compare it carefully with the latest version you have downloaded. +> Please compare it carefully with the latest version you have downloaded. ```ini # Configuration for yubikey-full-disk-encryption. ("") means an empty value. @@ -70,10 +70,10 @@ YKFDE_CHALLENGE_SLOT="2" ## Encrypt 4th partition Next step is to format the 4th partition. You can modify the arguments if you know what you are doing. -> Ensure that you use the 4th partition, replace `[device 4rd partition]` with e.g. `nvme0n1p4` +> Ensure that you use the 4th partition, replace `[device 4th partition]` with the 4th partition of your device e.g. `nvme0n1p4` ``` -ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/[device 4rd partition] +ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/[device 4th partition] ykfde-open -d /dev/[device 4th partition] -n cryptlvm ``` diff --git a/book/arch/04-prepare-volumes.md b/book/arch/04-prepare-volumes.md index eafd799..b8495ef 100644 --- a/book/arch/04-prepare-volumes.md +++ b/book/arch/04-prepare-volumes.md 
@@ -20,13 +20,13 @@ mkdir /mnt/home mount /dev/MyVolGroup/home /mnt/home ``` -## Encrypted `/boot` partition +## Encrypted boot partition -The last volume is `/boot` which should also be encrypted. We can not use a YubiKey here, but it is protected with a password. +The last volume is `/boot` which should also be encrypted. You can not use a YubiKey here, but it is protected with a password. The Arch Wiki page [Preparing the boot partition](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_boot_partition_5 "Preparing the boot partition") describes this in more detail. The `efi` partition will be mounted to `/boot/efi`. -> Be aware, GRUB boot loader uses US keyboad layout. Consider this for your password! +> Be aware, GRUB boot loader uses US keyboard layout. Consider this for your password! Execute the following commands and replace `[device 3rd partition]` with the 3rd partition of your device e.g. `nvme0n1p3` and replace `[device 2nd partition]` with the 2nd partition of your device e.g. `nvme0n1p2`. 
@@ -48,9 +48,10 @@ mount /dev/[device 2nd partition] /mnt/boot/efi ## Keyfile for initramfs [With a keyfile embedded in the initramfs](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs "With a keyfile embedded in the initramfs") -we don't have to unlock the `/boot` partition twice. The `/boot` partition will be mounted if the system starts, so updates can be performed. +you don't have to unlock the `/boot` partition twice. The `/boot` partition will be mounted if the system starts, so updates can be performed. -Create a randomized generated key file with the following lines and add this keyfile to the 3rd LUKS partition (replace `[device 3rd partition]` with e.g. `nvme0n1p3`). +Create a randomized generated key file with the following lines and add this keyfile to the 3rd LUKS partition (replace `[device 3rd partition]` with the 3rd partition of your device e.g. `nvme0n1p3`). +The keyfile is copied in the root folder of the new Arch linux environment. ``` dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin diff --git a/book/arch/05-install-arch.md b/book/arch/05-install-arch.md index 6ae93d2..833aed5 100644 --- a/book/arch/05-install-arch.md +++ b/book/arch/05-install-arch.md @@ -28,12 +28,12 @@ available inside the new system. More on that later. ``` cp -r yubikey-full-disk-encryption /mnt/home/ -echo "export YKFDE_CHALLENGE=$YKFDE_CHALLENGE" > /mnt/home/challenge.txt +echo "export YKFDE_CHALLENGE=$(printf [Your YubiKey password] | sha256sum | awk '{print $1}')" > /mnt/home/challenge.txt ``` Copy `/etc/ykde.conf` to `/mnt/home` so you can use this file later in your new environment. -## Mount `/run` +## Mount run When running `grub-mkconfig` you will see the error `/run/lvm/lvmetad.socket: connect failed: No such file or directory`. That's why the host `/run` folder must be available inside the `chroot` environment. This is prepared with the following 
@@ -65,7 +65,7 @@ make install Copy `/home/ykde.conf` to `/etc/ykde.conf` so you have your previous settings or configure the file as described in [chapter 3 - Prepare YubiKey](03-prepare-yubikey.md). The YubiKey challenge will now be stored in the `ykde.conf` file. The environment variable with the YubiKey challenge is loaded into the environment so it can be set -into the `ykde.conf` file with the command `sed`. +into the `ykde.conf` file with the command `sed`. ``` source /home/challenge.txt @@ -80,7 +80,6 @@ The next step is to prepare the `mkinitcpio.conf` to encrypt the partition at bo > Don't add `encrypt` hook, because we ues ykfde !!! - ``` HOOKS=(base udev autodetect consolefont modconf block keymap lvm2 filesystems fsck keyboard ykfde) ``` 
@@ -146,6 +145,54 @@ It should look like this with your UUID of the 3rd partition. cryptboot UUID=434a512a-1b76-449e-8cb0-f93aee46e85c /crypto_keyfile.bin luks ``` +## Configure ykde.conf +Open the file with `vi /etc/ykde.conf` and enable/set `YKFDE_LUKS_NAME="cryptlvm"` and `YKFDE_DISK_UUID=[4th partition UUID]` +(replace `[4th partition UUID]` with the UUID of the 4th partition e.g. `a86c6534-6643-4afa-b3ae-c78a0a5dc50f`). +Feel free to modify it to your needs e.g. enable TRIM (but be warned, there are potential security implications) support. +It should look something like this + +```ini +# Configuration for yubikey-full-disk-encryption. ("") means an empty value. + +### *REQUIRED* ### + +# Set to non-empty value to use 'Automatic mode with stored challenge (1FA)'. +YKFDE_CHALLENGE="8fa0acf6233b92d2d48a30a315cd213748d48f28eaa63d7590509392316b3016" + +# Use 'Manual mode with secret challenge (2FA)'. +YKFDE_CHALLENGE_PASSWORD_NEEDED="1" + +# Choose YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode. Possible values are "1" or "2". +YKFDE_CHALLENGE_SLOT="2" + +### OPTIONAL ### + +# Set partition UUID. Leave empty to use 'cryptdevice' kernel parameter. +YKFDE_DISK_UUID="a86c6534-6643-4afa-b3ae-c78a0a5dc50f" + +# Set LUKS encrypted volume name. Leave empty to use 'cryptdevice' kernel parameter. +YKFDE_LUKS_NAME="cryptlvm" + +# If left empty this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID" -- device to unlock with 'cryptsetup luksOpen'. +#YKFDE_LUKS_DEV="" + +# Optional flags passed to 'cryptsetup luksOpen'. Example: "--allow-discards" for TRIM support. Leave empty to use cryptdevice kernel parameter. +#YKFDE_LUKS_OPTIONS="" + +# Number of times to assemble passphrase and run 'cryptsetup luksOpen'. Defaults to "5". +#YKFDE_CRYPTSETUP_TRIALS="5" + +# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'. Defaults to "30". 
+#YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30" + +# Number of seconds passed to 'sleep' after succesful decryption. Defaults to empty, meaning NO sleep. +#YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP="" + +# Enable verbose output. It will print all secrets to terminal. Use only for debugging. +#DBG="1" +``` + +## Test it It's time to check you settings with a graceful reboot. If you have done all things right you will be asked for your boot parition password to see the GRUB boot menu and after that the YubiKey password with YubiKey touch button to unlock the root partition.
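Review bot: in the `02-prepare-disk.md` hunk the new sentence tells the reader to replace `[device 2nd partition]` with e.g. `/dev/nvme0n1p2`, but the command that follows is `mkfs.fat -F32 /dev/[device 2nd partition]`, so a literal substitution produces `/dev//dev/nvme0n1p2`. Use the bare partition name (`nvme0n1p2`) as the example, which is what the `03-prepare-yubikey.md` and `04-prepare-volumes.md` hunks already do. The first sentence also conflates partition type with filesystem: the partition's type is EFI System, and FAT32 is the filesystem that `mkfs.fat -F32` creates on it; "must be formatted as FAT32" is the accurate wording.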
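Review bot: the replacement sentence in the `Configure ykfde` hunk of `03-prepare-yubikey.md`, "Leave other settings as is, it will be changed later.", is ungrammatical and does not say where "later" is; since the new `Configure ykde.conf` section in `05-install-arch.md` is where `YKFDE_LUKS_NAME`, `YKFDE_DISK_UUID` and the optional TRIM flag get set, suggest "Leave the other settings as they are; they are changed in chapter 5 after the base system is installed." Note also that the `> Please compare it carefully ...` line in this hunk differs only in trailing whitespace.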
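Review bot: in the `Keyfile for initramfs` hunk of `04-prepare-volumes.md`, "randomized generated key file" should read "randomly generated keyfile", and the added sentence should be "The keyfile is copied to the root directory of the new Arch Linux environment." More importantly, the visible `dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin` creates the keyfile with the shell's default umask and nothing in the hunk restricts it; a file that unlocks the `/boot` LUKS container should be created under `umask 077` or followed by `chmod 000 /mnt/crypto_keyfile.bin`, and the initramfs images that later embed it (the `cryptboot UUID=... /crypto_keyfile.bin luks` crypttab line in `05-install-arch.md`) need to be readable by root only, otherwise any local user can extract the key from the image.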
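Review bot: the new `echo "export YKFDE_CHALLENGE=$(printf [Your YubiKey password] | sha256sum | awk '{print $1}')" > /mnt/home/challenge.txt` line in the first `05-install-arch.md` hunk has three problems. `printf` treats its first argument as a format string, so a password containing `%` or `\` is mangled and one containing spaces is split into several arguments; write `printf '%s' '[Your YubiKey password]'`. The password is now typed on the command line of the live environment, so it lands in shell history and is visible in process listings while the pipeline runs; the removed form reused a variable already in the environment and avoided that, so either keep that form or read the password with `read -rs` and document clearing the history. Finally, `challenge.txt` is written with the default umask into `/mnt/home`, which persists into the installed system; the text should say when to delete it. In the same hunk, the heading change from "Mount `/run`" to "Mount run" loses the path the paragraph below refers to; if backticks in headings are the issue, "Mount the run directory" keeps the meaning.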
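Review bot: the second `05-install-arch.md` hunk (and the surrounding context, the first hunk's "Copy `/etc/ykde.conf`" and the new "Configure ykde.conf" heading) uses `ykde.conf`, while the `03-prepare-yubikey.md` hunk uses `/etc/ykfde.conf`; the two spellings cannot both be right, and since the tool and its variables are all `ykfde`, the `f`-less form looks like a typo that should be fixed everywhere it appears. This hunk itself is a trailing-whitespace change only, so it is a natural place to fix the name while touching the line.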
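Review bot: the third `05-install-arch.md` hunk removes a blank line directly under `> Don't add `encrypt` hook, because we ues ykfde !!!`, but leaves the typo "ues" in place; since the hunk already touches this spot, change it to "because we use ykfde" and consider dropping the triple exclamation mark.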
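Review bot: in the new `Configure ykde.conf` section of `05-install-arch.md`, the prose writes `YKFDE_DISK_UUID=[4th partition UUID]` unquoted while the example block shows `YKFDE_DISK_UUID="a86c6534-6643-4afa-b3ae-c78a0a5dc50f"`; show the quoted form in the prose so a copy-paste matches the file. The sentence "Feel free to modify it to your needs e.g. enable TRIM (but be warned, there are potential security implications) support." splits "TRIM support" around a parenthesis; suggest "e.g. enable TRIM support (be aware that this has security implications)". The added comment line `# Number of seconds passed to 'sleep' after succesful decryption.` has "succesful" for "successful", and the `Test it` paragraph kept as context has "check you settings" and "boot parition"; all three are worth fixing while this section is being added.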