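# Enroll a FIDO2 token (e.g. a YubiKey) as an additional LUKS2 keyslot for the root
# volume. systemd-cryptenroll adds a slot; the existing passphrase slot is left in place,
# so keep that passphrase (or a separate recovery key) somewhere safe - a lost or broken
# token must not lock you out of the disk.
DEVICE=/dev/nvme0n1p3
sudo apt install -y fido2-luks
# Interactive step: enter the required info (existing passphrase, token PIN) and touch
# the key when prompted.
# Note: the trailing comment must sit on its own line - a `#` glued directly onto the
# quoted argument is not a comment, it becomes part of the device path and the rest of
# the sentence is passed as extra arguments.
sudo systemd-cryptenroll --fido2-device=auto "${DEVICE}"
# Edit /etc/crypttab so the root entry unlocks via the token. Replace `root` (the first
# field) with the current mapped name of the volume, i.e. the <name> in
# /dev/mapper/<name>. The UUID below is this machine's and must match the LUKS
# container's UUID (compare with `blkid "${DEVICE}"`):
#   root UUID=96768932-f585-4ddd-9905-30d6db3c5e15 - fido2-device=auto
sudo vi /etc/crypttab
# Build the initramfs with dracut instead of initramfs-tools; this appears to be the
# "initramfs issues" the author hit - dracut's systemd-cryptsetup path honours the
# fido2-device= crypttab option.
sudo apt install -y dracut
# Force regeneration so the edited crypttab is picked up by the new initramfs.
sudo dracut --force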
Recovery if cryptsetup fails
In the (initramfs) rescue shell:
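# Unlock the LUKS container under its mapped name (the crypttab first field), then
# assemble the installed system under /mnt and chroot into it to repair crypttab /
# the initramfs.
cryptsetup luksOpen /dev/nvme0n1p3 root
# -p: do not fail if /mnt already exists in this rescue environment.
mkdir -p /mnt
# Activate the LVM volume group that lives inside the container.
vgchange -ay
mount /dev/mapper/ubuntu--vg-ubuntu--lv /mnt
mount /dev/nvme0n1p2 /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot/efi
# Bind the pseudo-filesystems so update-initramfs / dracut work inside the chroot.
# Every target must be an absolute path: the original `mnt/dev` was relative to the
# current directory and would not land under the chroot.
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount --bind /dev /mnt/dev
chroot /mnt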
Fix the problem in /etc/crypttab,
then rebuild the initramfs with `update-initramfs -u` or `dracut --force`.
Sudo with Yubikey + PIN
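# Let a FIDO2/U2F touch plus PIN satisfy sudo authentication via pam_u2f.
sudo apt-get install -y libpam-u2f
# Before touching PAM, the key has to be registered: pam_u2f reads registrations from a
# mapping file (by default a per-user file under ~/.config/Yubico/, generated with
# `pamu2fcfg`). Without a registration the module will never succeed.
# Keep a second root shell open while editing - a broken /etc/pam.d/sudo locks you out
# of sudo until it is repaired.
sudo vi /etc/pam.d/sudo
# Add the following after the current `session` lines, before the `@include` lines:
#   auth sufficient pam_u2f.so pinverification=1
# `sufficient` means a successful touch+PIN satisfies auth on its own (no password), and
# a failed or absent token simply falls through to the @include'd password auth, so the
# password remains a fallback. Because the default mapping file lives in the user's home,
# anything able to write there could register its own key and gain password-less sudo;
# for a hardened setup point the module at a root-owned mapping with
# `authfile=<root-owned mapping file>` instead.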
Use OpenPGP keys for SSH
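# Use the OpenPGP authentication key held on the token as an SSH key, served by
# gpg-agent in place of ssh-agent. The private half never leaves the token.
sudo apt install -y gnupg2 scdaemon gnupg-agent
# Point gpg at this terminal for PIN prompts and route SSH agent requests to gpg-agent.
# Add both export lines to the shell .rc file (~/.zshrc) so they persist; they are also
# executed here so the commands below work in the current session. Each statement is on
# its own line - the original had all three run together on one line.
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpgconf --launch gpg-agent
# Tell the already-running agent which tty to use for PIN prompts.
gpg-connect-agent updatestartuptty /bye > /dev/null
# List the public keys the agent exposes; the token's key should be among them. If the
# list is empty, open a fresh shell first, and check that gpg-agent has SSH support
# enabled (`enable-ssh-support` in ~/.gnupg/gpg-agent.conf).
ssh-add -L
# Copy the right key to ~/.ssh/id_yubikeyX.pub - a public-key-only identity file, which
# ssh can reference while the matching private key is answered by the agent.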