YubiKey Full Disk Encryption

This repository contains a step-by-step tutorial to create a full disk encryption setup with two factor authentication (2FA) via YubiKey. It contains:

• YubiKey encrypted root (/) and home (/home) folder on separated partitions
• Encrypted /boot partition
• UEFI Secure boot (self signed boot loader)
• YubiKey authentication for user login

Currently guides for:

• Arch Linux with helper scripts

Additional security chapter:

• Disable INTEL AMT
• Disable AMD PSP

Why

It took me several days to figure out how to set up a fully encrypted machine with 2FA. This guide should help others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step guide to get the above things done.

I guess the entire manual will take between 1 - 3 hours.

Prerequisites

You should be familiar with linux and should be able to edit files with vi Vi Cheat Sheet. You need an USB stick for the Linux Live environment and a second computer would be useful for look ups and to read this guide while preparing your fully encrypted Linux.

And of course you will need at least two YubiKeys.

WARNING: You gonna get a bricked machine if you only have a single Yubikey and it breaks.

Support this guide

• Star this project on GitHub
• Spread this guide, so everyone can use it
• Help to improve this guide, create an issue

Documentation

For the latest online documentation visit http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/. Refer the Quick Start section for a detailed explanation.

Documentation is in the book tree, and can be compiled using bookdown or Docker

$ docker run -it --rm -v $(pwd):/app sandrokeil/bookdown bookdown.json
$ docker run -it --rm -p 8080:8080 -v $(pwd):/app php:7.1-cli php -S 0.0.0.0:8080 -t /app/html

or run bookdown

$ ./vendor/bin/bookdown bookdown.json
$ php -S 0.0.0.0:8080 -t html/

Then browse to http://localhost:8080/