Package Details: sedutil 1.20.0-3

Git Clone URL: https://aur.archlinux.org/sedutil.git (read-only)
Package Base: sedutil
Description: TCG OPAL 2.00 SED Management Program
Upstream URL: https://github.com/Drive-Trust-Alliance/sedutil
Licenses: GPL3
Submitter: R00KIE
Maintainer: R00KIE
Last Packager: R00KIE
Votes: 42
Popularity: 0.042869
First Submitted: 2015-10-18 14:02 (UTC)
Last Updated: 2023-06-03 18:38 (UTC)

Pinned Comments

R00KIE commented on 2016-08-27 21:39 (UTC)

To build this package you need to install one of the following:
- linux-headers: if you are using Arch's kernel
- linux-lts-headers: if you are using Arch's LTS kernel

Latest Comments

XG_SiNGH commented on 2016-03-12 19:45 (UTC) (edited on 2016-03-12 19:46 (UTC) by XG_SiNGH)

NEWS: I've created a new article in the Arch Wiki: Self-Encrypting Drives (SED)
https://wiki.archlinux.org/index.php/Self-Encrypting_Drives_(SED)
(note: the link comes out broken here, don't click - copy & paste the whole line)

It specifically covers usage of sedutil. I've tried making it as complete as I could, but it needs review.

Discuss at this forum thread: https://bbs.archlinux.org/viewtopic.php?pid=1611886 (+ at the article's talk page)

Thanks everyone!

R00KIE commented on 2016-01-31 23:28 (UTC) (edited on 2016-01-31 23:56 (UTC) by R00KIE)

I've been wanting to create a wiki page explaining how all this is set up but haven't gotten around to it yet.

The package installs sedutil, the pba program that is used in the upstream pba images and a few Arch-specific scripts and configuration files. You will need to configure your console keymap properly [1] (this was my main motivation, you can pick your own keymap), edit /etc/linuxpba/linuxpba.conf and configure it to your liking (the comments there should explain what each option does), create a keyring file at /etc/linuxpba/keyring.luks and then create the pba images with mklinuxpba-bios. mklinuxpba-bios calls mklinuxpba-initramfs to generate the initramfs and then mklinuxpba-bios uses the current linux and pba initramfs to create the pba image.

I had a draft text file with rough instructions on how to configure the keyring but I can't find it right now :( I'll point you to the pages I've looked into to make this work. It is the same procedure as described here [2], and for enrolling your yubikey I have done it in a very similar way to this project [3]. In my case I've done all the steps manually (look inside the yubikey-luks-enroll script near the end). The difference from [2] is that you have to zero your luks device and then echo your admin1 password to the luks device. You might want to refer to the wiki on how to configure and boot a luks encrypted root with the key on a usb drive as the procedure is the same, specifically this [4]. The options KFNAME, KFSKIP and KFSIZE map to device, offset and size.

If I manage to find the text file with rough instructions I'll drop it here, but I'm afraid I might have to start writing it from scratch.

[1] https://wiki.archlinux.org/index.php/Keyboard_configuration_in_console
[2] https://wiki.gentoo.org/wiki/Custom_Initramfs#Encrypted_keyfile
[3] https://github.com/cornelinux/yubikey-luks
[4] https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#cryptkey

Edit: I found the file :)

This assumes three keys will be used, one in an SD card, one in a USB flash drive and a yubikey.

    truncate -s 1053184 keyring.luks  # for luks default config
    truncate -s 2068992 keyring.luks  # for luks -c aes-xts-plain64 -h sha512 -s 512

Use one of the following two:

    cryptsetup --align-payload=1 --use-random --key-file sdcard_luks_key -i 2000 luksFormat keyring.luks
    cryptsetup --align-payload=1 --use-random -c aes-xts-plain64 -h sha512 -s 512 --key-file sdcard_luks_key -i 2000 luksFormat keyring.luks

    cryptsetup --key-file sdcard_luks_key luksAddKey keyring.luks flash_luks_key
    cryptsetup --key-file sdcard_luks_key luksAddKey keyring.luks yubikey_luks_key
    cryptsetup --key-file sdcard_luks_key open --type luks keyring.luks keyring
    dd if=/dev/zero of=/dev/mapper/keyring
    echo your_admin1_password > /dev/mapper/keyring
    cryptsetup close keyring

Put your keyring.luks in /etc/linuxpba and run mklinuxpba-bios. Don't forget to test your pba image before committing it to the SSD.
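Where the two truncate sizes in the comment above come from, as an added example that is not part of the original comment or the package: with --align-payload=1 a LUKS1 container is the header plus key slots followed by the payload, and both sizes leave exactly one 512-byte payload sector for the admin1 password. The function names are hypothetical, and the script assumes the LUKS1 on-disk layout and a 256-bit key for the "default config" case.

```shell
#!/bin/sh
# Added example: reproduce the keyring.luks sizes for a LUKS1 container
# formatted with --align-payload=1.
# Assumed LUKS1 layout: key material starts at sector 8, there are 8 key
# slots, each slot stores the key split into 4000 anti-forensic stripes,
# and each slot is rounded up to a multiple of 8 sectors (4096 bytes).
# cryptsetup >= 2.1 formats LUKS2 by default, so these sizes only apply
# when the container is created as LUKS1 (luksFormat --type luks1).

SECTOR=512    # bytes per sector
SLOTS=8       # LUKS1 key slots
STRIPES=4000  # anti-forensic stripes per key slot
ALIGN=8       # key slot alignment, in sectors

# luks1_payload_offset KEY_BITS
# Prints the first payload sector when payload alignment is 1 sector.
luks1_payload_offset() {
    key_bytes=$(( $1 / 8 ))
    # Sectors needed for one slot's key material, rounded up.
    slot=$(( (key_bytes * STRIPES + SECTOR - 1) / SECTOR ))
    # Round the slot size up to the key slot alignment.
    slot=$(( (slot + ALIGN - 1) / ALIGN * ALIGN ))
    echo $(( ALIGN + SLOTS * slot ))
}

# keyring_size KEY_BITS [PAYLOAD_SECTORS]
# Prints the byte count to pass to "truncate -s" (payload defaults to 1 sector).
keyring_size() {
    payload=${2:-1}
    offset=$(luks1_payload_offset "$1")
    echo $(( (offset + payload) * SECTOR ))
}

echo "256-bit key: $(keyring_size 256) bytes"  # the "default config" size
echo "512-bit key: $(keyring_size 512) bytes"  # the "-s 512" size
```

On a LUKS1 container, `cryptsetup luksDump keyring.luks` reports the same sector number as "Payload offset", which is a quick check that the file was sized correctly before the password is written to it.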

tarm commented on 2016-01-27 08:35 (UTC)

Hey, you answered my request over on sedutil's GitHub page for wanting yubikey support and explained how your custom scripted pba works. I have compiled the package. But I am not clear on exactly what it's going to install? Is it simply the custom pba image and sedutil program? The reason I ask is in my specific situation I have to actually flash the pba image from a rescue/bootable flash drive. I cannot run the sedutil program from inside the OS. Now I have a rescue disk I created from the msed program. I made a few changes so I could add all the pba images. This basically gives me a standalone install utility tool so I can push whatever pba I want directly from the syslinux recovery flash drive. I understand I need to install the yubikey personalization tool package to set up the yubikey for C&R etc. of course. But I am not entirely clear on what I have to do to set up the luks locked file with the PWD I am sealing in it? Since I am having to do it from a syslinux busybox setup, am I needing to do it from that syslinux setup? Again, thanks for any help you may be able to give me.

R00KIE commented on 2015-12-30 15:41 (UTC)

@crepererum You are correct. I don't have a UEFI machine to test so I'm not going to claim to support something I can't test properly. It shouldn't be too hard to adapt the mklinuxpba-bios script for uefi, but like I said it needs proper testing. From what I've been told some (older) firmwares are a bit picky about the uefi partition, there is also the matter of secure boot that I would need to try for myself, at least so that instructions can be put on a wiki page of how to make things work. You can find bios and uefi images here [1] but I suppose they support only password input and the keyboard layout is set to US.

[1] https://github.com/Drive-Trust-Alliance/exec

crepererum commented on 2015-12-30 14:58 (UTC)

Am I right assuming that this only works for a BIOS-driven boot and not for UEFI boot procedures?