YubiKey full disk encryption with UEFI secure boot for everyone
I've created a full disk encryption setup guide. If you complete this guide, you will have encrypted root and home partitions with YubiKey two-factor authentication, an encrypted boot partition and UEFI Secure Boot enabled. Sounds complicated? No, it isn't!
It took me several days to figure out how to set up a fully encrypted machine with 2FA. This guide should help you get it done in a few hours (hopefully). There are plenty of tutorials, but none contains a step-by-step guide that gets all of the following done:
- YubiKey-encrypted root (`/`) and home (`/home`) folders on separate partitions
- Encrypted boot (`/boot`) folder on a separate partition
- UEFI Secure Boot with a self-signed boot loader
- YubiKey authentication for user login and `sudo` commands
- Hooks to auto-sign the kernel after an upgrade
You should be familiar with Linux and be able to edit files with vi/vim. You need a USB stick for the Linux live environment, and a second computer is useful for lookups and for reading this guide while you prepare your fully encrypted Linux. And of course you will need a YubiKey.
| Number | Start (sector) | End (sector) | Size | Code | Name |
|---|---|---|---|---|---|
| 1 | 2048 | 4095 | 1024.0 KiB | EF02 | BIOS boot partition |
| 2 | 4096 | 1232895 | 600.0 MiB | EF00 | EFI System |
| 3 | 1232896 | 2461695 | 600.0 MiB | 8300 | Linux filesystem |
| 4 | 2461696 | 2000409230 | 952.7 GiB | 8E00 | Linux LVM |
The disk partitions will look similar to the above, and the GRUB boot loader will ask you to unlock the boot partition with a password. After that, you will be asked to unlock the root and home partitions with a password and your YubiKey device (2FA). The BIOS will also be protected by a password, since otherwise UEFI Secure Boot could simply be disabled. But even if that happens, your root and home partitions will still be encrypted. This is maximum security.
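To show why the root/home unlock above is genuinely two-factor, here is an added model (not code from the guide, which does not name its helper tool) of the HMAC-SHA1 challenge-response scheme used by common YubiKey LUKS helpers such as yubikey-luks and yubikey-full-disk-encryption: the password is turned into a challenge, the token answers with an HMAC over a secret that never leaves it, and the passphrase given to cryptsetup is built from both. The function names and the in-memory stand-in for the slot secret are my assumptions for running this offline.

```python
import hashlib
import hmac
import os

# Constructed model, not the guide's own code. A YubiKey slot programmed for
# challenge-response (e.g. via `ykpersonalize -2 -ochal-resp -ochal-hmac`)
# holds a 20-byte HMAC-SHA1 secret that cannot be read back. Here the secret
# is an in-memory stand-in so the derivation can be run without a token.

SLOT_SECRET_LEN = 20      # HMAC-SHA1 key size of the YubiKey slot
MAX_CHALLENGE_LEN = 64    # the slot accepts challenges of up to 64 bytes


def yubikey_hmac_sha1_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Model of the token's slot operation: a 20-byte HMAC-SHA1 response."""
    if len(slot_secret) != SLOT_SECRET_LEN:
        raise ValueError("slot secret must be 20 bytes")
    if not 1 <= len(challenge) <= MAX_CHALLENGE_LEN:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def derive_luks_passphrase(password: str, slot_secret: bytes) -> str:
    """Password + token response -> the string handed to cryptsetup.

    The password is hashed first so any length fits the 64-byte challenge
    limit: the hex SHA-256 digest is exactly 64 bytes long.
    """
    challenge = hashlib.sha256(password.encode()).hexdigest().encode()
    response = yubikey_hmac_sha1_response(slot_secret, challenge)
    return password + response.hex()


def can_unlock(password: str, slot_secret: bytes, enrolled: str) -> bool:
    """Both factors are required: a wrong password or a wrong token fails."""
    candidate = derive_luks_passphrase(password, slot_secret)
    return hmac.compare_digest(candidate.encode(), enrolled.encode())


if __name__ == "__main__":
    secret = os.urandom(SLOT_SECRET_LEN)                        # programmed into the token
    enrolled = derive_luks_passphrase("correct horse", secret)  # value given to luksAddKey
    print(can_unlock("correct horse", secret, enrolled))                  # True
    print(can_unlock("correct horse", os.urandom(SLOT_SECRET_LEN), enrolled))  # False: other token
    print(can_unlock("wrong password", secret, enrolled))                 # False: no password
```

A stolen token without the password, or a phished password without the token, yields a different passphrase and the LUKS key slot stays locked.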
At the moment there is only a guide for Arch Linux, but the steps should be similar for other Linux distributions. If you want to write a guide for Debian/Ubuntu or any other Linux, don't hesitate to open an issue on GitHub or submit a pull request.
If you like this guide, please spread the word, so everyone can use it and don't forget to star this project on GitHub.