i switched to Qubes OS 3.2 on my notebook some weeks ago. Besides some issues i
had it works very well.
One problem was to get the installer to install qubes on LVM-on-LUKS. I
preferred this over the default LUKS-on-LVM setup because you dont have to
encrypt any LV separately.
After fiddling around some other issues i wanted to use my yubikey to unlock
the luks partition on boot like i did it before with my ubuntu installation
After trying this:
Which did not work and besides this does manage some IMHO useless (someone may
correct me if i am wrong) extra challenges within the initramfs.
And reading this:
I came to the conclusion that there is no working solution yet. So i tried to
write my own dracut module. The main problem with this was to find the best
hook in the boot process to send the user password to the yubikey and unlock
the luks partition. After some testing i got a version which works for my
You can find the module and some install instructions at:
Please note that the current version will probably not work with a default
qubes LUKS-on-LVM installation. But if some experienced user is willing to help
testing i'll try to come up with a version that supports this too.
Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb
stuff via its own rd.ykluks.hide_all_usb command line parameter because the
yubikey is connected via USB and needs to be accessable until we got the
challenge from it. i am still unsure if this is the best method to implement
this. So if anyone with a deeper knowledge of qubes/dracut does have a
better/more secure solution i happy about any help.
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
To post to this group, send email to firstname.lastname@example.org.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.