I'm trying to understand the principle of operation, but there are some gaps in my understanding.
Please correct me if I'm wrong.
1: Joe Average might not understand the config options for ykfde because LUKS key slots are not exactly obvious after default setup (maybe Fedora makes it too easy?)
Suggested doc edit: add a sentence or two about LUKS keys before explaining configs.
E.g.: LUKS keeps the disk encryption key internally but allows up to 8 slots to be configured so different users could unlock the disk with different passphrases. ykfde generates the key from the YubiKey [+ user's passphrase (optional)].
Followup question: why should ykfde be limited to a specific slot? Default LUKS will try all slots with the given passphrase until one unlocks or all of them fail. Why not do the same thing?
2: In ykfde, "2nd factor" seems to mean a passphrase. That's kind of confusing to a new user.
Suggested doc edit: change mentions of "2nd factor" to "ykfde passphrase".
3: It's not immediately obvious that the main purpose of the "ykfde" executable is to generate a new challenge and update the LUKS slot passphrase.
Suggest adding a sentence to --help description (since there's no man page).
3.5: Non-2nd factor mode is basically the same thing as 2nd factor, but using a blank passphrase.
Suggest removing mention of 2nd factor from the config file. Instead, it's easier to simply ask the user for a passphrase on every run of ykfde (if an interactive shell is detected) and allow it to be entered as blank. If no interactive shell is detected, or if a switch is used (e.g. "-no-passphrase"), then use no-passphrase mode.