This repository contains a step-by-step tutorial to create a full disk encryption setup with two-factor authentication (2FA) via YubiKey. It covers:
- YubiKey encrypted root (/) and home (/home) folders on separate partitions
- Encrypted /boot partition
- UEFI Secure Boot (self-signed boot loader)
- YubiKey authentication for user login
Guides are currently available for:
- Arch Linux with helper scripts
Additional security chapter:
- Disable Intel AMT
- Disable AMD PSP
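As an added post-install check (not part of this repository's scripts), the following Python verifies the outcomes listed above: that /, /home and /boot each sit on a dm-crypt device, that / and /home are on different partitions, and that UEFI Secure Boot is enforced. It reads `lsblk -J` output and the SecureBoot EFI variable; the embedded block-device tree is a constructed sample with made-up device names.

```python
import json
import subprocess
from pathlib import Path

REQUIRED_MOUNTS = ("/", "/home", "/boot")

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` matching the guide:
# a plain EFI system partition, then LUKS containers for /boot, / and /home.
SAMPLE_TREE = {"blockdevices": [{"name": "nvme0n1", "type": "disk", "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/efi"},
    {"name": "nvme0n1p2", "type": "part", "children": [
        {"name": "cryptboot", "type": "crypt", "mountpoint": "/boot"}]},
    {"name": "nvme0n1p3", "type": "part", "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]},
    {"name": "nvme0n1p4", "type": "part", "children": [
        {"name": "crypthome", "type": "crypt", "mountpoint": "/home"}]}]}]}

def _walk(devices, ancestors=()):
    """Depth-first over the lsblk tree, yielding (device, ancestor chain)."""
    for dev in devices:
        yield dev, ancestors
        yield from _walk(dev.get("children", []), ancestors + (dev,))

def encrypted_mounts(tree):
    """Map each required mountpoint to its backing partition when a 'crypt'
    device sits between partition and filesystem; plaintext/missing -> None."""
    found = {mp: None for mp in REQUIRED_MOUNTS}
    for dev, ancestors in _walk(tree["blockdevices"]):
        chain = ancestors + (dev,)
        if dev.get("mountpoint") in found and any(d.get("type") == "crypt" for d in chain):
            # Fall back to the whole disk for LUKS placed directly on a disk.
            found[dev["mountpoint"]] = next(
                (d["name"] for d in chain if d.get("type") == "part"), chain[0]["name"])
    return found

def check_encryption(tree):
    """True only if all three mounts are encrypted and / and /home are separate."""
    found = encrypted_mounts(tree)
    return all(found.values()) and found["/"] != found["/home"]

def secure_boot_enabled(efivar_bytes):
    """efivarfs exposes 4 attribute bytes, then 1 data byte (1 = enforced)."""
    return len(efivar_bytes) >= 5 and efivar_bytes[4] == 1

def live_check():
    """Run both checks against the running system; returns (encrypted, secure_boot)."""
    tree = json.loads(subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"]))
    var = next(Path("/sys/firmware/efi/efivars").glob("SecureBoot-*"), None)
    return check_encryption(tree), var is not None and secure_boot_enabled(var.read_bytes())
```

Run `live_check()` on the installed system after finishing the guide; both values should be True.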
It took me several days to figure out how to set up a fully encrypted machine with 2FA. This guide should help others get it done in minutes (hopefully). There are plenty of tutorials, but none of them contains a step-by-step guide that covers all of the points above.
I guess working through the entire manual will take between 1 and 3 hours.
You should be familiar with Linux and be able to edit files with vi (see the Vi Cheat Sheet).
You need a USB stick for the Linux Live environment. A second computer is useful for lookups and for reading this guide while preparing your fully encrypted Linux.
And of course you will need at least two YubiKeys.
WARNING: You will end up with a bricked machine if you only have a single YubiKey and it breaks.
- Star this project on GitHub
- Spread this guide, so everyone can use it
- Help improve this guide by creating an issue
For the latest online documentation visit http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/. Refer to the Quick Start section for a detailed explanation.
Documentation is in the book tree and can be compiled using bookdown via Docker:
$ docker run -it --rm -v $(pwd):/app sandrokeil/bookdown bookdown.json
$ docker run -it --rm -p 8080:8080 -v $(pwd):/app php:7.1-cli php -S 0.0.0.0:8080 -t /app/html
or by running bookdown directly:
$ ./vendor/bin/bookdown bookdown.json
$ php -S 0.0.0.0:8080 -t html/
Then browse to http://localhost:8080/