Refine deferred disk encryption and passphrase handling#1726

Merged: brianmcgillion merged 2 commits into tiiuae:main from vunnyso:vs-YubikeyFDE on Feb 11, 2026
Conversation

@vunnyso (Collaborator) commented Feb 4, 2026

Description of Changes

This commit introduces several refinements to the deferred disk encryption process, focusing on robustness, passphrase handling and control over LUKS slot management.

In the debug image, the default passphrase for encryption has been standardized to "ghaf", addressing limitations with empty passphrases in systemd-cryptenroll.

Fixed a resize issue with the release-installer when disk encryption is used.

Users can enroll with either TPM2 or FIDO2, and the Yubikey can be utilized for both disk encryption and user account management.

The table below shows the key enrolment difference:

PR:

    [ghaf@ghaf-host:~]$ sudo systemd-cryptenroll /dev/nvme0n1p3
    SLOT TYPE
    0 password
    1 tpm2
    2 recovery

Mainline:

    [ghaf@ghaf-host:~]$ sudo systemd-cryptenroll /dev/nvme0n1p3
    SLOT TYPE
    0 password

By default, tpm2 will be enabled.

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. PR functionality is available with the installer only, when used with the -e option.

       sudo ghaf-installer -e
    
  2. Users can change to fido2 by modifying default = "fido2" in disk-encryption, so that the Yubikey can be used for both disk encryption and user account management.

  3. When using fido2, the user needs to confirm presence by tapping on the Yubikey once encryption is complete, as illustrated below.
    (screenshot omitted)

  4. Test tpm2 and fido2 functionality with debug and release images when disk encryption is used.

| Enrolment | Debug Image | Release Image |
|-----------|-------------|---------------|
| fido2 | Need to tap on Yubikey on every boot to unlock disk | Need to tap on Yubikey and enter encryption password |
| tpm2 | System will boot automatically without user interaction | Need to enter TPM PIN and encryption password |
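A post-enrolment check for the slot listing shown in the table above, as an added example that is not part of the ghaf PR or the systemd project: it parses the `SLOT TYPE` output of `systemd-cryptenroll <device>` and compares the enrolled slot types against what the image is expected to have. The function names and the two sample listings are assumptions constructed to match the PR description.

```shell
#!/usr/bin/env bash
# Added example (not from the ghaf PR): verify which LUKS key slot types
# systemd-cryptenroll reports, so a forgotten or unexpected slot is caught
# right after enrolment instead of at the next boot.
set -u

# Print the TYPE column of a listing read from stdin, one per line, in
# slot order. The first line is the "SLOT TYPE" header and is skipped.
luks_slot_types() {
  awk 'NR > 1 && NF >= 2 { print $2 }'
}

# verify_enrolment LISTING EXPECTED_TYPE...
# Returns 0 when the listing contains exactly the expected slot types
# (order-insensitive), 1 otherwise; the difference is reported on stderr.
verify_enrolment() {
  local listing="$1"; shift
  local have want
  have=$(printf '%s\n' "$listing" | luks_slot_types | sort)
  want=$(printf '%s\n' "$@" | sort)
  if [ "$have" != "$want" ]; then
    printf 'expected slot types: %s\n' "$(echo $want)" >&2
    printf 'found slot types:    %s\n' "$(echo $have)" >&2
    return 1
  fi
  return 0
}

# Constructed sample listings, copied from the PR description's table.
PR_LISTING='SLOT TYPE
0 password
1 tpm2
2 recovery'
MAINLINE_LISTING='SLOT TYPE
0 password'

# On a real host, assuming the device path from the PR:
#   verify_enrolment "$(sudo systemd-cryptenroll /dev/nvme0n1p3)" password tpm2 recovery
```

The expected list should name every slot the image is supposed to have, so a leftover plain-password slot on a host meant to rely on TPM2 or FIDO2 shows up as a mismatch.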

This commit introduces several refinements to the deferred
disk encryption process, focusing on robustness, passphrase
handling and control over LUKS slot management.

In debug image, the default passphrase for encryption has
been standardized to "ghaf", addressing limitations with
empty passphrases in `systemd-cryptenroll`.

User can enroll with either TPM2 or FIDO2 and the
Yubikey can be utilized for both disk encryption and
user account management.

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>

List of changes:
- Use systemd-ask-password for passphrase prompting
- Retry LUKS resize until successful
- Run post-boot script via boot.postBootCommands
- Update extendbtrfs service dependencies
- Fix screen text wrapping issue.

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>
@brianmcgillion brianmcgillion merged commit 6e68cd6 into tiiuae:main Feb 11, 2026
31 checks passed

Labels

Needs Testing CI Team to pre-verify
