I saw this pop up on news.ycombinator.com last week, using a yubikey to
unlock your drives I found interesting and intend to try with a new
hardware device. I use luks extensively today, but have not done so with
full systemd integration, so this is a cool evolutionary mechanism I've
been waiting for to include hardware crypto keys. Not quite a plain-jane
usb disk, but but a yubikey can be had cheap for what we do.
http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
I've been using my yubikey with keepassxc past year or so, and would like
to do so with my hard drive encryption as well, so I would say start here.
Should be fairly agnostic between ubuntu and arch. I use arch, so will see
if/when I get around to rebuilding my existing system or a new box.
-mb
On Fri, Feb 5, 2021 at 8:18 AM Sebastian via PLUG-discuss <
plug-discuss@lists.phxlinux.org> wrote:
> Is anyone familiar with how to boot Ubuntu, and make grub use the key-file
> on the USB that is plugged into it?
> I'm trying to not need to type in the password on the device when it
> boots, but still have an encrypted root partition.
> If not, how do people keep drives encrypted in production environments
> when using Ubuntu? (Could answer this as well, "if so", since this is just
> my guess for what production environments use)
>
> (because this is what online searches bring)
> I do *not *mean:
> Boot from an encrypted USB.
> Decrypt and mount an encrypted volume at boot *AFTER* typing in the
> decryption password for root once already.
> Encrypt boot partition as well as root.
>
> Everything I found online was one of the above three things, or is Arch
> and doesn't apply to Ubuntu.
>
> I thought "eh, just do it the same way as Arch in boot parameters, as they
> both use grub, right?", but that didn't work...
> (cryptkey=devID:filesystem:fileLocation cryptdevice=devID:decrypt_root
> root=/dev/mapper/decrypt_root => update-grub)
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss