Commit 9f981a60 authored by Klaus Frank's avatar Klaus Frank

Update etc/ykfde.conf, arch-linux-install.sh files

parent b2a9d138
......@@ -212,3 +212,27 @@ systemctl --user enable --now offlineimap-oneshot@MSExchange.service
# TODO: Copy /etc/systemd/ssh-agent.service to /etc/systemd/user/ssh-agent.service
systemctl --user enable --now ssh-agent.service
# Use `ssh-add -s /usr/lib/opensc-pkcs11.so` to unlock yubikey for use with openssh
# Yubikey Luks unlock:
# AUR package yubikey-full-disk-encryption-git
git submodule add -b master https://aur.archlinux.org/yubikey-full-disk-encryption-git.git
cd yubikey-full-disk-encryption-git
makepkg
sudo pacman -U yubikey-full-disk-encryption-git-*-any.pkg.tar
# TODO: Copy etc/ykfde.conf to /etc/ykfde.conf
# Insert luks partition uuid into YKFDE_DISK_UUID=""
# Luks partition uuid can be queried using:
sudo cryptsetup luksDump /dev/sda3 | grep UUID
# Add Yubikey to Luks volume Key Slot 7
sudo ykfde-enroll -d /dev/sda3 -s 7
sudo nano /etc/mkinitcpio.conf
# TODO: Replace the encrypt with ykfde (HOOKS)
# and add "xhci_pci thinkpad_acpi ehci_pci aesni_intel"
# to MODULES
# Than regenerate the ramdisk,
# Systemd hooks currently don't work, but they are slower
# anyway. Even though systemd-boot is used.
sudo mkinitcpio -p linux
# Delete passphrase from volume (clear key slot 0):
sudo ykfde-enroll -d /dev/sda3 -s 0 -k
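Review bot: Clearing key slot 0 on the last line removes the only non-YubiKey way to open /dev/sda3, so a lost, broken or re-programmed YubiKey makes the volume unrecoverable; before that step, reboot once and confirm the enrolled slot 7 really unlocks the disk from the new initramfs, and keep a recovery path. At minimum take a header backup (`sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file ykfde-header.img` stored off the machine), and consider leaving a strong recovery passphrase in a second slot rather than wiping slot 0 outright. The `git submodule` / `makepkg` / `sudo pacman -U` sequence on lines 12–15 installs an unreviewed AUR package whose hook then runs as root at every boot, so the PKGBUILD and the installed hook should be read before `makepkg`. Also, `*-any.pkg.tar` only matches an uncompressed package; with a compressed PKGEXT the file is `.pkg.tar.xz`/`.pkg.tar.zst`, so `yubikey-full-disk-encryption-git-*-any.pkg.tar*` is the safer glob.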
### Configuration for 'yubikey-full-disk-encryption'.
### Remove hash (#) symbol and set non-empty ("") value for chosen options to
### enable them.
### *REQUIRED* ###
# Set to non-empty value to use 'Automatic mode with stored challenge (1FA)'.
#YKFDE_CHALLENGE="StaticChallange"
# Use 'Manual mode with secret challenge (2FA)'.
YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
# Possible values are "1" or "2". Defaults to "2".
#YKFDE_CHALLENGE_SLOT="2"
### OPTIONAL ###
# Enable communication with YubiKey via NFC (Experimental).
#YKFDE_NFC="1"
# UUID of device to unlock with 'cryptsetup'.
# Leave empty to use 'cryptdevice' boot parameter.
YKFDE_DISK_UUID=""
# LUKS encrypted volume name after unlocking.
# Leave empty to use 'cryptdevice' boot parameter.
YKFDE_LUKS_NAME="luks"
# Device to unlock with 'cryptsetup'. If left empty and 'YKFDE_DISK_UUID'
# is enabled this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID".
# Leave empty to use 'cryptdevice' boot parameter.
#YKFDE_LUKS_DEV=""
# Optional flags passed to 'cryptsetup'. Example: "--allow-discards" for TRIM
# support. Leave empty to use 'cryptdevice' boot parameter.
YKFDE_LUKS_OPTIONS="--allow-discards"
# Number of times to try assemble 'ykfde passphrase' and run 'cryptsetup'.
# Defaults to "5".
#YKFDE_CRYPTSETUP_TRIALS="5"
# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'.
# Defaults to "30".
#YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
# Number of seconds to wait after successful decryption.
# Defaults to empty, meaning NO wait.
#YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
# Verbose output. It will print all secrets to terminal.
# Use only for debugging.
#DBG="1"
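Review bot: `YKFDE_LUKS_OPTIONS="--allow-discards"` passes TRIM through the dm-crypt layer, which cryptsetup's own documentation warns leaks information about the encrypted device (free-space layout, filesystem type, amount of used space) to anyone who later reads the disk; the trade-off should be a deliberate choice recorded in the file rather than a bare option. A comment such as `# --allow-discards: TRIM passthrough for the SSD; leaks free-space layout of the LUKS volume, accepted` would do. The 2FA setting (`YKFDE_CHALLENGE_PASSWORD_NEEDED="1"`) is the right default for a laptop; leave it that way unless the 1FA `YKFDE_CHALLENGE` line is consciously enabled, since a stored static challenge reduces the YubiKey to a possession-only factor.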