Hi, i switched to Qubes OS 3.2 on my notebook some weeks ago. Besides some issues i had it works very well.
One problem was to get the installer to install qubes on LVM-on-LUKS. I preferred this over the default LUKS-on-LVM setup because you dont have to encrypt any LV separately. After fiddling around some other issues i wanted to use my yubikey to unlock the luks partition on boot like i did it before with my ubuntu installation (https://github.com/cornelinux/yubikey-luks). After trying this: https://github.com/bpereto/ykfde/blob/master/README-dracut.md Which did not work and besides this does manage some IMHO useless (someone may correct me if i am wrong) extra challenges within the initramfs. And reading this: https://groups.google.com/forum/#!searchin/qubes-users/yubikey$20luks%7Csort:relevance/qubes-users/7pIS_grFZ4s/AlCoPuf-BwAJ and this: https://github.com/QubesOS/qubes-issues/issues/2712 I came to the conclusion that there is no working solution yet. So i tried to write my own dracut module. The main problem with this was to find the best hook in the boot process to send the user password to the yubikey and unlock the luks partition. After some testing i got a version which works for my purposes. You can find the module and some install instructions at: https://github.com/the2nd/ykluks Please note that the current version will probably not work with a default qubes LUKS-on-LVM installation. But if some experienced user is willing to help testing i'll try to come up with a version that supports this too. Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb stuff via its own rd.ykluks.hide_all_usb command line parameter because the yubikey is connected via USB and needs to be accessable until we got the challenge from it. i am still unsure if this is the best method to implement this. So if anyone with a deeper knowledge of qubes/dracut does have a better/more secure solution i happy about any help. Regards the2nd -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5a377fe7-833f-4c53-ab31-66a2c0f667a0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
