agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0

YKFDE_CHALLENGE= in /etc/ykfde.conf appears to not work #69

Closed GIJack closed 3 years ago

GIJack commented 3 years ago

Hi, the YKFDE_CHALLENGE= key appears to not work in /etc/ykfde.conf

I am putting the exact same password to unlock it with 2FA, but with 1FA it doesn't seem to go.

edit: As in it seems to fail to authenticate. "No Key available with this passphrase"

Running latest archlinux

$ pacman -Q yubikey-full-disk-encryption
yubikey-full-disk-encryption r143.2ce7aa7-1

$ pacman -Q cryptsetup
cryptsetup 2.3.4-1

Vincent43 commented 3 years ago

The same challenge will result in different LUKS passphrases in 2FA and 1FA, so you have to enroll them both first. Keep in mind that using the same challenge for 2FA makes it no better than 1FA.

GIJack commented 3 years ago

How do you enroll 1FA? There are no instructions, just 2FA.

Here is what I am trying to do: Turn on, hit the button, and system boots.

Vincent43 commented 3 years ago

For 1FA you need to uncomment and set YKFDE_CHALLENGE to a non-empty value, then enroll it as instructed in the README.

Falroi commented 3 years ago

Any value or is this something that needs to be generated?

Vincent43 commented 3 years ago

@Falroi any value no longer than 64 characters, which is a YubiKey limitation. It's up to you.
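
The behaviour Vincent43 describes in the comments above, as an added Python sketch that is not part of the thread or the project's code. It assumes that 1FA uses the token's response alone as the LUKS passphrase and that 2FA uses the SHA-256 hex digest of the typed challenge followed by the response; the token is replaced by software HMAC-SHA1 over a constructed secret, and the `Keyslots` class is a hypothetical stand-in for the LUKS header.

```python
import hashlib
import hmac

MAX_CHALLENGE = 64  # YubiKey challenge limit stated in the thread
SECRET = bytes(range(20))  # constructed 20-byte slot secret, not a real key


def token_response(challenge: str) -> str:
    """Software stand-in for the token's HMAC-SHA1 challenge-response slot."""
    data = challenge.encode()
    if not 0 < len(data) <= MAX_CHALLENGE:
        raise ValueError("challenge must be 1 to 64 bytes")
    return hmac.new(SECRET, data, hashlib.sha1).hexdigest()


def passphrase_1fa(stored_challenge: str) -> str:
    # Assumption: YKFDE_CHALLENGE is sent as is; the response alone is the passphrase.
    return token_response(stored_challenge)


def passphrase_2fa(typed_challenge: str) -> str:
    # Assumption: the typed value is SHA-256 hashed, the hex digest is the
    # challenge, and the passphrase is digest + response.
    digest = hashlib.sha256(typed_challenge.encode()).hexdigest()
    return digest + token_response(digest)


class Keyslots:
    """Hypothetical model of a LUKS header: one stored hash per enrolled passphrase."""

    def __init__(self):
        self._slots = set()

    def enroll(self, passphrase: str) -> None:
        self._slots.add(hashlib.sha256(passphrase.encode()).digest())

    def unlock(self, passphrase: str) -> bool:
        return hashlib.sha256(passphrase.encode()).digest() in self._slots


def demo(challenge: str = "correct horse"):
    volume = Keyslots()
    volume.enroll(passphrase_2fa(challenge))           # only 2FA enrolled so far
    before = volume.unlock(passphrase_1fa(challenge))  # same text, 1FA boot path
    volume.enroll(passphrase_1fa(challenge))           # enroll again with YKFDE_CHALLENGE set
    after = volume.unlock(passphrase_1fa(challenge))
    return before, after
```

`demo()` returns `(False, True)`: the 1FA passphrase opens the volume only after it has been enrolled in its own keyslot, even though the challenge text is the same in both modes.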

NgoHuy commented 1 year ago

Very strange, I entered the challenge in the config and verified it worked manually. But it did not work when booting.

Vincent43 commented 1 year ago

@NgoHuy what happens on boot then? Did you regenerate the initramfs after editing ykfde.conf? You may also enable debug mode to see more info.

NgoHuy commented 1 year ago

> @NgoHuy what happens on boot then? Did you regenerate the initramfs after editing ykfde.conf? You may also enable debug mode to see more info.

Sorry, I use another config for the other partition. I must change the file to the other one, or I need to generate the response manually and add it to the encrypted partition with cryptsetup.

Vincent43 commented 1 year ago

Do you mean you have multiple encrypted partitions protected with different ykfde challenges and want to decrypt them all on boot? Such a scenario isn't really supported by this project.

NgoHuy commented 1 year ago

> Do you mean you have multiple encrypted partitions protected with different ykfde challenges and want to decrypt them all on boot? Such a scenario isn't really supported by this project.

Yes, I know. I must create different configs and different hooks; it worked. But ykfde-enroll only supports /etc/ykfde.conf; I must create the response as a key and add it manually using cryptsetup. Another way is to edit the main file, but then edit it again when done. Should we have an option to point to another config file?