yubikey-full-disk-encryption
dracut
yubikey-full-disk-encryption | dracut | |
---|---|---|
16 | 18 | |
775 | 523 | |
- | 1.0% | |
0.0 | 7.5 | |
5 months ago | 9 days ago | |
Shell | Shell | |
Apache License 2.0 | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
yubikey-full-disk-encryption
- I have seen in a lot of posts here people say not to use Google Authentication for 2FA. Can someone simply explain why, and what should I use instead?
-
LUKS with Yubikey
Would using this be possible? https://github.com/agherzan/yubikey-full-disk-encryption/tree/master/src
-
Getting LUKS, Btrfs, Hibernation and Swap file working in tandem
> Hibernate is less interesting, and apparently unsupported using secure boot anyway.
That's not the case. I have a similar setup to yours (/ on ext4 with separate swap, on LVM on LUKS, separate /efi) and my box hibernates just fine with secure boot and auto-unlock via TPM.
The difference with your setup is I don't use grub, but have the UEFI load a signed unified kernel image directly. Since this works so well, I never had a reason to mess around with yet another moving piece (grub or other bootloader).
As another commenter said, I haven't attempted to mess around with the MOK. I just replaced all the secure boot keys with my own, and I've also signed MS's Windows key (but not the 3rd party one) for my dual-boot needs.
---
For specifics: This is an up-to-date Arch Linux install, running on an HP EliteBook 840 G8 (11th gen intel). I know Debian may have older components than arch, but this setup has been working for more than a year now.
IIRC, the most significant change was brought by systemd 251 which started supporting auto-unlocking LUKS with the TPM. Before that, on an older computer with the same general setup, hibernation worked well, too. I just needed to input the unlock password (which I was too lazy to do, so I just used my yubikey - see https://github.com/agherzan/yubikey-full-disk-encryption).
-
systemd 253 Released With Ukify Tool, systemd-cryptenroll Unlocking Via FIDO2 Tokens
Does yubikey-full-disk-encryption provide anything systemd 253 doesn't now?
-
Tillitis Security Key – Mullvad spin-off inspired by measured boot and DICE
Do you mean something like this: https://github.com/agherzan/yubikey-full-disk-encryption
-
Encrypt data on server (Linux, LUKS) on Raspberry Pi
Full disk encryption is rarely as portable as simply encrypting the files you need. When I ran a “homemade” NAS, I had everything LUKS encrypted. I used a Yubikey to unlock the encrypted data.
-
Using a YubiKey to unlock LUKS - How to secure or encrypt /boot?
A few days ago I akquiriere a Yubikey and I'm currently trying to set up 2FA with the Yubikey and a password to unlock the LUKS container. Since I am running Arch I came across the yubikey-full-disk-encryption package and tested it in an Arch VM. So far it worked really well. The only issue I am having is that compared to my old setup I need to have /boot unencrypted because it seems GRUB itself cannot deal with the 2FA setup and ykfde if /boot is encrypted. Previously I had most of /boot inside the LUKS volume with only the /efi part unencrypted (this is used when telling grub where the efi-directory is - see the previous guide for the full details please) and the GRUB_ENABLE_CRYPTODISK=y option set in the GRUB config.
-
LUKS boot unlock fido2 issue
I don't know about the hanging, I use yubikey-full-disk-encryption which uses challenge-response (1FA or 2FA) which you can set up how many attempts to use the YubiKey before it falls back to the passphrase.
-
Is it possible to crack drive encryption without header?
Related: https://github.com/agherzan/yubikey-full-disk-encryption
-
How safe is encryption?
https://github.com/cornelinux/yubikey-luks or https://github.com/agherzan/yubikey-full-disk-encryption with yubikey 5 will get you going. It is a bit expensive to get two keys (regular and backup), but these can be also used to secure most of the online accounts.
dracut
- Locked root partition
-
ZFSBootMenu boots root dataset just fine but doesn't ask for password even though it's encrypted???
Upstream has been telling people not to use a central configuration file for 8 years so nobody should really be putting anything in there to begin with. One can make a reasonable argument that ZFSBootMenu ought to override the configuration file just like it overrides the configuration drop-in directory, but another can make a reasonable argument that people who really know what they want may wish to load common configuration options for both their system and ZBM images in /etc/dracut.conf.
-
Can't turn off the machine after install with full disk encryption
I absolutely have no idea... Seems like somehow something is not supported. You should create an issue in the dracut repo: https://github.com/dracutdevs/dracut/issues. That's something you should probably everywhere like I did in my issue: https://www.reddit.com/r/voidlinux/comments/11ofqt2/booting_with_dinit. The void community can sometimes be really unhelpful so I hope you will get help there.
-
What happened to the bugzilla 1529311? it's about AMD microcode
bug 1529311 is closed as duplicate of bug 1476039 which was fixed by https://access.redhat.com/errata/RHBA-2018:0964 included in dracut-033-535.el7. These patches were mentioned in 1476039: https://github.com/dracutdevs/dracut/commit/19453dc8744e6a59725c43b61b2e3db01cb4c57c and https://github.com/dracutdevs/dracut/pull/261. Also it was mentioned that it was fixed in
-
/boot/initramfs.. and the early boot process
It's a shell script that sets up some basics and runs an event loop to run hooks that eventually lead to the availability of your root device.
-
Can bluetooth keyboards work to enter luks password?
dracut can build initrd with bluetooth support
-
Has anyone setup a private tracker?
The documentation is super minimal, but the livenet module supports torrent files using the live:torrent: URL syntax.
-
Are cheap wireless keyboards from Lazada and Shopee compatible for Linux? (POV: I live in the Philippines and I have to do online shopping cuz of the pandemic)
Nope, all these environments are missing initial device configuration required for keyboard to be able to connect. (There was an attempt to add bluetooth support into dracut, that didn't go well)
- Failed to Start setup virtual console
-
Dracut kernel_cmdline not working with LVM on LUKS.
I get exactly this error. So it turns out, the decryption depends on a systemd unitsystemd-cryptsetup-generator, which will not read any embedded cmdline parameters, only ones passed in the commandline so when the commandline parameter is asking to decrypt things, it is not generated.
What are some alternatives?
fido2luks - Decrypt your LUKS partition using a FIDO2 compatible authenticator
mkinitcpio - Arch Linux initramfs generation tools (read-only mirror)
solokey-full-disk-encryption - Use SoloKey to unlock a LUKS encrypted partition
zfsbootmenu - ZFS Bootloader for root-on-ZFS systems with support for snapshots and native full disk encryption
wireguard-initramfs - Use dropbear over wireguard.
systemd - The systemd System and Service Manager
zfsUnlocker - A modular zfs unlocker hook for mkinitcpio on Archlinux.
squashfs-tools-ng - A new set of tools and libraries for working with SquashFS images
void-packages - The Void source packages collection
disk-encryption-hetzner - Encrypt a hetzner server from the "serverbörse" and unlock it remote via ssh
ramroot - Load root file system to ram during boot.