Vincent43
How does rotating the LUKS password help you when you store the header on AEGIS? What's the point of using yubikey at all then? I think that your ideas described here are fine...
Challenge is stored in clear, available to anyone. If someone has access to yubikey, the response and at least half of luks passphrase is available. That means it works...
Challenge is stored alongside encrypted disk so it doesn't count as a factor. Without access to this data everything is pointless. Having yubikey is enough to get correct response. Changing...
You may try enabling debug mode by removing `#` from https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde.conf#L53 then regenerate mkinitcpio. If I understand correctly you have encrypted /boot and unencrypted /boot/efi - how do you copy...
If you enable debug mode as I suggested above then you may see some messages on your screen during boot which could help understanding what's going on. Keeping yubikey inserted...
> I noticed that ykfde DOES unlock my drive, after boot, I see the ykfde hook at the start of the linux boot cycle, right after I select my OS...
> Setting DBG=1 and regenerating the unified kernel image did not reveal anything interesting. Are there any messages at all? Could you upload a photo? Could you show your /etc/ykfde.conf?...
Since you have /boot encrypted and don't have access to initramfs on early boot, it's grub which asks for your password first and grub doesn't support yubikey unlocking. After you...
Note that I specifically wrote _/boot_ **not** _boot partition_. On your system `/boot` and `/boot/efi` are on different partitions - the former is encrypted and the latter not. Initramfs are...
It would be enough to change mountpoint of efi partition from /boot/efi to /boot. You also need to reinstall all kernels and grub.