Improve Arch guide with more hints

book/arch/03-prepare-yubikey.md

@@ -1,5 +1,7 @@
 # Prepare YubiKey
 
+> You can use the file `scripts/arch/03-ykfde.sh`.
+
 Download or mount [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) and install it
 in your Arch Linux Live environment. This is needed because we will format the 4th partition with YubiKey.
 
@@ -13,26 +15,30 @@ make install
 
 
 ## Prepare 2nd slot
-Now it's time to prepare the second slot of your YubiKey for the [challenge response authentication](https://wiki.archlinux.org/index.php/yubikey#Challenge-Response "Setup YubiKey Challenge-Response"). 
-Touch will be also enabled. You can also install the package `yubikey-personalization-gui`. It allows for customization of the secret key, 
-creation of secret key backup and writing the same secret key to multiple YubiKeys which allows for using them interchangeably for creating 
+Now it's time to prepare the second slot of your YubiKey for the [challenge response authentication](https://wiki.archlinux.org/index.php/yubikey#Challenge-Response "Setup YubiKey Challenge-Response").
+Touch will be also enabled. You can also install the package [`yubikey-personalization-gui`](https://www.kryptel.com/articles/yubikey_setup.php). It allows for customization of the secret key,
+creation of secret key backup and writing the same secret key to multiple YubiKeys which allows for using them interchangeably for creating
 same *ykfde* passphrases.
 
-> Securely save the 20 byte length secret key from the output, so you can use it to initialize another YubiKey as backup.
+> Securely save the 20 byte length secret **key** from the output, so you can use it to initialize another YubiKey as backup.
 
 ```
 ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
 ```
 
+The output contains the secret **key** e.g. `7fb21c407f0693ab30259664680a047f8c462ccb` to replace a faulty YubiKey.
+
 ## Configure ykfde
-Open `/etc/ykfde.conf` and set `YKFDE_CHALLENGE_SLOT=2` because we want to use the second slot. 
+Open `/etc/ykfde.conf` and set `YKFDE_CHALLENGE_SLOT=2` because we want to use the second slot.
 Set `YKFDE_CHALLENGE_PASSWORD_NEEDED=1` so it asks for the password (2FA). Leave other settings as is, it will be changed
 later.
 
-> Please compare it carefully with the latest version you have downloaded. 
+> Please compare it carefully with the latest version you have downloaded.
 
 ```ini
-# Configuration for yubikey-full-disk-encryption. ("") means an empty value.
+### Configuration for 'yubikey-full-disk-encryption'.
+### Remove hash (#) symbol and set non-empty ("") value for chosen options to
+### enable them.
 
 ### *REQUIRED* ###
 
@@ -40,43 +46,57 @@ later.
 #YKFDE_CHALLENGE=""
 
 # Use 'Manual mode with secret challenge (2FA)'.
-YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
+#YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
 
-# Choose YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode. Possible values are "1" or "2".
-YKFDE_CHALLENGE_SLOT="2"
+# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
+# Possible values are "1" or "2". Defaults to "2".
+#YKFDE_CHALLENGE_SLOT="2"
 
 ### OPTIONAL ###
 
-# Set partition UUID. Leave empty to use 'cryptdevice' kernel parameter.
+# UUID of device to unlock with 'cryptsetup'.
+# Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_DISK_UUID=""
 
-# Set LUKS encrypted volume name. Leave empty to use 'cryptdevice' kernel parameter.
+# LUKS encrypted volume name after unlocking.
+# Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_LUKS_NAME=""
 
-# If left empty this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID" -- device to unlock with 'cryptsetup luksOpen'.
+# Device to unlock with 'cryptsetup'. If left empty and 'YKFDE_DISK_UUID'
+# is enabled this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID".
+# Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_LUKS_DEV=""
 
-# Optional flags passed to 'cryptsetup luksOpen'. Example: "--allow-discards" for TRIM support. Leave empty to use cryptdevice kernel parameter.
+# Optional flags passed to 'cryptsetup'. Example: "--allow-discards" for TRIM
+# support. Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_LUKS_OPTIONS=""
 
-# Number of times to assemble passphrase and run 'cryptsetup luksOpen'. Defaults to "5".
+# Number of times to try assemble 'ykfde passphrase' and run 'cryptsetup'.
+# Defaults to "5".
 #YKFDE_CRYPTSETUP_TRIALS="5"
 
-# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'. Defaults to "30".
+# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'.
+# Defaults to "30".
 #YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
 
-# Number of seconds passed to 'sleep' after succesful decryption. Defaults to empty, meaning NO sleep.
+# Number of seconds to wait after successful decryption.
+# Defaults to empty, meaning NO wait.
 #YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
 
-# Enable verbose output. It will print all secrets to terminal. Use only for debugging.
+# Verbose output. It will print all secrets to terminal.
+# Use only for debugging.
 #DBG="1"
 ```
 
 ## Encrypt 4th partition
-Next step is to format the 4th partition. You can modify the arguments if you know what you are doing. 
+Next step is to format the 4th partition. You can modify the arguments if you know what you are doing.
 
 > Ensure that you use the 4th partition, replace `[device 4th partition]` with the 4th partition of your device e.g. `nvme0n1p4`
 
+The command `ykfde-format` will prompt to enter your challenge (2FA) password. Use a strong password which you can remember.
+You have to type this password every time to get access via YubiKey and to decrypt your disk. The command `ykfde-open`
+will unlock a LUKS encrypted volume on a running system.
+
 ```
 ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/[device 4th partition]
 ykfde-open -d /dev/[device 4th partition] -n cryptlvm