Yubikey Recommendations

[julie-de-ville]

I have never used a yubikey before, but I have one and want to integrate it into my boot process. Do you have any documentation you would recommend for going about this, specifically on gentoo? I see that there is a section on the docs configuration page, but I was hoping to find advice on the initial disk setup and encryption.

[desultory]

the easiest way (imo) is to use the openpgp module, this guide should help: https://wiki.gentoo.org/wiki/YubiKey/GPG

see also: https://support.yubico.com/s/article/Using-Your-YubiKey-with-OpenPGP https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#prepare-gnupg

I'd recommend using the version on the gentoo wiki when it's back up, I think it should be simple and only have the required steps. There are a few ways you can manage gpg keys on a yubikey, but I think it's best to keep the certification key off the device and well protected, then you can "keytocard" the keys you generate on your system to send them to the yubikey
once you do that, you can encrypt your keyfile with yourself as the recipient (like gpg -r [email protected] -e /path/to/key > key.gpg)

You can either add this key to your luks header before encrypting it, or do something like decrypt it into a fifo/named pipe for use with cryptsetup (I think this is on the wiki for the full disk encryption article but the wiki is down rn)

Once you do this, you can set the key type to gpg in ugrd and add the public key:

https://github.com/desultory/ugrd/blob/main/examples/yubikey.toml#L19-L21

[desultory]

Thank you! Also, if I am using btrfs in lvm in luks, will it still automatically detect the settings and enable the modules, or what do I have to configure beforehand?

yeah the filesystem side of all of this should be automatically detected, but you'll have to manually configure the key file and public key file info

[julie-de-ville]

Thank you! Also, I was wondering if you could help me out with getting hibernation support. This time, I am using a swap partition in an lvm in a luks container. I edited /etc/default/uefi-mkconfig to change the cmdline, and added ugrd.fs.resume to ugrd.conf

KERNEL_CONFIG="%entry_id %linux_name Linux %kernel_version ; cmdline=quiet splash resume=UUID=a7c1577e-c606-47c6-8049-3b6256c9519b

And when generating the initramfs, it appears to use the resume function, but when I try echo disk /sys/power/state I get an error saying -bash: echo: write error: Function not implemented. Trying echo > /sys/power/resume returns permission denied.

[julie-de-ville]

I am using a distribution kernel, if that matters

[desultory]

Thank you! Also, I was wondering if you could help me out with getting hibernation support. This time, I am using a swap partition in an lvm in a luks container. I edited /etc/default/uefi-mkconfig to change the cmdline, and added ugrd.fs.resume to ugrd.conf

KERNEL_CONFIG="%entry_id %linux_name Linux %kernel_version ; cmdline=quiet splash resume=UUID=a7c1577e-c606-47c6-8049-3b6256c9519b

And when generating the initramfs, it appears to use the resume function, but when I try echo disk /sys/power/state I get an error saying -bash: echo: write error: Function not implemented. Trying echo > /sys/power/resume returns permission denied.

encrypted resume is not fully supported, there is a good discussion about it here: https://forums.gentoo.org/viewtopic-t-1176040-highlight-.html

when running that kernel, do you see the file there? and I think that depends on the disk being defined and present, is that UUID correct and showing up in /sys/power/resume?

[julie-de-ville]

The UUID is correct. I have also tried specifying the UUID for root btrfs partition and root subvolume. /sys/power/resume does not exist, and when I try to echo my swap partition to it I get "permission denied."

Does it matter whether I am identifying them by their mapped names vs UUIDs? In my fstab they are defined by the mapped names.

I saw an issue page about it, and that there is a workaround by creating a config for resume in the ugrd etc directory, but no luck.

Also I just noticed in the ugrd log
INFO | No initramfs fstab found, skipping mount_fstab. If non-root storage devices are not needed at boot, this is fine.
could that be preventing it from finding the swap partition?