Hello, sorry for the long delay. Didnt had time to answer.
If some of you is willing to help with testing LUKS-on-LVM could you please provide the output of the commands below? sudo su - . /usr/lib/dracut/modules.d/99base/dracut-lib.sh getarg rd.ykluks.uuid If you have not modified your grub config for the ykluks dracut module yet use this getarg command: getarg rd.luks.uuid Regarding the other questions/problems. 2) If you want to unlock the luks device without yubikey you can use the steps from the "Something went wrong :(" section, skipping step 4. This should disable the ykluks module and re-enable normal luks handling for one boot. 3) I do have two notebooks with Qubes 3.2 and yubikey for luks unlock Both do a re-prompt on wrong password. Can you please describe in detail what steps could be used to reproduce? Thanks the2nd On Tue, Oct 3, 2017 at 5:11 AM, Ron Hunter-Duvar <ro...@shaw.ca> wrote: > On 10/02/2017 08:34 PM, joevio...@gmail.com wrote: > >> On Saturday, 5 August 2017 11:20:27 UTC-4, the2nd wrote: >> >>> Hi, >>> >>> i switched to Qubes OS 3.2 on my notebook some weeks ago. Besides some >>> issues i had it works very well. >>> >>> One problem was to get the installer to install qubes on LVM-on-LUKS. I >>> preferred this over the default LUKS-on-LVM setup because you dont have to >>> encrypt any LV separately. >>> ... >>> Please note that the current version will probably not work with a >>> default qubes LUKS-on-LVM installation. But if some experienced user is >>> willing to help testing i'll try to come up with a version that supports >>> this too. >>> >>> Besides the yubikey/luks stuff the module handles the >>> rd.qubes.hide_all_usb stuff via its own rd.ykluks.hide_all_usb command line >>> parameter because the yubikey is connected via USB and needs to be >>> accessable until we got the challenge from it. i am still unsure if this is >>> the best method to implement this. So if anyone with a deeper knowledge of >>> qubes/dracut does have a better/more secure solution i happy about any help. >>> >>> Regards >>> the2nd >>> >> This is working great for me. >> A few questions though: >> >> 1) The default Qubes 3.2 install seems to be LVM-on-LUKS where there is >> only one LUKS encryption and root/swap LVMs within that. So your >> instructions work with the default install. >> >> ... >> > I'd have to say that the2nd is right. I didn't notice on my first Qubes > 3.2 install, because I only had one encrypted partition on my OS drive > (skipped a swap partition, despite the installer's whining). Second time > around I gave in and created one. > > lsblk shows sda2 with a luks-encrypted / within it, and sda3 with a > luks-encrypted swap. If it were LVM-on-LUKS, it would be a single > luks-encrypted partition two logical volumes within it. > > Ron > > PS: I'm a Qubes-noob, but long-time Linux user. > > -- > You received this message because you are subscribed to a topic in the > Google Groups "qubes-users" group. > To unsubscribe from this topic, visit https://groups.google.com/d/to > pic/qubes-users/hB0XaquzBAg/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > qubes-users+unsubscr...@googlegroups.com. > To post to this group, send email to firstname.lastname@example.org. > To view this discussion on the web visit https://groups.google.com/d/ms > gid/qubes-users/814cee70-0b5c-12a4-ee3e-bdb1f5479f3e%40shaw.ca. > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAA0%2BMPc4-cyKchwsxWwtMdiOqwe_YK3JD_R0YHAOf79i8nisAw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.