Hello,
sorry for the long delay. Didnt had time to answer.
If some of you is willing to help with testing LUKS-on-LVM could you please
provide the output of the commands below?
sudo su -
. /usr/lib/dracut/modules.d/99base/dracut-lib.sh
getarg rd.ykluks.uuid
If you have not modified your grub config for the ykluks dracut module yet
use this getarg command:
getarg rd.luks.uuid
Regarding the other questions/problems.
2) If you want to unlock the luks device without yubikey you can use the
steps from the "Something went wrong :(" section, skipping step 4. This
should disable the ykluks module and re-enable normal luks handling for one
boot.
3) I do have two notebooks with Qubes 3.2 and yubikey for luks unlock Both
do a re-prompt on wrong password. Can you please describe in detail what
steps could be used to reproduce?
Thanks
the2nd
On Tue, Oct 3, 2017 at 5:11 AM, Ron Hunter-Duvar <ro...@shaw.ca> wrote:
> On 10/02/2017 08:34 PM, joevio...@gmail.com wrote:
>
>> On Saturday, 5 August 2017 11:20:27 UTC-4, the2nd wrote:
>>
>>> Hi,
>>>
>>> i switched to Qubes OS 3.2 on my notebook some weeks ago. Besides some
>>> issues i had it works very well.
>>>
>>> One problem was to get the installer to install qubes on LVM-on-LUKS. I
>>> preferred this over the default LUKS-on-LVM setup because you dont have to
>>> encrypt any LV separately.
>>> ...
>>> Please note that the current version will probably not work with a
>>> default qubes LUKS-on-LVM installation. But if some experienced user is
>>> willing to help testing i'll try to come up with a version that supports
>>> this too.
>>>
>>> Besides the yubikey/luks stuff the module handles the
>>> rd.qubes.hide_all_usb stuff via its own rd.ykluks.hide_all_usb command line
>>> parameter because the yubikey is connected via USB and needs to be
>>> accessable until we got the challenge from it. i am still unsure if this is
>>> the best method to implement this. So if anyone with a deeper knowledge of
>>> qubes/dracut does have a better/more secure solution i happy about any help.
>>>
>>> Regards
>>> the2nd
>>>
>> This is working great for me.
>> A few questions though:
>>
>> 1) The default Qubes 3.2 install seems to be LVM-on-LUKS where there is
>> only one LUKS encryption and root/swap LVMs within that. So your
>> instructions work with the default install.
>>
>> ...
>>
> I'd have to say that the2nd is right. I didn't notice on my first Qubes
> 3.2 install, because I only had one encrypted partition on my OS drive
> (skipped a swap partition, despite the installer's whining). Second time
> around I gave in and created one.
>
> lsblk shows sda2 with a luks-encrypted / within it, and sda3 with a
> luks-encrypted swap. If it were LVM-on-LUKS, it would be a single
> luks-encrypted partition two logical volumes within it.
>
> Ron
>
> PS: I'm a Qubes-noob, but long-time Linux user.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/to
> pic/qubes-users/hB0XaquzBAg/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/ms
> gid/qubes-users/814cee70-0b5c-12a4-ee3e-bdb1f5479f3e%40shaw.ca.
>
> For more options, visit https://groups.google.com/d/optout.
>
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/CAA0%2BMPc4-cyKchwsxWwtMdiOqwe_YK3JD_R0YHAOf79i8nisAw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
