From 8fc9e0dcce0f9e87756cdcd7caa8f3b6c1c68681 Mon Sep 17 00:00:00 2001
From: Shimun
Date: Thu, 26 Sep 2019 15:57:16 +0200
Subject: [PATCH] extended readme

---
 README.md | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 323df22..5c502bc 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # fido2luks
 
-This will allow you to unlock your luks encrypted disk with an fido2 compatable key
+This will allow you to unlock your luks encrypted disk with an fido2 compatible key
 
 Note: This has only been tested under Fedora 30 using a Solo Key
 
@@ -43,14 +43,22 @@ sudo make install
 
 ### Grub
 
-Add `rd.luks.2fa=:` to `GRUB_CMDLINE_LINUX`
+Add `rd.luks.2fa=:` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 
-Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks addkey`
+Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key`
 
 ```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 
+I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
+
+```
+mkdir /boot/fido2luks/
+cp /usr/bin/fido2luks /boot/fido2luks/
+cp fido2luks.conf /boot/fido2luks/
+```
+
 ## Test
 
 Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
@@ -61,3 +69,15 @@ cryptsetup luksHeaderBackup /dev/disk/by-uuid/ --header-backup-file l
 #There is no turning back if you mess this up, make sure you made a backup
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/
 ```
+
+## Removal
+
+Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
+
+```
+set -a
+. fido2luks.conf
+sudo -E fido2luks -i replace-key /dev/disk/by-uuid/
+
+sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf
+```