feat(luks): add LUKS section

README.md

@@ -203,6 +203,52 @@ ssh-keygen -D /usr/lib64/libykcs11.so.2 \
 ```
 This creates the file `id_ed25519_sk-keyring-cert.pub` that is the certificate to use for authentication. 
 
+---
+
+# LUKS
+
+It's possible to add a Yubikey as a second option to unlock a LUKS partition.
+
+The first step is to find the encrypted partition.
+```bash
+lsblk
+```
+`nvme1n1p3` is the encrypted partition in my case.
+
+## Enroll
+Add a new way to unlock the partition with the YubiKey. This add a FIDO device, not replace the password way. You can still unlock the partition with the password if you forget the YubiKey.
+
+This step have to be done for each Yubikey you want to use to unlock the partition.
+
+```bash
+sudo systemd-cryptenroll --fido2-device=auto /dev/nvme1n1p3
+```
+Actual passphrase is requested, then Yubikey Fido2 PIN, then you have to touch it 2 time to confirme presence.
+
+## Config `/etc/crypttab`
+This step have to be only once.
+
+Backup and edit crypttab
+```bash
+sudo cp /etc/crypttab /etc/crypttab.bak
+sudo nano /etc/crypttab
+```
+
+Add `,fido2-device=auto` (without any space) at the end of the line that describe the encrypted partition. It should look like that at the end: 
+
+```
+luks-1234... UUID=1234... none discard,fido2-device=auto
+```
+
+## Re-Generate initramfs
+This step have to be only once.
+
+After enrolling the YubiKey, you need to re-generate the initramfs to be able to unlock the partition at boot time.
+```bash
+sudo dracut -f
+```
+
+
 ---
 
 # Troubleshooting