Hi all:
I'm planning to do a fresh Arch install on my laptop and I have a few questions, so I'd like to read some opinions.
1 - My current setup uses 1 ext2 partition for /boot and one FAT32 for /boot/efi. Now I'm planning to go with only the FAT32 and mount it to /boot. Is there any drawback with this approach?
2 - Again on my current setup I have 2 LUKS-encrypted disks. One unlocks with a passphrase at boot time, the other unlocks with a keyfile, so I only have to input a password. Now I'd like to add the possibility to also use a YubiKey to unlock the system (not as a requirement, but only as a second option - I'm thinking in case my wife needs to access my laptop and doesn't have the passwords, she could just insert the YubiKey and boot and login). I believe this is possible, but so far, all the info I found is related to 2FA and that's not what I want...
Any advice on how to proceed?
Thanks in advance.
Pedro
Last edited by paneves (2019-10-18 19:01:29)
1. No.
2. LUKS allows for multiple keyslots. And your YubiKey can generate a static password, but read the caveat on the wiki about this.
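The keyslot idea from the reply above, as an added example that is not part of the original thread and is not cryptsetup's code: a simplified Python model in which each slot wraps the same volume key under a different secret, so a passphrase and a token's static password are alternatives rather than two factors. The class name `ToyVolume`, its methods, the XOR wrapping and the secrets are all constructed for illustration; real LUKS uses a cipher and a different on-disk layout.

```python
import hashlib, hmac, os

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly

def _kdf(secret: bytes, salt: bytes, length: int = 32) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=length)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyVolume:
    """Simplified model of a LUKS header: one volume key, independent keyslots."""

    def __init__(self, first_secret: bytes):
        volume_key = os.urandom(32)
        self.digest_salt = os.urandom(16)
        self.digest = _kdf(volume_key, self.digest_salt)  # identifies the right key
        self.slots = {}
        self._fill(0, first_secret, volume_key)

    def _fill(self, slot: int, secret: bytes, volume_key: bytes) -> None:
        salt = os.urandom(16)  # per-slot salt: slots share nothing but the volume key
        self.slots[slot] = (salt, _xor(volume_key, _kdf(secret, salt)))

    def unlock(self, secret: bytes):
        """Try the secret against every slot; return the volume key or None."""
        for salt, wrapped in self.slots.values():
            candidate = _xor(wrapped, _kdf(secret, salt))
            if hmac.compare_digest(_kdf(candidate, self.digest_salt), self.digest):
                return candidate
        return None

    def add_key(self, existing: bytes, new: bytes) -> int:
        volume_key = self.unlock(existing)
        if volume_key is None:
            raise PermissionError("existing secret opens no keyslot")
        slot = max(self.slots) + 1
        self._fill(slot, new, volume_key)
        return slot

    def kill_slot(self, slot: int) -> None:
        del self.slots[slot]  # that secret stops working; other slots are untouched

if __name__ == "__main__":
    vol = ToyVolume(b"typed passphrase")                          # constructed secrets
    token = vol.add_key(b"typed passphrase", b"static-from-token")
    assert vol.unlock(b"static-from-token") == vol.unlock(b"typed passphrase")
    vol.kill_slot(token)                                          # e.g. token lost
    assert vol.unlock(b"static-from-token") is None
```

Because every slot opens the same volume key, anyone who captures the static password can unlock the disk with it alone, and removing that one slot is what revokes it.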
> 2. LUKS allows for multiple keyslots. And your YubiKey can generate a static password, but read the caveat on the wiki about this.
You mean this caveat?
"One of its strengths is that it can emulate a USB keyboard to send a password (OTP or static password) as text, and thus requires only USB HID drivers found on practically all computers (desktop, mobile, tablet).
This also makes it vulnerable to keyloggers if the static password functionality is used, which is why if possible one should avoid it and try to only use the one-time password (OTP), Challenge-Response and CCID Smartcard functionality."
or this:
"A limitation of the YubiKey, however, prevents you from choosing characters that require a modifier key other than Shift."
Or am I missing something? I thought of using something like what the wiki mentions on YubiKey and LUKS encrypted partition/disk, specifically the guide at: https://github.com/agherzan/yubikey-ful … llenge-1fa
Thoughts?
Pedro
The purported vulnerability to keyloggers.
Third party guides are unsupported here, so if you want help, stick to the wiki.
> The purported vulnerability to keyloggers.
Thanks!
> Third party guides are unsupported here, so if you want help, stick to the wiki.
Sure, although the link I posted (to a third party guide) was from the wiki...
Anyway, thanks a lot for your help.
All the best:
Pedro