On Saturday, 5 August 2017 11:20:27 UTC-4, the2nd  wrote:
> Hi,
> i switched to Qubes OS 3.2 on my notebook some weeks ago. Besides some issues 
> i had it works very well.
> One problem was to get the installer to install qubes on LVM-on-LUKS. I 
> preferred this over the default LUKS-on-LVM setup because you dont have to 
> encrypt any LV separately.
> After fiddling around some other issues i wanted to use my yubikey to unlock 
> the luks partition on boot like i did it before with my ubuntu installation 
> (https://github.com/cornelinux/yubikey-luks).
> After trying this:
> https://github.com/bpereto/ykfde/blob/master/README-dracut.md
> Which did not work and besides this does manage some IMHO useless (someone 
> may correct me if i am wrong) extra challenges within the initramfs.
> And reading this:
> https://groups.google.com/forum/#!searchin/qubes-users/yubikey$20luks%7Csort:relevance/qubes-users/7pIS_grFZ4s/AlCoPuf-BwAJ
> and this:
> https://github.com/QubesOS/qubes-issues/issues/2712
> I came to the conclusion that there is no working solution yet. So i tried to 
> write my own dracut module. The main problem with this was to find the best 
> hook in the boot process to send the user password to the yubikey and unlock 
> the luks partition. After some testing i got a version which works for my 
> purposes.
> You can find the module and some install instructions at: 
> https://github.com/the2nd/ykluks
> Please note that the current version will probably not work with a default 
> qubes LUKS-on-LVM installation. But if some experienced user is willing to 
> help testing i'll try to come up with a version that supports this too.
> Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb 
> stuff via its own rd.ykluks.hide_all_usb command line parameter because the 
> yubikey is connected via USB and needs to be accessable until we got the 
> challenge from it. i am still unsure if this is the best method to implement 
> this. So if anyone with a deeper knowledge of qubes/dracut does have a 
> better/more secure solution i happy about any help.
> Regards
> the2nd

This is working great for me.
A few questions though:

1)  The default Qubes 3.2 install seems to be LVM-on-LUKS where there is only 
one LUKS encryption and root/swap LVMs within that.  So your instructions work 
with the default install.

2)  It is not clear what can be done if you forget your Yubikey one day and 
want to use the really strong LUKS passphrase from another slot.
Is "Something went wrong" section in which you specify an older initramfs, the 
only way?  Do I need to periodically update this backup "org" initramfs?  And 
it doesn't mention anything about uncommentting the commented crypttab entry 
from the install instructions?

3)  It does seem to hang after timing out.  It will accept the password, but 
will not continue booting.  I can't turn the system on, and come back later to 
use the yubikey.  It seems like it is set to timeout in a minute or so.

Thank you.

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to