Hello arch forum'
I plan to move to arch til' 2 weeks but i'am looking to do a 2 form factor authentification for a LUKS encrypted system.
Actually, i have read the whole page at >https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS#Adding_Additional_Passphrases_or_Keyfiles_to_a_LUKS_Encrypted_Partition
But i dont understand if its possible to do a passphrase + keyfile strategy, by the way, if one of the both condition are not completed, the partition is unreadable/stay encrypted.
Keyfile only strategy is useless in my plan, since i need do have my laptop secured Even if someone have physical access to it.
The ideal will be to have the passphrase to enter at boot + keyfile on a USB key
It is not possible with the standard packages. The wiki describes two approaches in this part: https://wiki.archlinux.org/index.php/LU … d_Keyfiles
Plenty to read in the linked bbs threads here with great howtos by users. But since you say it will be your first Arch install, you might either want to do a regular install first or test it in a virtual machine first. This is because you will have to modify the Arch standard to get it to work.
If you know other ways for 2-way authentication for luks (e.g. implementations in other distros), please state them here.
Yeah i will try on a Vmware vm before ..
So after i read this > https://bbs.archlinux.org/viewtopic.php … 38#p943338
Tell me if i'am wrong :
1/ The drive/os is encrypted with AES256-XTS512
2/ The "Keyfile" is GPG/OpenSSL encrypted , can be stored on external media
3/ After all the change done like in the how to, i will need to enter a passphrase (longer is better) FOR the KEYFILE , then the KEYFILE will be unlocked and the encrypted contant on the OS too.
By the way, did ARCH need to put somes data to the MBR of the drive ? I'am using multi-boot system on a 940GB Crucial M5 ssd, with
1/ Windows 7 os for home
2/ Windows 7 os for work
3/ Penetration testing live CD of BT5
4/ > Encrypted OS (Arch)
I think its more likely a clean-partitoning affair but tell me if i'am wrong.
Yes to your 1,2,3 procedure. For 1: of course any encryption cipher you choose is up to you when you install it. When the key-file is unlocked, it is used by the initramfs to unlock the encrypted partition. Since you apparently have not installed this distro before, I think you should try it with a regular encrypted arch system first and add to that the encrypted key-file.
940MB SSD .. that was definitely more expensive than my whole machine here
You should read the beginner's guide and the specific pages for the bootmanagers. In general you can use any bootmanager that is capable of booting a linux distribution, or use the one's provided by Arch to let it multiboot the others.