Add chapter prepare YubiKey

Sandro Keil
2018-07-13 00:18:30 +02:00
parent 93d21820ac
commit e2e0acc435
2 changed files with 90 additions and 1 deletions

View File

@@ -2,9 +2,20 @@
You have [different choices](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system "dm-crypt/Encrypting an entire system") to setup encryption.
This chapter describes [LVM on LUKS with encrypted boot partition](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29 "Encrypted boot partition (GRUB)").
Because we want to unlock all volumes at once.
List your disks with `lsblk` and run `gdisk /dev/[your disk]` e.g. `gdisk /dev/nvme0n1`. You can take a look at the
`gdisk` Arch Wiki [en](https://wiki.archlinux.org/index.php/Fdisk#gdisk) / [de](https://wiki.archlinux.de/title/GPT#Partitionieren_mit_gdisk)
> It's crucial to use `gdisk` because GPT is needed for UEFI boot.
Please create 4 partition like described in the Arch Wiki above with `gdisk`. Use the codes for the partition type.
Don't format the partitions at this time, we will do it later with the YubiKey.
The second partition contains the EFI System and must be of type FAT32. Format the second partition e.g. `/dev/nvme0n1p2` with:
```
mkfs.fat -F32 /dev/[your disk partition 2]
```
The next chapter describes how to prepare the YubiKey.
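Review bot: "Don't format the partitions at this time" is immediately contradicted by the next sentence, which formats partition 2, so rephrase it as "Don't format the partitions yet, except the EFI System Partition, which we format now", and spell out what the four partitions are for: "create 4 partition like described in the Arch Wiki above" leaves a reader without the wiki open unable to tell which partition becomes the LUKS container or which gdisk type codes to use (EF00 for the ESP, 8E00 for Linux LVM, 8309 for Linux LUKS). The blockquote "It's crucial to use `gdisk` because GPT is needed for UEFI boot" overstates the point: `fdisk` also writes GPT labels, what matters is that the disk is GPT, not which tool partitions it. Minor: "4 partition" should be "4 partitions", and "Because we want to unlock all volumes at once." is a fragment that belongs on the end of the previous sentence.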

View File

@@ -1,3 +1,81 @@
# Prepare YubiKey
TBD
Download or mount [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) and install it
in your Arch Linux Live environment. This is needed because we will format the 4rd partition with YubiKey.
Open the yubikey-full-disk-encryption folder and run `make`.
```
cd yubikey-full-disk-encryption
make install
```
Now it's time prepare the second slot of our YubiKey for the challenge response authentication. Touch will be also enabled.
```
ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
```
Open `/etc/ykfde.conf` and set `YKFDE_CHALLENGE_SLOT=2` because we want to use the second slot.
Set `YKFDE_CHALLENGE_PASSWORD_NEEDED=1` so it asks for the password (2FA). Feel free to modify it tou your needs
e.g. enable TRIM (but be warned, there are potential security implications) support.
> Please compare it carefully with the latest version you have downloaded.
```ini
# Configuration for yubikey-full-disk-encryption. ("") means an empty value.
### *REQUIRED* ###
# Set to non-empty value to use 'Automatic mode with stored challenge (1FA)'.
#YKFDE_CHALLENGE=""
# Use 'Manual mode with secret challenge (2FA)'.
YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
# Choose YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode. Possible values are "1" or "2".
YKFDE_CHALLENGE_SLOT="2"
### OPTIONAL ###
# Set partition UUID. Leave empty to use 'cryptdevice' kernel parameter.
#YKFDE_DISK_UUID=""
# Set LUKS encrypted volume name. Leave empty to use 'cryptdevice' kernel parameter.
#YKFDE_LUKS_NAME=""
# If left empty this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID" -- device to unlock with 'cryptsetup luksOpen'.
#YKFDE_LUKS_DEV=""
# Optional flags passed to 'cryptsetup luksOpen'. Example: "--allow-discards" for TRIM support. Leave empty to use cryptdevice kernel parameter.
#YKFDE_LUKS_OPTIONS=""
# Number of times to assemble passphrase and run 'cryptsetup luksOpen'. Defaults to "5".
#YKFDE_CRYPTSETUP_TRIALS="5"
# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'. Defaults to "30".
#YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
# Number of seconds passed to 'sleep' after succesful decryption. Defaults to empty, meaning NO sleep.
#YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
# Enable verbose output. It will print all secrets to terminal. Use only for debugging.
#DBG="1"
```
Next step is to format the 4rd partition. You can modify the arguments if you know what you are doing.
Ensure that you use the 4rd partition e.g. `nvme0n1p4`
```
ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/[device 4rd partition]
ykfde-open -d /dev/[device 4rd partition] -n cryptlvm
```
Display the crypt volume with `ls /dev/mapper`. Next step is to [preparing the logical volumes](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_logical_volumes "preparing the logical volumes")
for `/` and `/home` directory.
```
mount /dev/MyVolGroup/root /mnt
mkdir /mnt/home
mount /dev/MyVolGroup/home /mnt/home
```
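Review bot: `ykfde-format ... --type luks2` conflicts with the "encrypted boot partition (GRUB)" layout chosen in the previous chapter: the GRUB release current at the time of this commit (2.02) can only open LUKS1 containers and LUKS2 support did not arrive until GRUB 2.06, so a LUKS2 container with `/boot` inside it will not boot. Either use `--type luks1` for the container GRUB has to unlock, or keep `/boot` on a separate unencrypted partition and say so. Further points in this hunk: the prose says "run `make`" but the block runs `make install`, which is the step that actually copies the hook and `ykfde.conf` into the live system, so align the sentence with the command; `ykpersonalize -2 ...` without `-a` lets the tool generate a random HMAC secret, which means a second (backup) YubiKey cannot be programmed with the same secret later, so document passing the same `-a<hex>` secret to both keys or at least keeping a plain passphrase in another LUKS key slot as fallback; the final mount block never mounts the EFI System Partition formatted in the previous chapter (e.g. under `/mnt/boot/efi`), which `grub-install` needs, and it mounts `/dev/MyVolGroup/root` and `/dev/MyVolGroup/home` although the `pvcreate`/`vgcreate`/`lvcreate`/`mkfs` steps that create them are only linked, so the block fails as written on a fresh disk. Typos: "4rd" should be "4th" in all four places, "tou your needs" should be "to your needs", and "Now it's time prepare" is missing "to".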