YubiKey Full Disk Encryption

This repository contains a step-by-step tutorial to create a full disk encryption setup with two factor authentication (2FA) via YubiKey. It contains:

  • YubiKey encrypted root (/) and home (/home) folder on separated partitions
  • Encrypted /boot partition
  • UEFI Secure boot (self signed boot loader)
  • YubiKey authentication for user login

Currently guides for:

  • Arch Linux with helper scripts

Additional security chapter:

  • Disable INTEL AMT
  • Disable AMD PSP


It took me several days to figure out how to set up a fully encrypted machine with 2FA. This guide should help others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step guide to get the above things done.

I guess the entire manual will take between 1 - 3 hours.


You should be familiar with linux and should be able to edit files with vi Vi Cheat Sheet. You need an USB stick for the Linux Live environment and a second computer would be useful for look ups and to read this guide while preparing your fully encrypted Linux.

And of course you will need at least two YubiKeys.

WARNING: You gonna get a bricked machine if you only have a single Yubikey and it breaks.

Support this guide


For the latest online documentation visit http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/. Refer the Quick Start section for a detailed explanation.

Documentation is in the book tree, and can be compiled using bookdown or Docker

$ docker run -it --rm -v $(pwd):/app sandrokeil/bookdown bookdown.json
$ docker run -it --rm -p 8080:8080 -v $(pwd):/app php:7.1-cli php -S -t /app/html

or run bookdown

$ ./vendor/bin/bookdown bookdown.json
$ php -S -t html/

Then browse to http://localhost:8080/