I switched to Qubes OS 3.2 on my notebook some weeks ago. Besides some issues I 
had, it works very well.

One problem was to get the installer to install Qubes on LVM-on-LUKS. I 
preferred this over the default LUKS-on-LVM setup because you don't have to 
encrypt any LV separately.

After fiddling around with some other issues I wanted to use my YubiKey to unlock 
the LUKS partition on boot like I did before with my Ubuntu installation.

After trying this:

Which did not work and, besides this, does manage some IMHO useless (someone may 
correct me if I am wrong) extra challenges within the initramfs.

And reading this:

and this:

I came to the conclusion that there is no working solution yet. So I tried to 
write my own dracut module. The main problem with this was to find the best 
hook in the boot process to send the user password to the YubiKey and unlock 
the LUKS partition. After some testing I got a version which works for my 

You can find the module and some install instructions at: 

Please note that the current version will probably not work with a default 
Qubes LUKS-on-LVM installation. But if some experienced user is willing to help 
with testing, I'll try to come up with a version that supports this too.

Besides the YubiKey/LUKS stuff, the module handles the rd.qubes.hide_all_usb 
stuff via its own rd.ykluks.hide_all_usb command line parameter because the 
YubiKey is connected via USB and needs to be accessible until we get the 
challenge from it. I am still unsure if this is the best method to implement 
this. So if anyone with a deeper knowledge of Qubes/dracut has a 
better/more secure solution, I am happy about any help.

