You can use the file scripts/arch/03-ykfde.sh.
Download or mount yubikey-full-disk-encryption and install it in your Arch Linux Live environment. This is needed because we will format the 4th partition as a LUKS volume whose passphrase is built from the YubiKey's challenge-response, and the ykfde tools have to be present in the live system to do that.
Open the yubikey-full-disk-encryption folder and run make install.
cd yubikey-full-disk-encryption
make install
Now it's time to prepare the second slot of your YubiKey for challenge-response authentication. Touch will also be required for every response (the -ochal-btn-trig option), so no response can be produced without physical presence. You can also install the package yubikey-personalization-gui. It allows customization of the secret key, creation of a secret key backup and writing the same secret key to multiple YubiKeys, which lets you use them interchangeably to create the same ykfde passphrases.
ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
The output contains the 20 byte secret key, e.g. 7fb21c407f0693ab30259664680a047f8c462ccb. Securely save it, so you can use it to initialize another YubiKey as a backup to replace a faulty one. Anyone holding this secret can compute every response your YubiKey would give, so keep it offline and never next to the disk it protects.
Open /etc/ykfde.conf and set YKFDE_CHALLENGE_SLOT=2 because we want to use the second slot. Set YKFDE_CHALLENGE_PASSWORD_NEEDED=1 so it asks for the password (2FA). Leave the other settings as they are; they will be changed later.
Compare the file carefully with the latest version you have downloaded, since option names can differ between releases. It should look something like this:
### Configuration for 'yubikey-full-disk-encryption'.
### Remove hash (#) symbol and set non-empty ("") value for chosen options to
### enable them.
### *REQUIRED* ###
# Set to non-empty value to use 'Automatic mode with stored challenge (1FA)'.
#YKFDE_CHALLENGE=""
# Use 'Manual mode with secret challenge (2FA)'.
YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
# Possible values are "1" or "2". Defaults to "2".
YKFDE_CHALLENGE_SLOT="2"
### OPTIONAL ###
# UUID of device to unlock with 'cryptsetup'.
# Leave empty to use 'cryptdevice' boot parameter.
#YKFDE_DISK_UUID=""
# LUKS encrypted volume name after unlocking.
# Leave empty to use 'cryptdevice' boot parameter.
#YKFDE_LUKS_NAME=""
# Device to unlock with 'cryptsetup'. If left empty and 'YKFDE_DISK_UUID'
# is enabled this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID".
# Leave empty to use 'cryptdevice' boot parameter.
#YKFDE_LUKS_DEV=""
# Optional flags passed to 'cryptsetup'. Example: "--allow-discards" for TRIM
# support. Leave empty to use 'cryptdevice' boot parameter.
#YKFDE_LUKS_OPTIONS=""
# Number of times to try assemble 'ykfde passphrase' and run 'cryptsetup'.
# Defaults to "5".
#YKFDE_CRYPTSETUP_TRIALS="5"
# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'.
# Defaults to "30".
#YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
# Number of seconds to wait after successful decryption.
# Defaults to empty, meaning NO wait.
#YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
# Verbose output. It will print all secrets to terminal.
# Use only for debugging.
#DBG="1"
The next step is to format the 4th partition. ykfde-format wraps cryptsetup luksFormat, so you can modify the remaining arguments if you know what you are doing.
Ensure that you use the 4th partition: replace [device 4th partition] with the 4th partition of your device, e.g. nvme0n1p4. Formatting destroys everything on that partition, so double-check the device name with lsblk first.
The command ykfde-format will prompt you to enter your challenge (2FA) password. Use a strong password which you can remember: you have to type this password, and touch the YubiKey, every time you decrypt your disk. The command ykfde-open will unlock a LUKS encrypted volume on a running system.
ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/[device 4th partition]
ykfde-open -d /dev/[device 4th partition] -n cryptlvm
Display the crypt volume with ls -la /dev/mapper/. The next step is to prepare the logical volumes.