From 4ce9cc1fb0e249e26cff3a2068bb07af23ae6fdc Mon Sep 17 00:00:00 2001 From: Klagarge Date: Sat, 14 Feb 2026 21:57:12 +0100 Subject: [PATCH] feat(luks): add LUKS section --- README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/README.md b/README.md index 008049e..858906e 100644 --- a/README.md +++ b/README.md @@ -203,6 +203,52 @@ ssh-keygen -D /usr/lib64/libykcs11.so.2 \ ``` This creates the file `id_ed25519_sk-keyring-cert.pub` that is the certificate to use for authentication. +--- + +# LUKS + +It's possible to add a Yubikey as a second option to unlock a LUKS partition. + +The first step is to find the encrypted partition. +```bash +lsblk +``` +`nvme1n1p3` is the encrypted partition in my case. + +## Enroll +Add a new way to unlock the partition with the YubiKey. This add a FIDO device, not replace the password way. You can still unlock the partition with the password if you forget the YubiKey. + +This step have to be done for each Yubikey you want to use to unlock the partition. + +```bash +sudo systemd-cryptenroll --fido2-device=auto /dev/nvme1n1p3 +``` +Actual passphrase is requested, then Yubikey Fido2 PIN, then you have to touch it 2 time to confirme presence. + +## Config `/etc/crypttab` +This step have to be only once. + +Backup and edit crypttab +```bash +sudo cp /etc/crypttab /etc/crypttab.bak +sudo nano /etc/crypttab +``` + +Add `,fido2-device=auto` (without any space) at the end of the line that describe the encrypted partition. It should look like that at the end: + +``` +luks-1234... UUID=1234... none discard,fido2-device=auto +``` + +## Re-Generate initramfs +This step have to be only once. + +After enrolling the YubiKey, you need to re-generate the initramfs to be able to unlock the partition at boot time. +```bash +sudo dracut -f +``` + + --- # Troubleshooting
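Review bot: the enrollment step in the new README section (`sudo systemd-cryptenroll --fido2-device=auto /dev/nvme1n1p3`) silently assumes a LUKS2 header and exactly one FIDO2 token plugged in; systemd-cryptenroll refuses LUKS1 volumes, and `--fido2-device=auto` only resolves when a single FIDO2 device is present, so the "Enroll" paragraph ("This step have to be done for each Yubikey") should tell readers to connect the keys one at a time and state the LUKS2 requirement (`sudo cryptsetup luksDump /dev/nvme1n1p3 | grep Version` shows it). It would also help to document how to confirm the result before touching crypttab, since `sudo systemd-cryptenroll /dev/nvme1n1p3` with no other options lists the enrolled slots and `--wipe-slot=fido2` removes them if a key is lost. After `sudo dracut -f`, a check such as `lsinitrd | grep -i fido2` confirms the FIDO2 libraries were actually pulled into the initramfs; the `fido2-device=auto` crypttab option cannot work at boot without them. Minor wording in the added text: "This add a FIDO device, not replace the password way", "This step have to be only once" and "touch it 2 time to confirme presence" read awkwardly and should be reworded.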