zfsUnlocker
yubikey-full-disk-encryption
zfsUnlocker | yubikey-full-disk-encryption | |
---|---|---|
2 | 16 | |
20 | 775 | |
- | - | |
7.6 | 0.0 | |
10 days ago | 5 months ago | |
Shell | Shell | |
GNU General Public License v3.0 only | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
zfsUnlocker
-
How do I configure the refind.conf and refind_linux.conf (and or config.yaml (for ZFSBootMenu)) files properly when installing Arch Linux with ZFS Native Encryption?
Personally I hate keyfiles and any form of zfs unlocking automation which stores things locally (I suppose TPM cryptography is a good exception). While I use a traditional EFI /boot with systemd-boot (bootctl) I made this initramfs hook so that my machines can dynamically unlock themselves from my vault cluster with a revokable token. Not quite the same approach and if there's no networking a machine could get caught dead in the water for booting back to a password prompt, but it's good enough right now that I use it on everything.
-
What would be the best way to set up an encrypted dataset that uses a keyfile and that automatically will lock/unlock itself depending on if the keyfile is available?
This is my Vault solution for an mkinitcpio-powered initramfs. I use it on my router as well which is a zfs root Arch install handling a good 20 static routes with a stateful firewall.
yubikey-full-disk-encryption
- I have seen in a lot of posts here people say not to use Google Authentication for 2FA. Can someone simply explain why, and what should I use instead?
-
LUKS with Yubikey
Would using this be possible? https://github.com/agherzan/yubikey-full-disk-encryption/tree/master/src
-
Getting LUKS, Btrfs, Hibernation and Swap file working in tandem
> Hibernate is less interesting, and apparently unsupported using secure boot anyway.
That's not the case. I have a similar setup to yours (/ on ext4 with separate swap, on LVM on LUKS, separate /efi) and my box hibernates just fine with secure boot and auto-unlock via TPM.
The difference with your setup is I don't use grub, but have the UEFI load a signed unified kernel image directly. Since this works so well, I never had a reason to mess around with yet another moving piece (grub or other bootloader).
As another commenter said, I haven't attempted to mess around with the MOK. I just replaced all the secure boot keys with my own, and I've also signed MS's Windows key (but not the 3rd party one) for my dual-boot needs.
---
For specifics: This is an up-to-date Arch Linux install, running on an HP EliteBook 840 G8 (11th gen intel). I know Debian may have older components than arch, but this setup has been working for more than a year now.
IIRC, the most significant change was brought by systemd 251 which started supporting auto-unlocking LUKS with the TPM. Before that, on an older computer with the same general setup, hibernation worked well, too. I just needed to input the unlock password (which I was too lazy to do, so I just used my yubikey - see https://github.com/agherzan/yubikey-full-disk-encryption).
-
systemd 253 Released With Ukify Tool, systemd-cryptenroll Unlocking Via FIDO2 Tokens
Does yubikey-full-disk-encryption provide anything systemd 253 doesn't now?
-
Tillitis Security Key – Mullvad spin-off inspired by measured boot and DICE
Do you mean something like this: https://github.com/agherzan/yubikey-full-disk-encryption
-
Encrypt data on server (Linux, LUKS) on Raspberry Pi
Full disk encryption is rarely as portable as simply encrypting the files you need. When I ran a “homemade” NAS, I had everything LUKS encrypted. I used a Yubikey to unlock the encrypted data.
-
Using a YubiKey to unlock LUKS - How to secure or encrypt /boot?
A few days ago I akquiriere a Yubikey and I'm currently trying to set up 2FA with the Yubikey and a password to unlock the LUKS container. Since I am running Arch I came across the yubikey-full-disk-encryption package and tested it in an Arch VM. So far it worked really well. The only issue I am having is that compared to my old setup I need to have /boot unencrypted because it seems GRUB itself cannot deal with the 2FA setup and ykfde if /boot is encrypted. Previously I had most of /boot inside the LUKS volume with only the /efi part unencrypted (this is used when telling grub where the efi-directory is - see the previous guide for the full details please) and the GRUB_ENABLE_CRYPTODISK=y option set in the GRUB config.
-
LUKS boot unlock fido2 issue
I don't know about the hanging, I use yubikey-full-disk-encryption which uses challenge-response (1FA or 2FA) which you can set up how many attempts to use the YubiKey before it falls back to the passphrase.
-
Is it possible to crack drive encryption without header?
Related: https://github.com/agherzan/yubikey-full-disk-encryption
-
How safe is encryption?
https://github.com/cornelinux/yubikey-luks or https://github.com/agherzan/yubikey-full-disk-encryption with yubikey 5 will get you going. It is a bit expensive to get two keys (regular and backup), but these can be also used to secure most of the online accounts.
What are some alternatives?
ramroot - Load root file system to ram during boot.
dracut - dracut the event driven initramfs infrastructure
efifs - EFI FileSystem drivers
fido2luks - Decrypt your LUKS partition using a FIDO2 compatible authenticator
Archboot - Archboot is a most advanced, modular Arch Linux boot/install image creation utility to generate bootable media for CD/USB/PXE, designed for installation or rescue operation.
solokey-full-disk-encryption - Use SoloKey to unlock a LUKS encrypted partition
zfsbootmenu - ZFS Bootloader for root-on-ZFS systems with support for snapshots and native full disk encryption
wireguard-initramfs - Use dropbear over wireguard.
usb-samplerate-unlocker - USB (HAL) Audio Class drivers on Android have a limiter of sample rates at 96kHz. This magisk module unlocks the limiter.
void-packages - The Void source packages collection
disk-encryption-hetzner - Encrypt a hetzner server from the "serverbörse" and unlock it remote via ssh
https-keyscript - Allow a machine with an encrypted boot drive to passwordlessly boot by fetching a key over HTTPS.