feat(luks): add LUKS section

ci: push tag
Co-authored-by: Gemini <gemini@google.com>
2026-02-14 21:57:12 +01:00 · 2026-02-14 02:33:16 +01:00 · 2026-02-14 02:19:20 +01:00 · 2026-02-14 02:18:49 +01:00 · 2026-02-14 02:09:05 +01:00 · 2026-02-14 02:07:44 +01:00
2 changed files with 57 additions and 5 deletions
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -7,7 +7,7 @@ on:
      - main
    paths:
      - '**.md'
-      - '.gitea/workflows/**'
+      - '.github/workflows/**'
      - 'md-pdf.ron'
 jobs:
@@ -61,10 +61,19 @@ jobs:
          echo "tag=$NEW_TAG" >> $GITHUB_OUTPUT
          echo "Next version : $NEW_TAG"
      - name: Push Tag
        run: |
          git config user.name "Gitea Actions"
          git config user.email "actions@gitea.local"
          git tag ${{ steps.version.outputs.tag }}
          git push origin ${{ steps.version.outputs.tag }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Create release and upload PDF
      # Note: softprops works very well on recent Gitea
      - name: Create Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v1
        if: ${{ steps.version.outputs.tag != '' }} # Safety check
        with:
          tag_name: ${{ steps.version.outputs.tag }}
--- a/README.md
+++ b/README.md
@@ -1,14 +1,11 @@
 ---
 title: "PIS"
 subtitle: "Policy for Internal Security"
 #logo: "path/to/logo.png"
 author: "Rémi Heredero "
 language: "en"
 tags: ["gpg", "ssh", "x509", "YubiKey", "security"]
 toc: false
 template: "simple"
 #date: "2026-01-23"
 #version: "0.0.1"
 ---
 # Policy for Internal Security
@@ -206,6 +203,52 @@ ssh-keygen -D /usr/lib64/libykcs11.so.2 \
 ```
 This creates the file `id_ed25519_sk-keyring-cert.pub` that is the certificate to use for authentication. 
 ---
 # LUKS
 It's possible to add a Yubikey as a second option to unlock a LUKS partition.
 The first step is to find the encrypted partition.
 ```bash
 lsblk
 ```
 `nvme1n1p3` is the encrypted partition in my case.
 ## Enroll
 Add a new way to unlock the partition with the YubiKey. This add a FIDO device, not replace the password way. You can still unlock the partition with the password if you forget the YubiKey.
 This step have to be done for each Yubikey you want to use to unlock the partition.
 ```bash
 sudo systemd-cryptenroll --fido2-device=auto /dev/nvme1n1p3
 ```
 Actual passphrase is requested, then Yubikey Fido2 PIN, then you have to touch it 2 time to confirme presence.
 ## Config `/etc/crypttab`
 This step have to be only once.
 Backup and edit crypttab
 ```bash
 sudo cp /etc/crypttab /etc/crypttab.bak
 sudo nano /etc/crypttab
 ```
 Add `,fido2-device=auto` (without any space) at the end of the line that describe the encrypted partition. It should look like that at the end: 
 ```
 luks-1234... UUID=1234... none discard,fido2-device=auto
 ```
 ## Re-Generate initramfs
 This step have to be only once.
 After enrolling the YubiKey, you need to re-generate the initramfs to be able to unlock the partition at boot time.
 ```bash
 sudo dracut -f
 ```
 ---
 # Troubleshooting
Author	SHA1	Message	Date
Klagarge	4ce9cc1fb0	feat(luks): add LUKS section All checks were successful Build PDF & Release / release (push) Successful in 1m41s Details	2026-02-14 21:57:12 +01:00
Klagarge	0f0ba243d5	ci: push tag All checks were successful Build PDF & Release / release (push) Successful in 1m37s Details Co-authored-by: Gemini <gemini@google.com>	2026-02-14 02:33:16 +01:00
Klagarge	03031b5ca8	chores: remove unused metadata Some checks failed Build PDF & Release / release (push) Failing after 1m35s Details	2026-02-14 02:19:20 +01:00
Klagarge	07a101488b	ci: fix path	2026-02-14 02:18:49 +01:00
Klagarge	69d6a42f5c	chores: add version All checks were successful Build PDF & Release / release (push) Successful in 1m39s Details	2026-02-14 02:09:05 +01:00
Klagarge	d85f72fc92	ci: fix release version Co-authored-by: Gemini <gemini@google.com>	2026-02-14 02:07:44 +01:00