Arch Linux Installer Preparing FIDO2 Support For Handling Disk Encryption


  • #11
    Originally posted by jjmcwill2003:

    I think what's being asked is:

    I've enrolled key1 and key2, and put key2 in a safe location as a spare.

    Now I lose key1. So I grab key2 and use that to unlock my encrypted disk.

    Now what? If I also lose key2, I'm totally hosed.

    So the question is: while I possess key2, can I purchase key3 and enroll it, then put it in a safe space, and continue to use key2 as my main key?

    Presumably I'd also take key1 off the list of keys that can unlock my encryption since I no longer possess that key.
    I have a backup of my Yubikey private key (I use it in smart card mode), so it is all technically recoverable. I think I am just overly paranoid of locking myself out of everything. Gotta remember how to do all of the above at the moment where everything is on fire, of course... The smart card/FIDO tools they provide are great, though... and just work everywhere with no hassle



    • #12
      Originally posted by OneTimeShot:
      Yubikeys are really cool (Linux friendly FIDO support, Smartcard support, HSM replacement, etc)... ...but I'm not sure if I trust myself to not lose it for my own systems. At the office, I'd just ask for a replacement. At home, it'd be a definite "@£$% how do I get back in now?" moment.
      I guess periodic backups should ease your pain in the worst case scenario that you lose both. But if we're gonna check catastrophic scenarios, maybe both your local and offsite backups died in the nuclear winter too.

      For backup key, I think you can deactivate and re-enroll the backup and a new one you buy, yes.



      • #13
        Originally posted by jjmcwill2003:
        So the question is: while I possess key2, can I purchase key3 and enroll it, then put it in a safe space, and continue to use key2 as my main key?
        yes!

        Presumably I'd also take key1 off the list of keys that can unlock my encryption since I no longer possess that key.
        yes!



        • #14
          I pushed one additional PR to add PIN-support, so that should be working in the release.
          As dylan pointed out, it's in a very early stage behind `--advanced` for now - but should be functioning.
          Do let us know if there's anything wonky with this feature and we'll tweak it

          Here's two snippets of the feature..
          Locking: https://youtu.be/IY24ughIMok
          Unlocking: https://youtu.be/35L54syE8II

          One concern that came to mind while implementing this was how quickly the disk unlocks with a FIDO2-device.
          I get that there's more trust here, but using something like a PCI/USB emulation tool to brute force, would this be possible?
          I hope there's a mechanism that kicks in to prevent this

          It also uses password enrollment, so you could use a strong password and lock that in somewhere as your backup.
          Which means password + fido2 is used. Post-configuration can remove or add keys as you choose.

          Anyway, enjoy the feature and keep us posted of how it works! (preferably on GitHub but anywhere is fine really)
          Last edited by Torxed; 18 May 2022, 11:44 AM.
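
The key rotation discussed in posts #11 to #13 and the PIN and password fallback from post #14 can be checked before a keyslot is removed. The following is an added example, not part of the thread or of archinstall's code: it assumes the FIDO2 keys are stored as `systemd-fido2` LUKS2 tokens and that the metadata comes from `cryptsetup luksDump --dump-json-metadata <device>`; the sample metadata and the helper names are constructed for illustration.

```python
import json

# Constructed sample, shaped like `cryptsetup luksDump --dump-json-metadata`
# output and trimmed to the fields used here. Credential values are placeholders.
SAMPLE = json.loads("""
{"keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
 "tokens": {
   "0": {"type": "systemd-fido2", "keyslots": ["1"],
         "fido2-credential": "PLACEHOLDER-KEY1", "fido2-clientPin-required": true},
   "1": {"type": "systemd-fido2", "keyslots": ["2"],
         "fido2-credential": "PLACEHOLDER-KEY2", "fido2-clientPin-required": false}}}
""")

def audit(meta):
    """Map each keyslot to its unlock method; slots without a token count as passphrase."""
    slots = {s: {"kind": "passphrase", "pin": None} for s in meta.get("keyslots", {})}
    for tok in meta.get("tokens", {}).values():
        is_fido2 = tok.get("type") == "systemd-fido2"
        pin = bool(tok.get("fido2-clientPin-required")) if is_fido2 else None
        for s in tok.get("keyslots", []):
            slots[s] = {"kind": tok.get("type", "unknown"), "pin": pin}
    return slots

def findings(meta):
    """Warnings for the two risks raised in the thread: no PIN, no fallback secret."""
    slots = audit(meta)
    out = [f"slot {s}: FIDO2 token enrolled without a PIN"
           for s, v in sorted(slots.items())
           if v["kind"] == "systemd-fido2" and v["pin"] is False]
    if not any(v["kind"] == "passphrase" for v in slots.values()):
        out.append("no passphrase keyslot: losing every token means losing the disk")
    return out

def can_wipe(meta, slot):
    """True only if another keyslot would still unlock the volume afterwards."""
    slots = audit(meta)
    if slot not in slots:
        raise KeyError(f"no such keyslot: {slot}")
    return len(slots) > 1

if __name__ == "__main__":
    for slot, info in sorted(audit(SAMPLE).items()):
        print(slot, info)
    print(findings(SAMPLE))
    print("safe to wipe slot 1 (the lost key1)?", can_wipe(SAMPLE, "1"))
```
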



          • #15
            Originally posted by sinepgib:

            I guess periodic backups should ease your pain in the worst case scenario that you lose both. But if we're gonna check catastrophic scenarios, maybe both your local and offsite backups died in the nuclear winter too.

            For backup key, I think you can deactivate and re-enroll the backup and a new one you buy, yes.
            Well then, it looks like $50-60 well spent. Though I'm assuming the backup isn't free.

            And I don't mean for security, but for sheer convenience when having to deal with a ton of passwords and 2FA. I mean, these things even work with your phone over NFC!



            • #16
              Originally posted by Torxed:
              I pushed one additional PR to add PIN-support, so that should be working in the release.
              As dylan pointed out, it's in a very early stage behind `--advanced` for now - but should be functioning.
              Do let us know if there's anything wonky with this feature and we'll tweak it

              Here's two snippets of the feature..
              Locking: https://youtu.be/IY24ughIMok
              Unlocking: https://youtu.be/35L54syE8II

              One concern that came to mind while implementing this was how quickly the disk unlocks with a FIDO2-device.
              I get that there's more trust here, but using something like a PCI/USB emulation tool to brute force, would this be possible?
              I hope there's a mechanism that kicks in to prevent this

              It also uses password enrollment, so you could use a strong password and lock that in somewhere as your backup.
              Which means password + fido2 is used. Post-configuration can remove or add keys as you choose.

              Anyway, enjoy the feature and keep us posted of how it works! (preferably on GitHub but anywhere is fine really)
              One thing that works against you is Arch is so solid, once installed, there's rarely a need to reinstall



              • #17
                Arch Linux Installer is really amazing; Arch Linux became one of the easiest distros to install with it. Is there any API to install it on multiple machines?



                • #18
                  Originally posted by luno:
                  Arch Linux Installer is really amazing; Arch Linux became one of the easiest distros to install with it. Is there any API to install it on multiple machines?
                  Sort of. You can provide a pre-populated configuration file, so you don't have to select any values, you can have a non-interactive installation. You also have the option to have a profile based on the machine's MAC address, although this is less common, and I haven't personally tested it.



                  • #19
                    Originally posted by bug77:

                    One thing that works against you is Arch is so solid, once installed, there's rarely a need to reinstall
                    Haha, wait until you find our easter egg that erases random files every third moon when the tide is high and all cars are parked at the same time!

                    Edit: Maybe I need to clarify in case someone doesn't get sarcasm.. There is no easter egg.. Maybe..
                    There definitely is no easter egg!


                    Originally posted by luno:
                    Arch Linux Installer is really amazing; Arch Linux became one of the easiest distros to install with it. Is there any API to install it on multiple machines?
                    To build on what dylan said:
                    Code:
                    archinstall --config https://domain.lan/config.json --disk-layout ... --creds ...
                    You can generate these by:
                    Code:
                    archinstall --dry-run
                    Which will abort right before formatting takes place, but generates the JSON files under /var/log/archinstall/.
                    You can also use the menu system to save the JSON files
                    You can also do:
                    Code:
                    import archinstall
                    
                    ...
                    And write your own installer or just a profile, which you can load with:
                    Code:
                    archinstall --profile https://domain.lan/your_profile.py
                    I really need to document this hehe.
                    Last edited by Torxed; 18 May 2022, 01:06 PM.



                    • #20
                      Originally posted by bug77:

                      Yes, that is what I was asking. Also, what happens to the keys you lose? Can they be deactivated? Because when you lose the keys to your house, you kinda have to change the locks.
                      I see. And thanks for the clarification jjmcwill2003

                      I was in the unfortunate position to have lost the Yubikey I use to log in to my laptop (FIDO2 support set up through systemd-homed, thanks to Arch's excellent support for it) and some online services. And I couldn't buy another Yubikey for financial reasons. The remedy included revoking the lost Yubikey using homectl and also removing that key from the list of permitted keys for those online services, and also adding a backup 2FA usually in the form of TOTP since now I only have 1 hardware key. All services I used (homectl, Dropbox, Google, my bank and GitHub just to name a few) allowed the adding & removing of keys, once authenticated using password + some form of 2FA. Overall it wasn't more complicated than if a password were to be compromised.
                      Last edited by bzs0; 18 May 2022, 12:18 PM.
