On Sunday, 22 October 2017 08:56:55 UTC-4, the2nd wrote: > Regarding the other questions/problems. > > 2) If you want to unlock the luks device without yubikey you can use the > steps from the "Something went wrong :(" section, skipping step 4. This > should disable the ykluks module and re-enable normal luks handling for one > boot. > Thanks.
> 3) I do have two notebooks with Qubes 3.2 and yubikey for luks unlock Both do > a re-prompt on wrong password. Can you please describe in detail what steps > could be used to reproduce? I actually meant to write originally, that it is not a problem with wrong password. But rather a timeout if waiting for a while. Entering the password after a few minutes results in an error and I must reboot. > > Thanks > the2nd > > > > > > > > > > On Tue, Oct 3, 2017 at 5:11 AM, Ron Hunter-Duvar <ro...@shaw.ca> wrote: > On 10/02/2017 08:34 PM, joev...@gmail.com wrote: > > > On Saturday, 5 August 2017 11:20:27 UTC-4, the2nd wrote: > > > Hi, > > > > i switched to Qubes OS 3.2 on my notebook some weeks ago. Besides some issues > i had it works very well. > > > > One problem was to get the installer to install qubes on LVM-on-LUKS. I > preferred this over the default LUKS-on-LVM setup because you dont have to > encrypt any LV separately. > > ... > > Please note that the current version will probably not work with a default > qubes LUKS-on-LVM installation. But if some experienced user is willing to > help testing i'll try to come up with a version that supports this too. > > > > Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb > stuff via its own rd.ykluks.hide_all_usb command line parameter because the > yubikey is connected via USB and needs to be accessable until we got the > challenge from it. i am still unsure if this is the best method to implement > this. So if anyone with a deeper knowledge of qubes/dracut does have a > better/more secure solution i happy about any help. > > > > Regards > > the2nd > > > This is working great for me. > > A few questions though: > > > > 1) The default Qubes 3.2 install seems to be LVM-on-LUKS where there is only > one LUKS encryption and root/swap LVMs within that. So your instructions > work with the default install. > > > > ... > > > I'd have to say that the2nd is right. I didn't notice on my first Qubes 3.2 > install, because I only had one encrypted partition on my OS drive (skipped a > swap partition, despite the installer's whining). Second time around I gave > in and created one. > > > > lsblk shows sda2 with a luks-encrypted / within it, and sda3 with a > luks-encrypted swap. If it were LVM-on-LUKS, it would be a single > luks-encrypted partition two logical volumes within it. > > > > Ron > > > > PS: I'm a Qubes-noob, but long-time Linux user. > > > > -- > > You received this message because you are subscribed to a topic in the Google > Groups "qubes-users" group. > > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/qubes-users/hB0XaquzBAg/unsubscribe. > > To unsubscribe from this group and all its topics, send an email to > qubes-users...@googlegroups.com. > > To post to this group, send email to qubes...@googlegroups.com. > > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/814cee70-0b5c-12a4-ee3e-bdb1f5479f3e%40shaw.ca. > > > > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to firstname.lastname@example.org. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/78d52a21-22fd-4fea-9c24-996ec5d86ad9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.