yubikey-full-disk-encryption
pam-u2f
yubikey-full-disk-encryption | pam-u2f | |
---|---|---|
16 | 3 | |
775 | 517 | |
- | 0.8% | |
0.0 | 6.0 | |
5 months ago | 28 days ago | |
Shell | C | |
Apache License 2.0 | BSD 2-clause "Simplified" License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
yubikey-full-disk-encryption
- I have seen in a lot of posts here people say not to use Google Authentication for 2FA. Can someone simply explain why, and what should I use instead?
-
LUKS with Yubikey
Would using this be possible? https://github.com/agherzan/yubikey-full-disk-encryption/tree/master/src
-
Getting LUKS, Btrfs, Hibernation and Swap file working in tandem
> Hibernate is less interesting, and apparently unsupported using secure boot anyway.
That's not the case. I have a similar setup to yours (/ on ext4 with separate swap, on LVM on LUKS, separate /efi) and my box hibernates just fine with secure boot and auto-unlock via TPM.
The difference with your setup is I don't use grub, but have the UEFI load a signed unified kernel image directly. Since this works so well, I never had a reason to mess around with yet another moving piece (grub or other bootloader).
As another commenter said, I haven't attempted to mess around with the MOK. I just replaced all the secure boot keys with my own, and I've also signed MS's Windows key (but not the 3rd party one) for my dual-boot needs.
---
For specifics: This is an up-to-date Arch Linux install, running on an HP EliteBook 840 G8 (11th gen intel). I know Debian may have older components than arch, but this setup has been working for more than a year now.
IIRC, the most significant change was brought by systemd 251 which started supporting auto-unlocking LUKS with the TPM. Before that, on an older computer with the same general setup, hibernation worked well, too. I just needed to input the unlock password (which I was too lazy to do, so I just used my yubikey - see https://github.com/agherzan/yubikey-full-disk-encryption).
-
systemd 253 Released With Ukify Tool, systemd-cryptenroll Unlocking Via FIDO2 Tokens
Does yubikey-full-disk-encryption provide anything systemd 253 doesn't now?
-
Tillitis Security Key – Mullvad spin-off inspired by measured boot and DICE
Do you mean something like this: https://github.com/agherzan/yubikey-full-disk-encryption
-
Encrypt data on server (Linux, LUKS) on Raspberry Pi
Full disk encryption is rarely as portable as simply encrypting the files you need. When I ran a “homemade” NAS, I had everything LUKS encrypted. I used a Yubikey to unlock the encrypted data.
-
Using a YubiKey to unlock LUKS - How to secure or encrypt /boot?
A few days ago I akquiriere a Yubikey and I'm currently trying to set up 2FA with the Yubikey and a password to unlock the LUKS container. Since I am running Arch I came across the yubikey-full-disk-encryption package and tested it in an Arch VM. So far it worked really well. The only issue I am having is that compared to my old setup I need to have /boot unencrypted because it seems GRUB itself cannot deal with the 2FA setup and ykfde if /boot is encrypted. Previously I had most of /boot inside the LUKS volume with only the /efi part unencrypted (this is used when telling grub where the efi-directory is - see the previous guide for the full details please) and the GRUB_ENABLE_CRYPTODISK=y option set in the GRUB config.
-
LUKS boot unlock fido2 issue
I don't know about the hanging, I use yubikey-full-disk-encryption which uses challenge-response (1FA or 2FA) which you can set up how many attempts to use the YubiKey before it falls back to the passphrase.
-
Is it possible to crack drive encryption without header?
Related: https://github.com/agherzan/yubikey-full-disk-encryption
-
How safe is encryption?
https://github.com/cornelinux/yubikey-luks or https://github.com/agherzan/yubikey-full-disk-encryption with yubikey 5 will get you going. It is a bit expensive to get two keys (regular and backup), but these can be also used to secure most of the online accounts.
pam-u2f
What are some alternatives?
dracut - dracut the event driven initramfs infrastructure
virtual-fido - A Virtual FIDO2 USB Device
fido2luks - Decrypt your LUKS partition using a FIDO2 compatible authenticator
hardening - Hardening Ubuntu. Systemd edition.
solokey-full-disk-encryption - Use SoloKey to unlock a LUKS encrypted partition
http-observatory - Mozilla HTTP Observatory
wireguard-initramfs - Use dropbear over wireguard.
bastion - 🔒Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
zfsUnlocker - A modular zfs unlocker hook for mkinitcpio on Archlinux.
lynis - Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
void-packages - The Void source packages collection
pam-onelogin - pam-onelogin is a pretty complete pam/nss stack for using OneLogin as authentication source (with MFA) and user/group lookups. Primarily used for SSH.