On Fri, 07 Dec 2018 09:51:45 +0100 "Aaron Digulla" <digulla@hepe.com> wrote:
On Thursday, December 06, 2018 22:52 CET, Bob Williams <usenet@karmasailing.uk> wrote:
Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.
You will need to find a solution for how GRUB can load the necessary code from an encrypted partition to access the Yubikey so it can use it to decrypt the partition in the first place.
The reason for this is that GRUB can't add arbitrary amounts of code to the initial boot (i.e. the part which will mount the boot partition). After the boot partition is available, more code can be loaded. That's the reason why you get a US English keyboard with GRUB when using an encrypted boot partition.
The first solution is to use an unencrypted partition for GRUB itself. That means anyone with access to the laptop can see what OS and version is installed. In this case, only the system and data partitions are encrypted.
The second solution is to use an encrypted boot partition which isn't protected by Yubikey. You will have to type in a password to be able to start GRUB. Afterwards, GRUB can load the Yubikey code and use that to mount the other partitions.
As for an "idiot's guide to set up Yubikey", I'm looking for that as well. Anyone?
Regards,
Thanks to all who've replied. It's slightly reassuring to know that others find this as obscure as me.

--
Bob Williams
System: Linux 4.19.2-1.g8adee6e-default
Distro:
Desktop: KDE Frameworks: 5.45.0, Qt: 5.9.4 and Plasma: 5.12.5