booster
yubikey-full-disk-encryption
Our great sponsors
booster | yubikey-full-disk-encryption | |
---|---|---|
27 | 16 | |
452 | 772 | |
- | - | |
6.3 | 0.0 | |
28 days ago | 5 months ago | |
Go | Shell | |
MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
booster
-
PSA: upgrade your LUKS key derivation function
People should stop using plain passwords to protect data and switch to something better.oster/ + Yubikey
-
[Boot error] Initramfs unpacking failed after updating to 6.0.1
Change from mkinitcpio to booster. It's faster and produce smaller images.
-
Dracut or Genkernel?
Neither, use booster.
-
Booster initramfs release 0.9 got ZFS support
Booster is an initramfs - a type of software that runs early during the boot process and helps to setup system, e.g. perform disk unlock, load extra drivers, setup ZFS filesystem, and so on.
-
You can end up without any kernel to boot if your computer crashes during a pacman update
I don't have high hopes that this will change in mkinitcpio, but perhaps you could bring it up with booster (which copied the mkinitcpio hooks and removal scripts)
-
Is There Something To Improve to my arch install "Guide"?
This is my personal preference, but consider switching to booster.
-
What is your current setup? Bootloader, filesystem, partitions, etc.
initramfs: booster - TPM2 support, way faster than mkinitcpio, autodiscovering root partition
-
Complex Issue:
Note I'm using booster, so assuming you're using the default mkinitcpio you probably want /boot/initramfs-linux.img. Also, don't forget to modify if your ESP isn't mounted at /boot like mine.
-
Systemd 250 released
Booster initramfs generator supports TPM, Yubikey and Network binding so you can easily protect your data using the strategy you want.
-
Booster dont loads with efistub
GPT table detection has higher priority at booster code. But for some reason it does not identify your partition table as GPT. Filed a github bug for it https://github.com/anatol/booster/issues/119
yubikey-full-disk-encryption
- I have seen in a lot of posts here people say not to use Google Authentication for 2FA. Can someone simply explain why, and what should I use instead?
-
LUKS with Yubikey
Would using this be possible? https://github.com/agherzan/yubikey-full-disk-encryption/tree/master/src
-
Getting LUKS, Btrfs, Hibernation and Swap file working in tandem
> Hibernate is less interesting, and apparently unsupported using secure boot anyway.
That's not the case. I have a similar setup to yours (/ on ext4 with separate swap, on LVM on LUKS, separate /efi) and my box hibernates just fine with secure boot and auto-unlock via TPM.
The difference with your setup is I don't use grub, but have the UEFI load a signed unified kernel image directly. Since this works so well, I never had a reason to mess around with yet another moving piece (grub or other bootloader).
As another commenter said, I haven't attempted to mess around with the MOK. I just replaced all the secure boot keys with my own, and I've also signed MS's Windows key (but not the 3rd party one) for my dual-boot needs.
---
For specifics: This is an up-to-date Arch Linux install, running on an HP EliteBook 840 G8 (11th gen intel). I know Debian may have older components than arch, but this setup has been working for more than a year now.
IIRC, the most significant change was brought by systemd 251 which started supporting auto-unlocking LUKS with the TPM. Before that, on an older computer with the same general setup, hibernation worked well, too. I just needed to input the unlock password (which I was too lazy to do, so I just used my yubikey - see https://github.com/agherzan/yubikey-full-disk-encryption).
-
systemd 253 Released With Ukify Tool, systemd-cryptenroll Unlocking Via FIDO2 Tokens
Does yubikey-full-disk-encryption provide anything systemd 253 doesn't now?
-
Tillitis Security Key – Mullvad spin-off inspired by measured boot and DICE
Do you mean something like this: https://github.com/agherzan/yubikey-full-disk-encryption
-
Encrypt data on server (Linux, LUKS) on Raspberry Pi
Full disk encryption is rarely as portable as simply encrypting the files you need. When I ran a “homemade” NAS, I had everything LUKS encrypted. I used a Yubikey to unlock the encrypted data.
-
Using a YubiKey to unlock LUKS - How to secure or encrypt /boot?
A few days ago I akquiriere a Yubikey and I'm currently trying to set up 2FA with the Yubikey and a password to unlock the LUKS container. Since I am running Arch I came across the yubikey-full-disk-encryption package and tested it in an Arch VM. So far it worked really well. The only issue I am having is that compared to my old setup I need to have /boot unencrypted because it seems GRUB itself cannot deal with the 2FA setup and ykfde if /boot is encrypted. Previously I had most of /boot inside the LUKS volume with only the /efi part unencrypted (this is used when telling grub where the efi-directory is - see the previous guide for the full details please) and the GRUB_ENABLE_CRYPTODISK=y option set in the GRUB config.
-
LUKS boot unlock fido2 issue
I don't know about the hanging, I use yubikey-full-disk-encryption which uses challenge-response (1FA or 2FA) which you can set up how many attempts to use the YubiKey before it falls back to the passphrase.
-
Is it possible to crack drive encryption without header?
Related: https://github.com/agherzan/yubikey-full-disk-encryption
-
How safe is encryption?
https://github.com/cornelinux/yubikey-luks or https://github.com/agherzan/yubikey-full-disk-encryption with yubikey 5 will get you going. It is a bit expensive to get two keys (regular and backup), but these can be also used to secure most of the online accounts.
What are some alternatives?
u-root - A fully Go userland with Linux bootloaders! u-root can create a one-binary root file system (initramfs) containing a busybox-like set of tools written in Go.
dracut - dracut the event driven initramfs infrastructure
tang - Tang binding daemon
fido2luks - Decrypt your LUKS partition using a FIDO2 compatible authenticator
void-packages - The Void source packages collection
solokey-full-disk-encryption - Use SoloKey to unlock a LUKS encrypted partition
sslmgr - A layer of abstraction the around acme/autocert certificate manager (Golang)
wireguard-initramfs - Use dropbear over wireguard.
zip - Fork of Go's archive/zip to add reading/writing of password protected zip files.
zfsUnlocker - A modular zfs unlocker hook for mkinitcpio on Archlinux.
set - Package set is a small wrapper around the official reflect package that facilitates loose type conversion and assignment into native Go types.