The first-run wizard will encourage you to change your disk encryption passphrase on the first sign-in if the passphrase still matches the default. Whenever you change the passphrase, type it carefully and keep a copy somewhere safe because THERE IS NO WAY TO RECOVER THE DISK IF THE PASSPHRASE IS LOST!
Only one key slot is used for normal encryption, and two when a YubiKey is configured. You may list the slots in use by entering the following command:
If you see more keys than expected, you may remove them. Do this carefully and make sure your data is backed up before proceeding! In the example below, we remove the key from slot 2.
Re-run the luksDump command as shown above to ensure the slot has been removed.
Use the following command to add a new key:
If you purchased a pre-configured YubiKey you won't need this section except to change your password. The YubiKey documentation may be found here.
Insert the YubiKey into a USB slot. The center LED should flash once. It will not stay illuminated. As you use the key, the LED will flash under other circumstances.
The default /etc/ykluks.cfg file should be fine. However, you may customize it as you see fit.
Enter your passphrase.
Edit /etc/crypttab to include the keyscript option as shown. IMPORTANT! THE DISK UUID YOU SEE WILL BE DIFFERENT - DO NOT CHANGE IT! Also make sure the entry is on a single line in the file, even if it wraps in the code block below.
You can verify or recover the UUID by running lsblk --fs | grep 'crypto_LUKS' and then using the UUID of the correct volume. The partition for standard installations is typically
Reboot and insert the YubiKey at the initial passphrase screen to test your password. You should be able to use either your YubiKey passphrase or your regular passphrase. We suggest you always keep the first passphrase but ensure it is long and complex; this lets you use the system even if you lose your YubiKey. As always, store your passphrases safely.
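Two of the checks described above, listing the key slots in use and confirming that the /etc/crypttab entry references the lsblk UUID on a single line, as an added example that is not part of the original page. The luksDump and lsblk text it parses are constructed samples, and the keyscript path is a placeholder, so it runs without touching a real disk.

```shell
#!/bin/sh
# Audit helpers for the key-slot and crypttab checks above. Added example, not
# from the page; all inputs are constructed samples so nothing touches a disk.
# Constructed LUKS2 header dump in the layout `cryptsetup luksDump` prints.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# Print the numbers of the key slots in use, reading a luksDump on stdin.
# Recognises the LUKS2 "Keyslots:" section and LUKS1 "Key Slot N: ENABLED".
used_slots() {
    awk '/^Keyslots:/ { in_slots = 1; next }
         /^[^ \t]/    { in_slots = 0 }
         in_slots && $1 ~ /^[0-9]+:$/ { sub(/:/, "", $1); print $1 }
         /^Key Slot [0-9]+: ENABLED/  { sub(/:/, "", $3); print $3 }'
}

# Succeed when the dump on stdin uses no more slots than expected ($1:
# 1 for passphrase only, 2 once a YubiKey slot has been added).
slots_within_expected() {
    n=$(used_slots | wc -l | tr -d ' ')
    [ "$n" -le "$1" ]
}

# Constructed `lsblk --fs` output and crypttab entry. The keyscript path is a
# placeholder, not the real location of the script on any system.
SAMPLE_LSBLK='NAME   FSTYPE      LABEL UUID                                 MOUNTPOINT
sda1   vfat              1A2B-3C4D                            /boot/efi
sda3   crypto_LUKS       6f1a2b3c-4d5e-6f70-8192-a3b4c5d6e7f8'
SAMPLE_CRYPTTAB='sda3_crypt UUID=6f1a2b3c-4d5e-6f70-8192-a3b4c5d6e7f8 none luks,keyscript=/PATH/TO/ykluks-keyscript'

# Succeed when the crypttab text ($1) names, on one line together with the
# keyscript option, the UUID that lsblk ($2) reports for the crypto_LUKS volume.
crypttab_uuid_matches() {
    luks_uuid=$(printf '%s\n' "$2" | awk '/crypto_LUKS/ { for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9a-f-]+$/ && length($i) == 36) print $i }')
    [ -n "$luks_uuid" ] && printf '%s\n' "$1" | grep -q "^[^ ]* UUID=$luks_uuid .*keyscript="
}
```

On a real system, feed `cryptsetup luksDump` and `lsblk --fs` output to these functions in place of the samples; an unexpected third slot or a UUID mismatch is what you want to catch before rebooting.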
Kleopatra is a certificate manager and a universal crypto GUI. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers.
Secure Shell (SSH) is a versatile tool. One can use it for remote access, port forwarding, tunneling, and secure file transfers. Many graphical tools support SSH. For example, the Dolphin file manager can use SFTP for secure file transfers.
A default, annotated configuration is provided in .ssh/config for all new users. You may study it to see how to keep a connection alive and add shortcuts for specific hosts.
OpenVPN is installed to ease connection to the Virtual Private Networks used by many organizations. Many other VPN clients are also available.
Content will be added as needed.
This is a partial revision history. See the git repository for all entries.
2022-07-25 37da0b4f Enhance Yubikey directions
2021-10-10 5728326e Reformat to 2-column
2021-09-22 dc862884 Update link and headline colors
2021-08-23 681261b4 Review and update codeblocks
2021-08-20 ca2282bf Add XE spec, Yubikey details
2021-03-13 e0214298 Update Yubikey; Add autoremove advice
2020-06-10 c4ed9299 Restructure layout
2020-06-08 a963ce3f First publication
We try hard to provide a useful solution validated by professionals. However, we cannot anticipate every situation, and therefore cannot guarantee this procedure will work for your needs. Always back up your data and test the solution to determine the correct procedure for you.
THIS SOLUTION IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOLUTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.