Arch Linux Installer Preparing FIDO2 Support For Handling Disk Encryption
Originally posted by OneTimeShot:
Yubikeys are really cool (Linux friendly FIDO support, Smartcard support, HSM replacement, etc.)... ...but I'm not sure if I trust myself to not lose it for my own systems. At the office, I'd just ask for a replacement. At home, it'd be a definite "@£$% how do I get back in now?" moment.

For a backup key, I think you can deactivate and re-enroll the backup and a new one you buy, yes.
Originally posted by jjmcwill2003:
So the question is: while I possess key2, can I purchase key3 and enroll it, then put it in a safe space, and continue to use key2 as my main key?
Presumably I'd also take key1 off the list of keys that can unlock my encryption since I no longer possess that key.
I pushed one additional PR to add PIN support, so that should be working in the release.
As dylan pointed out, it's in a very early stage behind `--advanced` for now - but should be functioning.
Do let us know if there's anything wonky with this feature and we'll tweak it.
Here are two snippets of the feature:
Locking: https://youtu.be/IY24ughIMok
Unlocking: https://youtu.be/35L54syE8II
One concern that came to mind while implementing this was how quickly the disk unlocks with a FIDO2 device.
I get that there's more trust here, but using something like a PCI/USB emulation tool to brute force, would this be possible?
I hope there's a mechanism that kicks in to prevent this.
It also uses password enrollment, so you could use a strong password and lock that in somewhere as your backup.
Which means password + fido2 is used. Post-configuration can remove or add keys as you choose.
Anyway, enjoy the feature and keep us posted of how it works! (preferably on GitHub but anywhere is fine really)
Last edited by Torxed; 18 May 2022, 11:44 AM.
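As an added example (not archinstall's or Torxed's code) of checking the "password + fido2" layout described above from the defender's side: parse the LUKS2 JSON metadata and confirm that a passphrase-only fallback slot exists, that more than one FIDO2 token is enrolled, and that each FIDO2 token requires a client PIN. The metadata sample is constructed, and the token fields assume enrollment was done with systemd-cryptenroll, which writes `systemd-fido2` tokens.

```python
"""Audit the LUKS2 token layout produced by a password + FIDO2 enrollment.

Constructed example. Real metadata can be exported with:
    cryptsetup luksDump --dump-json-metadata /dev/sdX
"""
import json

# Constructed LUKS2 JSON metadata, trimmed to the fields the audit needs.
# Slot 0 is a plain passphrase slot; slots 1 and 2 are driven by FIDO2 tokens.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "luks2", "key_size": 64},
        "2": {"type": "luks2", "key_size": 64},
    },
    "tokens": {
        "0": {"type": "systemd-fido2", "keyslots": ["1"],
              "fido2-rp": "io.systemd.cryptsetup",
              "fido2-clientPin-required": True,
              "fido2-up-required": True, "fido2-uv-required": False},
        "1": {"type": "systemd-fido2", "keyslots": ["2"],
              "fido2-rp": "io.systemd.cryptsetup",
              "fido2-clientPin-required": False,   # weak: no PIN on this token
              "fido2-up-required": True, "fido2-uv-required": False},
    },
})


def audit_luks2_tokens(metadata_json: str) -> dict:
    """Classify keyslots as FIDO2-bound or passphrase-only and list findings."""
    meta = json.loads(metadata_json)
    bound = {}  # keyslot id -> the systemd-fido2 token that unlocks it
    for tok in meta.get("tokens", {}).values():
        if tok.get("type") == "systemd-fido2":
            for slot in tok.get("keyslots", []):
                bound[slot] = tok
    passphrase_only = sorted(s for s in meta.get("keyslots", {}) if s not in bound)
    findings = []
    if not bound:
        findings.append("no FIDO2 token enrolled")
    if not passphrase_only:
        findings.append("no passphrase-only slot: losing the token locks you out")
    if len(bound) < 2:
        findings.append("only one FIDO2 token: enroll a backup token")
    for slot, tok in sorted(bound.items()):
        if not tok.get("fido2-clientPin-required"):
            findings.append(f"slot {slot}: FIDO2 token without client PIN")
    return {"fido2_slots": sorted(bound), "passphrase_slots": passphrase_only,
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit_luks2_tokens(SAMPLE_METADATA), indent=2))
```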
Originally posted by sinepgib:
I guess periodic backups should ease your pain in the worst case scenario that you lose both. But if we're gonna check catastrophic scenarios, maybe both your local and offsite backups died in the nuclear winter too.
For a backup key, I think you can deactivate and re-enroll the backup and a new one you buy, yes.

And I don't mean for security, but for sheer convenience when having to deal with a ton of passwords and 2FA. I mean, these things even work with your phone over NFC!
Originally posted by luno:
Arch Linux Installer is really amazing, Arch Linux became one of the easiest distros to install with it. Is there any API to install it on multiple machines?
Originally posted by bug77:
One thing that works against you is Arch is so solid, once installed, there's rarely a need to reinstall
Edit: Maybe I need to clarify in case someone doesn't get sarcasm.. There is no easter egg.. Maybe..
There definitely is no easter egg!
Originally posted by luno:
Arch Linux Installer is really amazing, Arch Linux became one of the easiest distros to install with it. Is there any API to install it on multiple machines?

Code:
archinstall --config https://domain.lan/config.json --disk-layout ... --creds ...

Code:
archinstall --dry-run

You can also use the menu system to save the JSON files.
You can also do:

Code:
import archinstall ...

Code:
archinstall --profile https://domain.lan/your_profile.py
Last edited by Torxed; 18 May 2022, 01:06 PM.
Originally posted by bug77:
Yes, that is what I was asking. Also, what happens to the keys you lose? Can they be deactivated? Because when you lose the keys to your house, you kinda have to change the locks.

I was in the unfortunate position of having lost the yubikey I use to log in to my laptop (FIDO2 support set up through systemd-homed, thanks to Arch's excellent support for it) and some online services. And I couldn't buy another Yubikey for financial reasons. The remedy included revoking the lost yubikey using homectl and also removing that key from the list of permitted keys for those online services, and also adding a backup 2FA, usually in the form of TOTP, since now I only have 1 hardware key. All services I used (homectl, Dropbox, Google, my bank and Github just to name a few) allowed the adding & removing of keys, once authenticated using password + some form of 2FA. Overall it wasn't more complicated than if a password were to be compromised.
Last edited by bzs0; 18 May 2022, 12:18 PM.