feat(luks): add LUKS section

Co-authored-by: Gemini <gemini@google.com>

.github/workflows/build-release.yaml

@@ -7,7 +7,7 @@ on:
       - main
     paths:
       - '**.md'
-      - '.gitea/workflows/**'
+      - '.github/workflows/**'
       - 'md-pdf.ron'
 
 jobs:
@@ -22,11 +22,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Install Fonts
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y fonts-liberation
-
       - name: Install Rust
         uses: dtolnay/rust-toolchain@stable
 
@@ -40,7 +35,7 @@ jobs:
           tar -xJf typst.tar.xz --strip-components=1 -C /usr/local/bin/ typst-x86_64-unknown-linux-musl/typst
           typst --version
 
-      - name: Install Typst & md-pdf (Rust)
+      - name: Install md-pdf (Rust)
         run: |
           cargo install md-pdf
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
@@ -66,10 +61,19 @@ jobs:
           echo "tag=$NEW_TAG" >> $GITHUB_OUTPUT
           echo "Next version : $NEW_TAG"
 
+      - name: Push Tag
+        run: |
+          git config user.name "Gitea Actions"
+          git config user.email "actions@gitea.local"
+          git tag ${{ steps.version.outputs.tag }}
+          git push origin ${{ steps.version.outputs.tag }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       # Create release and upload PDF
       # Note: softprops works very well on recent Gitea
       - name: Create Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v1
         if: ${{ steps.version.outputs.tag != '' }} # Safety check
         with:
           tag_name: ${{ steps.version.outputs.tag }}

README.md

@@ -1,3 +1,13 @@
+---
+title: "PIS"
+subtitle: "Policy for Internal Security"
+author: "Rémi Heredero "
+language: "en"
+tags: ["gpg", "ssh", "x509", "YubiKey", "security"]
+toc: false
+template: "simple"
+---
+
 # Policy for Internal Security
 This repo describes my P.I.S. (**P**olicy for **I**nternal **S**ecurity).
 You'll find my personal guidelines for SSH / GPG on YubiKey and how to configure and create a key / certificate.
@@ -195,11 +205,49 @@ This creates the file `id_ed25519_sk-keyring-cert.pub` that is the certificate t
 
 ---
 
-# x509
+# LUKS
+
+It's possible to add a Yubikey as a second option to unlock a LUKS partition.
+
+The first step is to find the encrypted partition.
+```bash
+lsblk
+```
+`nvme1n1p3` is the encrypted partition in my case.
+
+## Enroll
+Add a new way to unlock the partition with the YubiKey. This add a FIDO device, not replace the password way. You can still unlock the partition with the password if you forget the YubiKey.
+
+This step have to be done for each Yubikey you want to use to unlock the partition.
+
+```bash
+sudo systemd-cryptenroll --fido2-device=auto /dev/nvme1n1p3
+```
+Actual passphrase is requested, then Yubikey Fido2 PIN, then you have to touch it 2 time to confirme presence.
+
+## Config `/etc/crypttab`
+This step have to be only once.
+
+Backup and edit crypttab
+```bash
+sudo cp /etc/crypttab /etc/crypttab.bak
+sudo nano /etc/crypttab
+```
+
+Add `,fido2-device=auto` (without any space) at the end of the line that describe the encrypted partition. It should look like that at the end: 
+
+```
+luks-1234... UUID=1234... none discard,fido2-device=auto
+```
+
+## Re-Generate initramfs
+This step have to be only once.
+
+After enrolling the YubiKey, you need to re-generate the initramfs to be able to unlock the partition at boot time.
+```bash
+sudo dracut -f
+```
 
-## Master YubiKey
-I create a certificate in PIV slot 9a with Yubico authenticator. This CA would be used as a Root CA for my server.
-TODO fix with XCA
 
 ---