Please read the disclaimer before proceeding. This solution is updated regularly. If you have suggestions or requests, please write support@kfocus.org.
Change the disk encryption password immediately after first boot. It is critical you type this carefully, remember it, and keep a copy somewhere safe because THERE IS NO WAY TO RECOVER THE DISK IF THE PASSPHRASE IS LOST! Open a terminal and enter the following:
Only one key is used for normal encryption, and two if using a YubiKey. You may see the used slots by entering the following command:
If you see more keys than expected, you may remove them. Do this carefully and make sure your data is backed-up before proceeding! In the example below, we remove a key from slot 2.
Use the luksDump command as shown above to ensure the slot has been removed.
Use the following command to add a new key:
If you purchased a pre-configured YubiKey you won’t need this except to change your password. The procedure below is based primarily on this guide and then verified on the Focus.
The default /etc/ykluks.cfg file should be fine. However, you may customize it as you see fit.
Enter your passphrase.
Modify /etc/crypttab to include the keyscript option as shown. NOTICE THE DISK UUID YOU SEE WILL BE DIFFERENT - DO NOT CHANGE IT!. Also make sure the entry is on a single line in the file, even if it wraps in the codeblock below.
Reboot and insert Yubikey on the initial passphrase screen to test your password. You should be able to use your YubiKey passphrase or your regular passphrase. We suggest you always keep the first passphrase but ensure it is long and complex. This provides a method to use the system even if you lose your Yubikey. As always, store your passphrases safely.
Kleopatra is a certificate manager and a universal crypto GUI. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers.
Secure Shell (SSH) is a versatile tool. One can use it for remote access, port forwarding, tunneling, and secure file transfers. It is supported by many graphical tools on Linux. The Dolphin file manager, for example, supports secure file transfers using sftp.
A default configuration is provided and annotated in .ssh/config for all new users. You may study it to see how to maintain constant connection and add shortcuts for specific hosts.
OpenVPN is installed to ease connection to corporate networks. However, there are many other VPN clients which we will detail as needed.
Content will be added as needed.
This is a partial revision history. See the git repository for all entries.
2021-10-10 5728326e Reformat to 2-column2021-09-22 dc862884 Update link and headline colors2021-08-23 681261b4 Review and update codeblocks2021-08-20 ca2282bf Add XE spec, Yubikey details2021-03-13 e0214298 Update Yubikey; Add autoremove advice2020-06-10 c4ed9299 Restructure layout2020-06-08 a963ce3f First publicationWe try hard to provide a useful solution validated by professionals. However, we cannot anticipate every situation, and therefore cannot guarantee this procedure will work for your needs. Always backup your data and test the solution to determine the correct procedure for you.
THIS SOLUTION IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOLUTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.