From 3abb6a9cfa8206a48e45a1d93d039a5f3f9ae35b Mon Sep 17 00:00:00 2001
From: Sandro Keil
Date: Wed, 11 Jul 2018 16:50:00 +0200
Subject: [PATCH] Add Arch Linux TOC
---
 .gitignore | 3 +++
 CHANGELOG.md | 1 +
 README.md | 30 ++++++++++++++++++++++++++----
 book/arch/01-getting-started.md | 28 ++++++++++++++++++++++++++++
 book/arch/02-prepare-disk.md | 10 ++++++++++
 book/arch/03-prepare-yubikey.md | 3 +++
 book/arch/04-prepare-volumes.md | 3 +++
 book/arch/05-install-arch.md | 3 +++
 book/arch/06-secure-boot.md | 3 +++
 book/arch/07-yubikey-login.md | 3 +++
 book/arch/08-minimal-gnome.md | 3 +++
 book/arch/bookdown.json | 28 ++++++++++++++++++++++++++++
 book/bookdown.json | 23 +++++++++++++++++++++++
 composer.json | 31 +++++++++++++++++++++++++++++++
 14 files changed, 168 insertions(+), 4 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 CHANGELOG.md
 create mode 100644 book/arch/01-getting-started.md
 create mode 100644 book/arch/02-prepare-disk.md
 create mode 100644 book/arch/03-prepare-yubikey.md
 create mode 100644 book/arch/04-prepare-volumes.md
 create mode 100644 book/arch/05-install-arch.md
 create mode 100644 book/arch/06-secure-boot.md
 create mode 100644 book/arch/07-yubikey-login.md
 create mode 100644 book/arch/08-minimal-gnome.md
 create mode 100644 book/arch/bookdown.json
 create mode 100644 book/bookdown.json
 create mode 100644 composer.json
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..11ca892
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/html
+/composer.lock
+/vendor
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..825c32f
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1 @@
+# Changelog
diff --git a/README.md b/README.md
index e795b2d..9413f98 100644
--- a/README.md
+++ b/README.md
@@ -1,13 +1,14 @@
 # YubiKey Full Disk Encryption
-This repository contains a step-by-step tutorial to create a full disk encryption setup with two factor
-authentication (2FA) via [YubiKey](https://yubico.com/products/yubikey-hardware/). It contains:
+[This repository](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi "YubiKey Full Disk Encryption Repository")
+contains a step-by-step tutorial to create a full disk encryption setup with two factor authentication (2FA)
+via [YubiKey](https://yubico.com/products/yubikey-hardware/). It contains:
-- YubiKey encrypted root and home folder
+- YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions
 - Encrypted `/boot` partition
 - UEFI Secure boot (self signed boot loader)
-Currently supported Linux:
+Currently guides for:
 - Arch Linux
@@ -15,3 +16,24 @@ Currently supported Linux:
 It took me several days to figure out how to set up a fully encrypted machine with 2FA. This guide should help others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step guide to get the above things done.
+
+## Documentation
+
+For the latest online documentation visit [http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/](http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/ "Latest yubikey-full-disk-encryption-secure-boot-uefi documentation").
+Refer the *Quick Start* section for a detailed explanation.
+
+Documentation is [in the book tree](book/), and can be compiled using [bookdown](http://bookdown.io) or [Docker](https://www.docker.com/)
+
+```console
+$ docker run -it --rm -v $(pwd):/app sandrokeil/bookdown book/bookdown.json
+$ docker run -it --rm -p 8080:8080 -v $(pwd):/app php:7.1-cli php -S 0.0.0.0:8080 -t /app/doc/html
+```
+
+or run *bookdown*
+
+```console
+$ ./vendor/bin/bookdown book/bookdown.json
+$ php -S 0.0.0.0:8080 -t book/html/
+```
+
+Then browse to [http://localhost:8080/](http://localhost:8080/)
diff --git a/book/arch/01-getting-started.md b/book/arch/01-getting-started.md
new file mode 100644
index 0000000..0550c7d
--- /dev/null
+++ b/book/arch/01-getting-started.md
@@ -0,0 +1,28 @@
+# Getting Started
+
+For common stuff, the Arch Wiki is a good starting point. We need a bootable Arch Linux medium. Please take a look
+at the Arch Installtion Guide [en](https://wiki.archlinux.org/index.php/installation_guide#Pre-installation "Download and boot the installation medium") / [de](https://wiki.archlinux.de/title/Anleitung_für_Einsteiger#Das_neueste_ISO-Abbild_beziehen "Das neueste ISO-Abbild beziehen").
+
+Ok, you've create a bootable Arch Linux medium, now it's time to boot into the Arch Linux UEFI system.
+
+German users should execute `loadkeys de` (QWERTZ keyboard layout) in the tty prompt first.
+
+Let's install minimal packages to get started with our full disk encryption with YubiKey.
+
+```
+pacman -Sy yubikey-manager yubikey-personalization pcsc-tools libu2f-host make json-c cryptsetup
+```
+
+Now we must start the [smartcard service](https://wiki.archlinux.org/index.php/Smartcards "Smartcards")
+
+```
+systemctl start pcscd.service
+```
+
+and our connected YubiKey should be listed with
+
+```
+ykman list
+```
+
+That's it, now let's go over to the next chapter which describes how to prepare disks.
diff --git a/book/arch/02-prepare-disk.md b/book/arch/02-prepare-disk.md
new file mode 100644
index 0000000..8208299
--- /dev/null
+++ b/book/arch/02-prepare-disk.md
@@ -0,0 +1,10 @@
+# Prepare Disks
+
+You have [different choices](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system "dm-crypt/Encrypting an entire system") to setup encryption.
+This chapter describes [LVM on LUKS with encrypted boot partition](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29 "Encrypted boot partition (GRUB)").
+
+List your disks with `lsblk` and run `gdisk /dev/[your disk]` e.g. `gdisk /dev/nvme0n1`. You can take a look at the
+`gdisk` Arch Wiki [en](https://wiki.archlinux.org/index.php/Fdisk#gdisk) / [de](https://wiki.archlinux.de/title/GPT#Partitionieren_mit_gdisk)
+
+> It's crucial to use `gdisk` because GPT is needed for UEFI boot.
+
diff --git a/book/arch/03-prepare-yubikey.md b/book/arch/03-prepare-yubikey.md
new file mode 100644
index 0000000..3f2488c
--- /dev/null
+++ b/book/arch/03-prepare-yubikey.md
@@ -0,0 +1,3 @@
+# Prepare YubiKey
+
+TBD
diff --git a/book/arch/04-prepare-volumes.md b/book/arch/04-prepare-volumes.md
new file mode 100644
index 0000000..a918bcd
--- /dev/null
+++ b/book/arch/04-prepare-volumes.md
@@ -0,0 +1,3 @@
+# Prepare Volumes
+
+TBD
diff --git a/book/arch/05-install-arch.md b/book/arch/05-install-arch.md
new file mode 100644
index 0000000..58c1b5e
--- /dev/null
+++ b/book/arch/05-install-arch.md
@@ -0,0 +1,3 @@
+# Install Arch Linux
+
+TBD
diff --git a/book/arch/06-secure-boot.md b/book/arch/06-secure-boot.md
new file mode 100644
index 0000000..273f36d
--- /dev/null
+++ b/book/arch/06-secure-boot.md
@@ -0,0 +1,3 @@
+# Setup secure boot
+
+TBD
diff --git a/book/arch/07-yubikey-login.md b/book/arch/07-yubikey-login.md
new file mode 100644
index 0000000..f93bb6a
--- /dev/null
+++ b/book/arch/07-yubikey-login.md
@@ -0,0 +1,3 @@
+# Enable YubiKey Login
+
+TBD
diff --git a/book/arch/08-minimal-gnome.md b/book/arch/08-minimal-gnome.md
new file mode 100644
index 0000000..22ea6c5
--- /dev/null
+++ b/book/arch/08-minimal-gnome.md
@@ -0,0 +1,3 @@
+# Install minimal GNOME desktop
+
+TBD
diff --git a/book/arch/bookdown.json b/book/arch/bookdown.json
new file mode 100644
index 0000000..d6a516f
--- /dev/null
+++ b/book/arch/bookdown.json
@@ -0,0 +1,28 @@
+{
+ "title": "YubiKey full disk encryption Arch Linux guide",
+ "content": [
+ {"getting-started": "01-getting-started.md"},
+ {"prepare-disk": "02-prepare-disk.md"},
+ {"prepare-yubikey": "03-prepare-yubikey.md"},
+ {"prepare-volumes": "04-prepare-volumes.md"},
+ {"install-arch": "05-install-arch.md"},
+ {"secure-boot": "06-secure-boot.md"},
+ {"yubikey-login": "07-yubikey-login.md"},
+ {"minimal-gnome": "08-minimal-gnome.md"}
+ ],
+ "theme": {
+ "toc": {
+ "collapsibleFromLevel": 1
+ }
+ },
+ "template": "bookdown/themes",
+ "tocDepth": 1,
+ "target": "./html",
+ "numbering": false,
+ "extensions": {
+ "commonmark": [
+ "Webuni\\CommonMark\\TableExtension\\TableExtension",
+ "Webuni\\CommonMark\\AttributesExtension\\AttributesExtension"
+ ]
+ }
+}
diff --git a/book/bookdown.json b/book/bookdown.json
new file mode 100644
index 0000000..f7f088a
--- /dev/null
+++ b/book/bookdown.json
@@ -0,0 +1,23 @@
+{
+ "title": "YubiKey full disk encryption guide",
+ "content": [
+ {"intro": "../README.md"},
+ {"changelog": "../CHANGELOG.md"},
+ {"arch-linux": "arch/bookdown.json"}
+ ],
+ "theme": {
+ "toc": {
+ "collapsibleFromLevel": 1
+ }
+ },
+ "template": "bookdown/themes",
+ "tocDepth": 1,
+ "target": "../html",
+ "numbering": false,
+ "extensions": {
+ "commonmark": [
+ "Webuni\\CommonMark\\TableExtension\\TableExtension",
+ "Webuni\\CommonMark\\AttributesExtension\\AttributesExtension"
+ ]
+ }
+}
diff --git a/composer.json b/composer.json
new file mode 100644
index 0000000..9dffb84
--- /dev/null
+++ b/composer.json
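Review bot: The `"target": "./html"` in `book/arch/bookdown.json` and the `"target": "../html"` in `book/bookdown.json` from the same commit name two different output directories, and neither matches what the README hunk serves (`-t /app/doc/html` and `-t book/html/`). If bookdown resolves `target` relative to the config file, the root build lands in `html/` at the repository root (the directory `.gitignore`'s `/html` covers), while a standalone build of the Arch config would write `book/arch/html`, which nothing ignores; whether a nested config's `target` is honoured at all should be confirmed against bookdown. I would settle on one output directory, keep `"target": "../html"` in the root config and have the README serve `-t html/` (`-t /app/html` in the Docker variant). The `theme`, `template` and `extensions` blocks are also duplicated verbatim between the two configs and can drift apart; if bookdown inherits them from the parent config, the Arch file could carry only `title` and `content`.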
@@ -0,0 +1,31 @@
+{
+ "name": "sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi",
+ "description": "Tutorial to create full disk encryption with YubiKey, encrypted boot partition and secure boot with UEFI",
+ "type": "library",
+ "license": "BSD-3-Clause",
+ "homepage": "http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/",
+ "authors": [
+ {
+ "name": "Sandro Keil",
+ "email": "social@sandro-keil.de",
+ "homepage": "https://sandro-keil.de"
+ }
+ ],
+ "keywords": [
+ "yubikey",
+ "full-disk-encryption",
+ "2fa",
+ "secure-boot",
+ "uefi",
+ "arch-linux",
+ "luks",
+ "lvm2"
+ ],
+ "require": {
+ "bookdown/bookdown": "^1.1.0",
+ "webuni/commonmark-table-extension": "^0.6.1",
+ "webuni/commonmark-attributes-extension": "^0.5.0"
+ },
+ "minimum-stability": "dev",
+ "prefer-stable": true
+}
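Review bot: `"minimum-stability": "dev"` combined with the `/composer.lock` entry in this commit's `.gitignore` hunk means every `composer install` re-resolves the three `require` constraints from scratch and may accept dev branches instead of tagged releases, so the documentation toolchain is not reproducible and a later run can pull dependency code that was never reviewed. `"prefer-stable": true` only helps when a stable tag satisfies the constraint; for the pre-1.0 `^0.6.1` and `^0.5.0` ranges a dev branch otherwise remains a valid candidate. I would commit `composer.lock` (drop `/composer.lock` from `.gitignore`) or, if the lock is deliberately untracked, remove `"minimum-stability": "dev"` so only tagged releases resolve. Minor: `"type": "library"` is odd for a repository that is built as a tutorial rather than required by other packages; `"type": "project"` describes it better.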