All,
I’d like some help fixing/setting up FDE on Tumbleweed. I’m slowly trying to achieve the goal of using OSes that are not necessarily super hardened (i.e., not Qubes) but to encrypt everything at baseline. My goal now is to have the following:
- Full disk encryption of a Btrfs partition with LUKS using the new systemd-boot available on Tumbleweed, encrypted swap optional (I have 32 GB of RAM and I’m testing this primarily on a gaming rig. I believe using ZRAM via systemd-zram-service is feasible for now).
- I’d like to use FIDO2 as the primary way to unlock the FDE, with password as fallback. The YubiKey I have is a bit old (2020), but I have tested it and it doesn’t seem like any of the problems I encountered were due to the YubiKey itself.
- I’d like to use ReaR to do full backup with OS recovery ISO. My understanding is that ReaR does not officially support openSUSE, but I was encouraged by one of the members of the project to go ahead and try it out, so we’ll see where it goes.
My latest progress is that I have tried two configurations of the initial FDE setup, following the instructions in this article: Quickstart in Full Disk Encryption with TPM and YaST2 - openSUSE News
- Encrypted root + encrypted swap: this setup did not work. More specifically, I would boot, the YubiKey would flash after selecting Tumbleweed at the systemd-boot options screen, and then I would get kicked out to an emergency shell every time. SOMETIMES, depending on if I was lucky, I would exit back out of the rescue shell, the YubiKey would flash again, and then it would proceed to the GNOME login screen. However, other times it would give me timeout errors and just hang indefinitely. I believe it may be related to something along the lines of this: Support unlocking multiple LUKS devices with FIDO2 · Issue #23889 · systemd/systemd · GitHub. I see journalctl logs that say that I didn’t respond to the prompt quickly enough, which isn’t the case (after the initial failures I basically just kept tapping the key throughout the boot process). However, I think, as explained in the systemd issue, that the boot process isn’t letting the YubiKey prompt again for some reason, and this only happens (inconsistently) after things get halted and restarted due to dropping to the emergency shell. Errors below, and if anyone can reproduce this and confirm the issue that would be awesome.
- Then I tried no encrypted swap, and I believe this confirms my suspicions about the bug above. It works perfectly fine to log in with only one encrypted partition! The YubiKey flashes, I touch it, and then it proceeds right to GNOME after a short wait. HOWEVER, I noticed that once FIDO2 is set up there is no normal configuration where you can get the password fallback to work. I tried both having the YubiKey plugged in and ignoring the prompt, which is maybe admittedly an odd scenario (it just fails to the rescue shell), but I also tried booting without the YubiKey at all, and it just hangs indefinitely with no password prompt. This seems like some sort of misconfiguration to me, but I can’t figure out how to configure /etc/crypttab to make this work. token-timeout seems to have no effect on this behavior on my system…
Any help would be appreciated!
Thanks,
Chris
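For reference, an added example (not from the post above) of the /etc/crypttab shape the question is about: a FIDO2-enrolled LUKS volume with a passphrase fallback, using the crypttab(5) options fido2-device= and token-timeout=. The mapper name, UUIDs and the 30s value are assumed placeholders.

```text
# /etc/crypttab (constructed example; replace the UUID placeholder with your own)
#
# fido2-device=auto  : unlock with whatever FIDO2 token was enrolled via
#                      systemd-cryptenroll; the token must have been enrolled
#                      for this volume, otherwise only the passphrase works.
# token-timeout=30s  : how long systemd-cryptsetup waits for the token to
#                      appear; once it elapses, it falls back to a passphrase
#                      prompt instead of waiting indefinitely.
# tries=3            : number of passphrase attempts before giving up.
#
# name     device                                       keyfile  options
cr_root    UUID=00000000-0000-0000-0000-000000000001    none     fido2-device=auto,token-timeout=30s,tries=3
```

On a dracut-built initrd the file is copied into the initrd, so (assumption, not confirmed by the post) the initrd has to be regenerated after editing it or the old options stay in effect at boot.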