This allows a LUKS-encrypted hard disk to be unlocked automatically from a systemd-enabled initramfs.
To compile and use yubikey full disk encryption you need:

Additionally, make and pkg-config are expected to be available to compile successfully.
Building and installing is very easy. Just run:

make

followed by:

make install-mkinitcpio

This will place the files in their intended locations in the filesystem.
Make sure systemd knows about your encrypted device by adding a line to /etc/crypttab.initramfs. It should read like:

mapping-name /dev/LUKS-device -

Update /etc/ykfde.conf with the correct settings. Add the mapping-name from above as the device name in the general section. Then add a new section named after your key's decimal serial number, containing the key slot setting. The file should look like this:

[general]
device name = crypt

[1234567]
luks slot = 1

Be warned: Do not remove or overwrite your interactive key! Keep that for backup and rescue!
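The mapping name in /etc/crypttab.initramfs and the device name in /etc/ykfde.conf have to agree, and the configured LUKS slot must not be the one holding the interactive passphrase. The following checker is an added example, not part of ykfde itself; it parses constructed copies of both files and reports inconsistencies. It assumes the interactive passphrase lives in LUKS slot 0 (pass a different interactive_slot if yours does not).

```python
import configparser

# Constructed sample of /etc/crypttab.initramfs (not taken from a real system)
SAMPLE_CRYPTTAB = """\
# <name>  <device>          <password>
crypt     /dev/LUKS-device  -
"""

# Constructed sample of /etc/ykfde.conf following the layout shown above
SAMPLE_YKFDE_CONF = """\
[general]
device name = crypt

[1234567]
luks slot = 1
"""


def parse_crypttab(text: str) -> set:
    """Return the mapping names declared in a crypttab-style file."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split()[0])
    return names


def parse_ykfde_conf(text: str):
    """Return (device name, {serial: luks slot}) from ykfde.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    device = cp.get("general", "device name", fallback=None)
    keys = {}
    for section in cp.sections():
        if section == "general":
            continue
        keys[section] = cp.get(section, "luks slot", fallback=None)
    return device, keys


def check_config(conf_text: str, crypttab_text: str, interactive_slot: int = 0) -> list:
    """Return a list of problems; an empty list means the two files are consistent.

    interactive_slot is the LUKS key slot holding the passphrase you type by
    hand (assumed to be slot 0 here); ykfde must never be pointed at it.
    """
    problems = []
    device, keys = parse_ykfde_conf(conf_text)
    mappings = parse_crypttab(crypttab_text)

    if device is None:
        problems.append("[general] has no 'device name'")
    elif device not in mappings:
        problems.append(f"device name '{device}' is not a mapping in crypttab.initramfs")

    if not keys:
        problems.append("no YubiKey serial section found")
    for serial, slot in keys.items():
        if not serial.isdigit():
            problems.append(f"section [{serial}] is not a decimal serial number")
        if slot is None or not slot.isdigit():
            problems.append(f"[{serial}] has no integer 'luks slot'")
        elif int(slot) == interactive_slot:
            problems.append(f"[{serial}] points at interactive slot {interactive_slot}")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_YKFDE_CONF, SAMPLE_CRYPTTAB):
        print("problem:", problem)
```

Run it against the real files by reading /etc/ykfde.conf and /etc/crypttab.initramfs into the two arguments; a non-empty list means the initramfs hook will fail to find the device or, worse, that ykfde would write into the slot you need for rescue.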
ykfde will read its information from these files. Then prepare the key: plug it in and make sure it is configured for HMAC-SHA1 (challenge-response).

After that run:

ykfde

This will store a challenge in /etc/ykfde.d/ and add a new slot to your LUKS device. When ykfde asks for a password, it requires a valid password from an existing slot.

Now you have two choices. Use either of the two hooks, depending on whether you want to update the challenge/response on every boot (ykfde-cpio) or not (ykfde).
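What ykfde stores on disk is only the challenge; the response the key computes for it is the passphrase sitting in the new LUKS slot. The model below is an added example, not ykfde's or mkinitcpio's code: it stands in for a YubiKey HMAC-SHA1 slot and for a LUKS header with key slots, so the enrol, boot-time unlock and per-boot rotation steps can be run offline. Class names, the 64-byte random challenge and the assumption that the interactive passphrase lives in slot 0 are all constructed for the illustration; the RFC 2202 vector is there only to prove the model computes genuine HMAC-SHA1.

```python
import hashlib
import hmac
import os

# RFC 2202 test case 1 for HMAC-SHA1, used to show the model computes the real function.
RFC2202_KEY = b"\x0b" * 20
RFC2202_DATA = b"Hi There"
RFC2202_DIGEST = "b617318655057264e28bc0b6fb378c8ef146be00"


class SimulatedYubiKey:
    """Constructed stand-in for a YubiKey slot in HMAC-SHA1 challenge-response mode.

    A real key holds the 20-byte secret in hardware and only returns
    HMAC-SHA1(secret, challenge); here the secret stays in memory so the
    derivation can run without a device.
    """

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # The HMAC-SHA1 slot accepts challenges of 1 to 64 bytes.
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class SimulatedLuksHeader:
    """Toy model of LUKS key slots: slot index -> passphrase bytes."""

    INTERACTIVE_SLOT = 0  # assumption: the hand-typed passphrase lives in slot 0

    def __init__(self, interactive_passphrase: bytes):
        self.slots = {self.INTERACTIVE_SLOT: interactive_passphrase}

    def set_slot(self, index: int, passphrase: bytes) -> None:
        # Mirrors the README warning: the interactive key is the rescue path.
        if index == self.INTERACTIVE_SLOT:
            raise ValueError("refusing to overwrite the interactive slot")
        self.slots[index] = passphrase

    def unlock(self, passphrase: bytes) -> bool:
        return any(hmac.compare_digest(p, passphrase) for p in self.slots.values())


def enroll(key: SimulatedYubiKey, header: SimulatedLuksHeader, slot: int) -> bytes:
    """Models `ykfde`: pick a random challenge, store the key's response as the slot passphrase.

    Returns the challenge, i.e. what would be written under /etc/ykfde.d/.
    """
    challenge = os.urandom(64)
    header.set_slot(slot, key.respond(challenge))
    return challenge


def unlock_at_boot(key: SimulatedYubiKey, header: SimulatedLuksHeader, stored_challenge: bytes) -> bool:
    """Models the initramfs hook: replay the stored challenge, use the response as passphrase."""
    return header.unlock(key.respond(stored_challenge))


def rotate(key: SimulatedYubiKey, header: SimulatedLuksHeader, slot: int) -> bytes:
    """Models the ykfde-cpio hook: fresh challenge and re-keyed slot on every boot,
    so the previous challenge/response pair stops opening the device."""
    return enroll(key, header, slot)


def demo() -> dict:
    key = SimulatedYubiKey(os.urandom(20))
    header = SimulatedLuksHeader(b"typed-rescue-passphrase")
    challenge = enroll(key, header, slot=1)
    results = {
        "boot_with_key": unlock_at_boot(key, header, challenge),
        "rescue_passphrase_still_works": header.unlock(b"typed-rescue-passphrase"),
    }
    old_response = key.respond(challenge)
    new_challenge = rotate(key, header, slot=1)
    results["old_pair_after_rotation"] = header.unlock(old_response)
    results["new_pair_after_rotation"] = unlock_at_boot(key, header, new_challenge)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two results after rotate() are the practical difference between the hooks: with the plain ykfde hook the stored challenge and its slot stay fixed across boots, while the ykfde-cpio hook replaces both on every boot, which is why it also needs the extra cpio image carrying the current challenges. In both cases the interactive slot keeps working, which is the backup the warning above is about.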
ykfde hook

Finally, add ykfde to your hook list in /etc/mkinitcpio.conf and rebuild your initramfs with:

mkinitcpio -p linux

Reboot and have fun!
ykfde-cpio hook

Add ykfde-cpio to your hook list in /etc/mkinitcpio.conf and rebuild your initramfs with:

mkinitcpio -p linux

Additionally, enable the systemd service ykfde-cpio.service and make your bootloader load the new cpio image /boot/ykfde-challenges.img (in addition to your usual initramfs).

Reboot and have fun!