From e2e0acc4354e9c04960f5c1cdfd6d1f0b83e87c1 Mon Sep 17 00:00:00 2001 From: Sandro Keil Date: Fri, 13 Jul 2018 00:18:30 +0200 Subject: [PATCH] Add chapter prepare YubiKey --- book/arch/02-prepare-disk.md | 11 +++++ book/arch/03-prepare-yubikey.md | 80 ++++++++++++++++++++++++++++++++- 2 files changed, 90 insertions(+), 1 deletion(-) diff --git a/book/arch/02-prepare-disk.md b/book/arch/02-prepare-disk.md index 8208299..d63594a 100644 --- a/book/arch/02-prepare-disk.md +++ b/book/arch/02-prepare-disk.md @@ -2,9 +2,20 @@ You have [different choices](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system "dm-crypt/Encrypting an entire system") to setup encryption. This chapter describes [LVM on LUKS with encrypted boot partition](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29 "Encrypted boot partition (GRUB)"). +Because we want to unlock all volumes at once. List your disks with `lsblk` and run `gdisk /dev/[your disk]` e.g. `gdisk /dev/nvme0n1`. You can take a look at the `gdisk` Arch Wiki [en](https://wiki.archlinux.org/index.php/Fdisk#gdisk) / [de](https://wiki.archlinux.de/title/GPT#Partitionieren_mit_gdisk) > It's crucial to use `gdisk` because GPT is needed for UEFI boot. +Please create 4 partition like described in the Arch Wiki above with `gdisk`. Use the codes for the partition type. +Don't format the partitions at this time, we will do it later with the YubiKey. + +The second partition contains the EFI System and must be of type FAT32. Format the second partition e.g. `/dev/nvme0n1p2` with: + +``` +mkfs.fat -F32 /dev/[your disk partition 2] +``` + +The next chapter describes how to prepare the YubiKey. diff --git a/book/arch/03-prepare-yubikey.md b/book/arch/03-prepare-yubikey.md index 3f2488c..db3250c 100644 --- a/book/arch/03-prepare-yubikey.md +++ b/book/arch/03-prepare-yubikey.md 
@@ -1,3 +1,81 @@ # Prepare YubiKey -TBD +Download or mount [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) and install it +in your Arch Linux Live environment. This is needed because we will format the 4rd partition with YubiKey. + +Open the yubikey-full-disk-encryption folder and run `make`. + +``` +cd yubikey-full-disk-encryption +make install +``` + +Now it's time prepare the second slot of our YubiKey for the challenge response authentication. Touch will be also enabled. + +``` +ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible +``` + +Open `/etc/ykfde.conf` and set `YKFDE_CHALLENGE_SLOT=2` because we want to use the second slot. +Set `YKFDE_CHALLENGE_PASSWORD_NEEDED=1` so it asks for the password (2FA). Feel free to modify it tou your needs +e.g. enable TRIM (but be warned, there are potential security implications) support. + +> Please compare it carefully with the latest version you have downloaded. + +```ini +# Configuration for yubikey-full-disk-encryption. ("") means an empty value. + +### *REQUIRED* ### + +# Set to non-empty value to use 'Automatic mode with stored challenge (1FA)'. +#YKFDE_CHALLENGE="" + +# Use 'Manual mode with secret challenge (2FA)'. +YKFDE_CHALLENGE_PASSWORD_NEEDED="1" + +# Choose YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode. Possible values are "1" or "2". +YKFDE_CHALLENGE_SLOT="2" + +### OPTIONAL ### + +# Set partition UUID. Leave empty to use 'cryptdevice' kernel parameter. +#YKFDE_DISK_UUID="" + +# Set LUKS encrypted volume name. Leave empty to use 'cryptdevice' kernel parameter. +#YKFDE_LUKS_NAME="" + +# If left empty this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID" -- device to unlock with 'cryptsetup luksOpen'. +#YKFDE_LUKS_DEV="" + +# Optional flags passed to 'cryptsetup luksOpen'. Example: "--allow-discards" for TRIM support. Leave empty to use cryptdevice kernel parameter. 
+#YKFDE_LUKS_OPTIONS="" + +# Number of times to assemble passphrase and run 'cryptsetup luksOpen'. Defaults to "5". +#YKFDE_CRYPTSETUP_TRIALS="5" + +# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'. Defaults to "30". +#YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30" + +# Number of seconds passed to 'sleep' after succesful decryption. Defaults to empty, meaning NO sleep. +#YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP="" + +# Enable verbose output. It will print all secrets to terminal. Use only for debugging. +#DBG="1" +``` + +Next step is to format the 4rd partition. You can modify the arguments if you know what you are doing. +Ensure that you use the 4rd partition e.g. `nvme0n1p4` + +``` +ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/[device 4rd partition] +ykfde-open -d /dev/[device 4rd partition] -n cryptlvm +``` + +Display the crypt volume with `ls /dev/mapper`. Next step is to [preparing the logical volumes](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_logical_volumes "preparing the logical volumes") +for `/` and `/home` directory. + +``` +mount /dev/MyVolGroup/root /mnt +mkdir /mnt/home +mount /dev/MyVolGroup/home /mnt/home +```
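Review bot: In the 02-prepare-disk.md hunk, the first added line, "Because we want to unlock all volumes at once.", is a sentence fragment with no main clause; either attach it to the preceding sentence ("This chapter describes LVM on LUKS with encrypted boot partition, because we want to unlock all volumes at once.") or drop it. The instruction "Please create 4 partition like described in the Arch Wiki above" never says what the four partitions are or which GPT type codes they need, so "Use the codes for the partition type" cannot be followed from this page alone; list the four partitions with their purpose and type code. "Don't format the partitions at this time" is then contradicted two lines later by the `mkfs.fat -F32` block; say "except the EFI System partition". Minor: "4 partition" should be "4 partitions" and "like described" should be "as described".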
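Review bot: In the 03-prepare-yubikey.md hunk, the prose says "run `make`" but the fenced block runs `make install`; make them agree, since the install target is what puts `ykfde-format`, `ykfde-open` and `/etc/ykfde.conf` in place. The `ykpersonalize -v -2 ...` step gives no warning that it overwrites whatever is already programmed in slot 2 and that `-v` echoes the generated secret to the terminal; a reader reusing a YubiKey should be told before running it. The final mount block references `/dev/MyVolGroup/root` and `/dev/MyVolGroup/home`, but nothing in the hunk creates the physical volume, volume group or logical volumes or puts filesystems on them; either add the `pvcreate`/`vgcreate`/`lvcreate`/`mkfs` steps or state explicitly that `MyVolGroup` is the name from the linked wiki section and must match what the reader chose there. Typos: "4rd" should be "4th" (three occurrences), "time prepare" should be "time to prepare", "tou your needs" should be "to your needs", and "Next step is to preparing" should be "Next step is to prepare".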