Bug#1059745: ITP: cryptsetup-2fa -- 2FA plugin for cryptsetup
On Sun, 31 Dec 2023 at 21:23, Guilhem Moulin <guilhem@debian.org> wrote:
>
> Hi,
>
> On Sun, 31 Dec 2023 at 18:49:30 +0800, YunQiang Su wrote:
> > 2 methods are supported for 2FA:
> > - Yubikey Challenge
> > - TPM2 Keypair
>
> If your concern is to make these work with cryptsetup-initramfs, there
> are #1023700 and #1031254 open against src:cryptsetup. The plan is to
I tried some methods before I wrote this script, and I also tried dracut.
Yes, dracut works well with cryptsetup-initramfs.
The problem for me is that none of these ways can work with suspend.
I mean that when the PC resumes from suspend, I wish that the disk is
encrypted instead of decrypted.
In fact, hibernate is an option for me, but currently, the Linux kernel cannot
support hibernate if an encrypted disk is used.
> have that in trixie. Did you check if the solutions proposed there
> cover your use case? Otherwise, IMHO a wishlist bug against
> src:cryptsetup would be better than using a separate source package.
>
If this script can be accepted into src:cryptsetup, I will be very glad to
help it happen.
Yes, I noticed cryptsetup-suspend is in src:cryptsetup, while
src:yubikey-luks is a separate source package.
I tried src:yubikey-luks, but it lacks some features, and upstream
seems not active now.
https://github.com/cornelinux/yubikey-luks/pull/92
> > PIN-less is also supported, if the PINs are present in
> > /etc/cryptsetup/2fa.conf.
>
> I'm not really thrilled to see /etc/cryptsetup (and /lib/cryptsetup)
> used outside src:cryptsetup. These directories are not documented as
> drop-in.
>
> --
> Guilhem.