2FA and 1FA & crypttab #31

Open
sniper7kills opened this issue Aug 10, 2018 · 5 comments
@sniper7kills

First off I just want to say amazing package; thank you so much for configuring this!

Secondly, I have a handful of encrypted drives. I wanted to inquire if it was possible to decrypt more than just the root drive while booting by setting an option in the /etc/crypttab file to use the yubifde package instead of prompting for a password.

Finally I wanted to inquire if it is possible to use both 2FA and 1FA depending on the drive.
I.E. ideally I would like my / partition to be 2FA, but then have my /home partition automatically decrypted using 1FA and a password stored on my / partition instead of a password stored in the config.

Again, love the package, thank you!

@agherzan
Owner

Hey. We haven't explored that level of flexibility yet. Mainly because this hasn't been a use case for us. I'd say that at this point the fastest option would be to try to look into it and maybe send a PR.

@Vincent43
Collaborator

For /etc/crypttab support and decrypting multiple devices, we would need to add a systemd-compatible hook.

@Vincent43
Collaborator

Alternatively, you can try to copy the ykfde hook as ykfde-home and add both to mkinitcpio, then adjust YKFDE_LUKS_DEV, YKFDE_DISK_UUID, YKFDE_LUKS_NAME, YKFDE_CHALLENGE, YKFDE_CHALLENGE_PASSWORD_NEEDED by appending the suffix -HOME to them inside ykfde-home, then add them with relevant values to /etc/ykfde.conf.

@hughwilliams94

Just to say, I've tried this ykfde-home solution and it works pretty well apart from having to enter my challenge password twice during startup. Can you think of any way that I'd be able to use manual mode for both devices but only have to enter my password once?

@Vincent43
Collaborator

Vincent43 commented Aug 25, 2021

There is no easy way to achieve that. One option is to write a systemd-compatible hook; the other is to add something like a decrypt_keyctl script.
