Hello everyone,
I have been trying to get my swap partition working with ykfde (https://github.com/agherzan/yubikey-ful … encryption). I currently have ykfde 1FA challenge response configured and working properly for my root partition. I'd like to eschew using a keyfile and use my YubiKey token to decrypt everything at boot. Ideally I would use crypttab to decrypt swap, but it doesn't seem there is any support for crypttab in the ykfde package as of yet.
So, following the guide on the Arch wiki for swap encryption with hibernation support (https://wiki.archlinux.org/index.php/Dm … sk_support), I created a hook to open the encrypted swap. So now I have a swap within a LUKS encrypted container with a persistent key. I have a standard memorized password in key slot 0 and I've enrolled my ykfde challenge response to key slot 1. I've tried changing the call outlined in the openswap hook from "cryptsetup open" to "ykfde-open", but this fails with "file not found" even with ykfde-open included in the BINARIES array in mkinitcpio.conf.
Does my goal here even make sense? I've found that many times when troubleshooting my own configurations I'm overcomplicating things and missing a simpler solution. Thanks!
/etc/initcpio/install/openswap

build ()
{
    add_runscript
}

help ()
{
    cat<<HELPEOF
This opens the swap encrypted partition /dev/sda2 in /dev/mapper/swapDevice
HELPEOF
}

and /etc/initcpio/hooks/openswap

run_hook ()
{
    ykfde-open -d /dev/sda2 -n swapDevice -v --allow-discards
}

and upon the ykfde hook running for root and unlocking, openswap runs and returns:

/init: line 3: ykfde-open: not found

I have tried both adding ykfde-open to the BINARIES array in mkinitcpio.conf and including "add_binary ykfde-open" after "add_runscript" in the install hook. Same result.
What does your HOOKS variable look like in /etc/mkinitcpio.conf? Maybe the filesystem isn't ready when you run openswap.
Alright, after some work on this I finally figured it out.
As it turns out, the hook order isn't actually the issue, though I had to reorder my hooks to put my openswap right after filesystems and before resume.
As for openswap, I had to set it up like this:
# /etc/initcpio/hooks/openswap
run_hook ()
{
    # Try the YubiKey first
    ykfde-open -d /dev/nvme0n1p2 -s 1 -n swapDevice
    # Fallback on cryptsetup if we failed to decrypt it initially
    if [ ! -e /dev/mapper/swapDevice ]; then
        cryptsetup open /dev/nvme0n1p2 swapDevice
    fi
}

And in the install script is where the "magic" happens:

# /etc/initcpio/install/openswap
build ()
{
    # ykfde-open is a script, so the image needs its interpreter and the
    # tools it calls, not just the script itself
    add_binary /usr/bin/bash
    add_binary /usr/bin/cryptsetup
    add_binary /usr/bin/ykinfo
    add_binary /usr/bin/sha256sum
    add_binary /usr/bin/awk
    add_binary /usr/bin/id
    add_binary /usr/bin/[
    add_file /usr/bin/ykfde-open
    add_runscript
}

help ()
{
    cat<<HELPEOF
This opens the swap encrypted partition /dev/nvme0n1p2 in /dev/mapper/swapDevice
HELPEOF
}

On my machine I'm using /dev/nvme0n1p2; you can just replace all instances of it with /dev/sda2.
This also depends on ykfde, but if you have it installed it should work.
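The "ykfde-open: not found" failure above is the kind of thing that is cheaper to catch on the host than at the initramfs prompt. The script below is an added example, not part of ykfde, mkinitcpio or this thread: it reads the add_binary/add_file lines of an install hook, checks that each path exists (resolving bare names through the usual bin directories), and for any script it finds, checks that the interpreter on its #! line is also added, which is exactly why the working hook lists /usr/bin/bash. The optional ROOT argument is an assumption of this example so it can be run against a constructed directory tree; leave it out to check the live system.

```shell
#!/bin/sh
# Added example: sanity-check an mkinitcpio install hook before rebuilding
# the image. Not part of mkinitcpio or ykfde.
#
# Usage: check_install_hook HOOK [ROOT]
#   HOOK  an install hook such as /etc/initcpio/install/openswap
#   ROOT  optional prefix to resolve paths under (for testing against a
#         constructed tree); omit it to check the real system
# Prints one line per problem and returns 1 if any were found, else 0.

check_install_hook() {
    hook=$1
    root=${2:-}
    rc=0

    # Every add_binary/add_file argument; comments and other lines are skipped.
    added=$(awk '$1 == "add_binary" || $1 == "add_file" { print $2 }' "$hook")

    for item in $added; do
        full=$(resolve_path "$item" "$root") || {
            echo "MISSING: $item (named in $hook)"
            rc=1
            continue
        }
        # A script is useless in the image without its interpreter, so the
        # shebang target must be listed as well (by full path or basename).
        interp=$(shebang_interp "$full")
        if [ -n "$interp" ] && ! listed "$interp" "$added"; then
            echo "INTERPRETER NOT ADDED: $item uses $interp"
            rc=1
        fi
    done
    return $rc
}

# Resolve NAME under PREFIX: absolute paths verbatim, bare names via the
# usual bin directories. Prints the resolved path; fails if nothing exists.
resolve_path() {
    name=$1
    prefix=$2
    case $name in
        /*) candidates="$prefix$name" ;;
        *)  candidates="$prefix/usr/local/bin/$name $prefix/usr/bin/$name $prefix/bin/$name" ;;
    esac
    for cand in $candidates; do
        if [ -f "$cand" ]; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# Print the interpreter from a #! first line; prints nothing for ELF files.
# (For "#!/usr/bin/env bash" this reports env, which then needs adding too.)
shebang_interp() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# True if TARGET (by full path or basename) appears in the added list.
listed() {
    target=$1
    list=$2
    base=${target##*/}
    for entry in $list; do
        [ "$entry" = "$target" ] && return 0
        [ "${entry##*/}" = "$base" ] && return 0
    done
    return 1
}

# Run directly against a hook, e.g.:
#   sh check_install_hook.sh /etc/initcpio/install/openswap
if [ "$#" -gt 0 ]; then
    check_install_hook "$@"
fi
```

Run it against the hook before `mkinitcpio -P`; a clean exit means every listed path exists and every script's interpreter is accounted for. It does not check shared libraries or the tools a script calls at runtime (the ykinfo, sha256sum, awk, id and `[` lines in the working hook), so those still have to come from reading the script itself.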