feat(luks): add LUKS section

ci: push tag
Co-authored-by: Gemini <gemini@google.com>
2026-02-14 21:57:12 +01:00 · 2026-02-14 02:33:16 +01:00 · 2026-02-14 02:19:20 +01:00 · 2026-02-14 02:18:49 +01:00
2 changed files with 56 additions and 4 deletions
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -7,7 +7,7 @@ on:
      - main
    paths:
      - '**.md'
-      - '.gitea/workflows/**'
+      - '.github/workflows/**'
      - 'md-pdf.ron'

 jobs:
@@ -61,6 +61,15 @@ jobs:
          echo "tag=$NEW_TAG" >> $GITHUB_OUTPUT
          echo "Next version : $NEW_TAG"

+      - name: Push Tag
+        run: |
+          git config user.name "Gitea Actions"
+          git config user.email "actions@gitea.local"
+          git tag ${{ steps.version.outputs.tag }}
+          git push origin ${{ steps.version.outputs.tag }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
      # Create release and upload PDF
      # Note: softprops works very well on recent Gitea
      - name: Create Release
--- a/README.md
+++ b/README.md
@@ -1,14 +1,11 @@
 ---
 title: "PIS"
 subtitle: "Policy for Internal Security"
-#logo: "path/to/logo.png"
 author: "Rémi Heredero "
 language: "en"
 tags: ["gpg", "ssh", "x509", "YubiKey", "security"]
 toc: false
 template: "simple"
-#date: "2026-01-23"
-version: "0.1.0"
 ---

 # Policy for Internal Security
@@ -206,6 +203,52 @@ ssh-keygen -D /usr/lib64/libykcs11.so.2 \
 ```
 This creates the file `id_ed25519_sk-keyring-cert.pub` that is the certificate to use for authentication. 

+---
+
+# LUKS
+
+It's possible to add a Yubikey as a second option to unlock a LUKS partition.
+
+The first step is to find the encrypted partition.
+```bash
+lsblk
+```
+`nvme1n1p3` is the encrypted partition in my case.
+
+## Enroll
+Add a new way to unlock the partition with the YubiKey. This add a FIDO device, not replace the password way. You can still unlock the partition with the password if you forget the YubiKey.
+
+This step have to be done for each Yubikey you want to use to unlock the partition.
+
+```bash
+sudo systemd-cryptenroll --fido2-device=auto /dev/nvme1n1p3
+```
+Actual passphrase is requested, then Yubikey Fido2 PIN, then you have to touch it 2 time to confirme presence.
+
+## Config `/etc/crypttab`
+This step have to be only once.
+
+Backup and edit crypttab
+```bash
+sudo cp /etc/crypttab /etc/crypttab.bak
+sudo nano /etc/crypttab
+```
+
+Add `,fido2-device=auto` (without any space) at the end of the line that describe the encrypted partition. It should look like that at the end: 
+
+```
+luks-1234... UUID=1234... none discard,fido2-device=auto
+```
+
+## Re-Generate initramfs
+This step have to be only once.
+
+After enrolling the YubiKey, you need to re-generate the initramfs to be able to unlock the partition at boot time.
+```bash
+sudo dracut -f
+```
+
+
 ---

 # Troubleshooting
Author	SHA1	Message	Date
Klagarge	4ce9cc1fb0	feat(luks): add LUKS section All checks were successful Build PDF & Release / release (push) Successful in 1m41s Details	2026-02-14 21:57:12 +01:00
Klagarge	0f0ba243d5	ci: push tag All checks were successful Build PDF & Release / release (push) Successful in 1m37s Details Co-authored-by: Gemini <gemini@google.com>	2026-02-14 02:33:16 +01:00
Klagarge	03031b5ca8	chores: remove unused metadata Some checks failed Build PDF & Release / release (push) Failing after 1m35s Details	2026-02-14 02:19:20 +01:00
Klagarge	07a101488b	ci: fix path	2026-02-14 02:18:49 +01:00