YubiKey Full Disk Encryption
Tutorial to create full disk encryption with YubiKey, encrypted boot partition and secure boot with UEFI, using Arch Linux.
This repository contains a step-by-step tutorial to create a full disk encryption setup with two-factor authentication (2FA) via YubiKey. It contains:
+ YubiKey encrypted root (/) and home (/home) folder on separate partitions
+ Encrypted /boot partition
+ UEFI Secure Boot (self-signed boot loader)
A collection of brief guides for installing Arch Linux with LUKS full disk encryption over a UEFI based system. While I was further exploring the Linux universe seeking the answer to the meaning of life, I met a challenge of never matched difficulty: full disk encryption using LUKS over a UEFI based system. Many are the guides available on the web but none of them fulfilled my thirst for knowledge, as some were for older non-GPT installs or a bit too vague for a first-time approach of the argument. Therefore, here I share with you what I’ve learned during my journey… BTRFS as well!
Morgan Marquis-Boire posted a pointer to this advice from CrowdStrike on how to build a ‘burner laptop’ for hostile environments. The Arch Linux-based system uses a very interesting configuration, such as embedding GRUB onto the SPI flash for the root of trust.
Excerpt from introduction of readme:
A Reasonably Secure Travel Laptop Setup
This repository contains auxiliary scripts and configurations around building a reasonably secure travel laptop using coreboot with a GRUB2 payload. The scripts and configurations have been tested with an ArchLinux setup but should be adaptable to other distributions easily. A reasonably secure travel laptop following the approach laid out here will boot only a signed kernel and initrd and assure user-space integrity with a dm-verity protected root filesystem. If you require confidentiality, it is additionally recommended to encrypt the entire filesystem or use a separate, encrypted /home partition. Building coreboot and GRUB2 for your target laptop and flashing the appropriate image is out of the scope of this repository’s contents and documentation. You can find more information on the coreboot Wiki.