Arch Linux LUKS configuration

Michael Cordover edited this page Jan 16, 2021 · 6 revisions

So you want to have a second factor protecting your disk encryption key. Cool! I do that and it's great. It's also relatively easy to set up.

  1. Back up your LUKS header. Right now. Go on, I'll wait. Seriously, this step is important.

  2. Install the khefin AUR package, or run make release mkinitcpio && sudo make install to install khefin and the initcpio hooks.

  3. Enrol your primary authenticator device: khefin enrol -d /dev/hidraw0 -f /tmp/0-primary-authenticator.

  4. Enrol your secondary authenticator device: khefin enrol -d /dev/hidraw0 -f /tmp/1-secondary-authenticator. You have a secondary device, right?

  5. Make backups of those files. That should be easy, given you just made a backup of your LUKS header.

  6. Run khefin-add-luks-key /tmp/0-primary-authenticator /dev/your-encrypted-disk -v and then khefin-add-luks-key /tmp/1-secondary-authenticator /dev/your-encrypted-disk -v to add new keyslots for your authenticator-protected files.

  7. Copy the files created in steps 3 and 4 to /boot/keyfiles, or some other static location. They need to be in their own directory. I'd recommend changing their owner to root, and setting permissions to 400.

  8. In /etc/mkinitcpio.conf:

    • add khefin to HOOKS, noting that this must be before encrypt and after udev; and
    • optionally, set keyfiles_source_dir to the directory containing your keyfiles (this defaults to keyfiles_source_dir=/boot/keyfiles).

  9. Run mkinitcpio -c /etc/mkinitcpio.conf -g /tmp/initcpio to make sure your initcpio can be generated successfully. Run lsinitcpio /tmp/initcpio and make sure that your keyfiles, khefin and libfido2 are included.

  10. Run sudo mkinitcpio -P to regenerate your initcpio.
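As an added example (not code from the khefin project or from this wiki), here is a small POSIX shell pre-flight script that automates the checks steps 7 to 9 ask you to do by hand before you regenerate the initcpio: that khefin sits after udev and before encrypt in HOOKS, that every keyfile is owned by root with mode 400, and that the image you generated contains your keyfiles, khefin and libfido2. It assumes GNU coreutils stat (as on Arch) and the HOOKS=(...) syntax of mkinitcpio.conf. The HOOKS lines and the lsinitcpio listing inside demo are constructed sample inputs; this page does not say where the hook places the keyfiles inside the image, so the listing check matches on file name only.

```shell
#!/bin/sh
# Added example, not part of khefin or of this wiki page: pre-flight checks
# for the setup above. Assumes GNU coreutils stat and the HOOKS=(...) syntax
# of mkinitcpio.conf. Paths are the wiki's defaults; adjust to your system.

# check_hook_order "HOOKS=(...)": succeeds only when khefin is listed after
# udev and before encrypt, the ordering the wiki requires.
check_hook_order() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=//p' | tr -d "()\"'")
    [ -n "$hooks" ] || return 1
    i=0; udev_pos=''; khefin_pos=''; encrypt_pos=''
    for h in $hooks; do
        i=$((i + 1))
        case "$h" in
            udev)    udev_pos=$i ;;
            khefin)  khefin_pos=$i ;;
            encrypt) encrypt_pos=$i ;;
        esac
    done
    [ -n "$udev_pos" ] && [ -n "$khefin_pos" ] && [ -n "$encrypt_pos" ] || return 1
    [ "$udev_pos" -lt "$khefin_pos" ] && [ "$khefin_pos" -lt "$encrypt_pos" ]
}

# check_initcpio_listing LISTING KEYFILE...: succeeds when the lsinitcpio
# output names a khefin binary, a libfido2 shared object and every keyfile.
check_initcpio_listing() {
    listing=$1; shift
    printf '%s\n' "$listing" | grep -q '/khefin$' || return 1
    printf '%s\n' "$listing" | grep -q 'libfido2\.so' || return 1
    for kf in "$@"; do
        printf '%s\n' "$listing" | grep -q "/$kf\$" || return 1
    done
    return 0
}

# keyfile_mode_ok FILE: succeeds when the file is mode 400 (GNU stat).
keyfile_mode_ok() {
    [ "$(stat -c '%a' "$1")" = 400 ]
}

# keyfile_owner_ok FILE: succeeds when the file is owned by root (GNU stat).
keyfile_owner_ok() {
    [ "$(stat -c '%U' "$1")" = root ]
}

# preflight CONF KEYDIR IMAGE: run every check against the real files and
# report; exit status is non-zero if anything needs fixing.
preflight() {
    conf=$1; keydir=$2; image=$3; rc=0
    hooks_line=$(grep '^HOOKS=' "$conf" | tail -n 1)
    if check_hook_order "$hooks_line"; then
        echo "ok: khefin is after udev and before encrypt"
    else
        echo "FAIL: khefin must be after udev and before encrypt in HOOKS"; rc=1
    fi
    names=''
    for f in "$keydir"/*; do
        [ -e "$f" ] || continue
        keyfile_mode_ok "$f"  || { echo "FAIL: $f is not mode 400"; rc=1; }
        keyfile_owner_ok "$f" || { echo "FAIL: $f is not owned by root"; rc=1; }
        names="$names $(basename "$f")"
    done
    [ -n "$names" ] || { echo "FAIL: no keyfiles found in $keydir"; rc=1; }
    # $names is deliberately unquoted: one keyfile name per word.
    if check_initcpio_listing "$(lsinitcpio "$image")" $names; then
        echo "ok: image contains keyfiles, khefin and libfido2"
    else
        echo "FAIL: image is missing a keyfile, khefin or libfido2"; rc=1
    fi
    return $rc
}

# demo: exercise the parsers on constructed inputs (not real system output)
# and succeed only when each check gives the expected answer.
demo() {
    good='HOOKS=(base udev autodetect modconf block khefin encrypt filesystems keyboard fsck)'
    bad='HOOKS=(base udev autodetect modconf block encrypt khefin filesystems keyboard fsck)'
    listing=$(printf '%s\n' usr/bin/khefin usr/lib/libfido2.so.1 \
        boot/keyfiles/0-primary-authenticator boot/keyfiles/1-secondary-authenticator)
    check_hook_order "$good" || return 1
    if check_hook_order "$bad"; then return 1; fi
    check_initcpio_listing "$listing" 0-primary-authenticator 1-secondary-authenticator || return 1
    if check_initcpio_listing "$listing" 0-primary-authenticator 2-missing; then return 1; fi
    return 0
}

# Usage: sh khefin-preflight.sh /etc/mkinitcpio.conf /boot/keyfiles /tmp/initcpio
if [ $# -eq 3 ]; then
    preflight "$@"
fi
```

Run it after step 9, before mkinitcpio -P; a non-zero exit means one of the things the wiki tells you to verify is not in place. The hook-order check is the one most worth automating, since a khefin hook placed after encrypt silently gives you an initcpio that never consults the authenticator.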

That's it!

There are a few other options you can set - see mkinitcpio -H khefin for more information.

You can optionally remove your existing keyslot, so you can't use your regular passphrase anymore. I'd recommend having at least one passphrase-only keyslot, with a very long passphrase written down somewhere. This is a good backup in case your authenticators are damaged. Definitely test your primary and backup before killing any keyslot.
