Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi
Tutorial to create full disk encryption with YubiKey, encrypted boot partition and secure boot with UEFI
2fa arch-linux full-disk-encryption luks lvm2 secure-boot uefi yubikey
Last synced: 17 days ago
- Host: GitHub
- URL: https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi
- Owner: sandrokeil
- Created: 2018-07-07T10:33:19.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2019-10-24T15:25:24.000Z (about 5 years ago)
- Last Synced: 2024-10-10T10:11:25.317Z (about 1 month ago)
- Topics: 2fa, arch-linux, full-disk-encryption, luks, lvm2, secure-boot, uefi, yubikey
- Language: Shell
- Homepage: https://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/
- Size: 128 KB
- Stars: 105
- Watchers: 4
- Forks: 13
- Open Issues: 5
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
README
# YubiKey Full Disk Encryption
[This repository](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi "YubiKey Full Disk Encryption Repository")
contains a step-by-step tutorial to create a full disk encryption setup with two-factor authentication (2FA)
via [YubiKey](https://yubico.com/products/yubikey-hardware/). It contains:

- YubiKey encrypted `root (/)` and `home (/home)` folders on separate partitions
- Encrypted `/boot` partition
- UEFI Secure Boot (self-signed boot loader)
- YubiKey authentication for user login

Currently there are guides for:
- Arch Linux with helper scripts
Additional security chapter:
- Disable Intel AMT
- Disable AMD PSP

## Why
It took me several days to figure out how to set up a fully encrypted machine with 2FA. This guide should help
others to get it done in minutes (hopefully). There are plenty of tutorials, but none contains a step-by-step
guide to get the above things done.

> I guess the entire manual will take between 1 - 3 hours.
## Prerequisites
You should be familiar with Linux and should be able to edit files with `vi` ([Vi Cheat Sheet](http://www.lagmonster.org/docs/vi.html)).
You need a USB stick for the Linux Live environment, and a second computer would be useful for lookups and to read this guide while
preparing your fully encrypted Linux.

And of course you will need at least **two** [YubiKeys](https://www.yubico.com/products/yubikey-hardware/ "Discover YubiKeys").
**WARNING:** You are going to get a bricked machine if you only have a single YubiKey and it breaks.
## Support this guide
- Star [this project](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi "YubiKey Full Disk Encryption Repository") on GitHub
- Spread this guide, so everyone can use it
- Help to improve this guide, [create an issue](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi/issues "Create a new issue")

## Documentation
For the latest online documentation visit [http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/](http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/ "Latest yubikey-full-disk-encryption-secure-boot-uefi documentation").
Refer to the *Quick Start* section for a detailed explanation.

Documentation is [in the book tree](book/), and can be compiled using [bookdown](http://bookdown.io) or [Docker](https://www.docker.com/):
```console
$ docker run -it --rm -v $(pwd):/app sandrokeil/bookdown bookdown.json
$ docker run -it --rm -p 8080:8080 -v $(pwd):/app php:7.1-cli php -S 0.0.0.0:8080 -t /app/html
```

or run *bookdown*
```console
$ ./vendor/bin/bookdown bookdown.json
$ php -S 0.0.0.0:8080 -t html/
```

Then browse to [http://localhost:8080/](http://localhost:8080/)