From fc042ff0699db069e44ded1410d054d4b49f785a Mon Sep 17 00:00:00 2001 From: Lucas Date: Sun, 10 Nov 2024 17:29:58 +0000 Subject: [PATCH] Update blog post based on running this from scratch on Nov 2024. --- _posts/2024/2024-09-20-quickstart-fde-yast2.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/_posts/2024/2024-09-20-quickstart-fde-yast2.md b/_posts/2024/2024-09-20-quickstart-fde-yast2.md index 44bb336e..a2cf0c2c 100644 --- a/_posts/2024/2024-09-20-quickstart-fde-yast2.md +++ b/_posts/2024/2024-09-20-quickstart-fde-yast2.md @@ -60,13 +60,19 @@ Boot new system * Login * Enroll system: * With TPM2 chip: `sdbootutil enroll --method tpm2` - * With FIDO2 key: `sdbootutil enroll --method fido2` + * With FIDO2 key: `sdbootutil enroll --method fido2` +* Make a note of the recovery pin. If you receive a `keyctl_set_timeout permission denied` error with the above commands, + try executing them within a root user shell (e.g. `sudo bash`) versus using `sudo sdbootutil enroll ..`. * Optional, but recommended: * Upgrade your LUKS key derivation function (do that for every encrypted device listed in `/etc/crypttab`): ``` # cryptsetup luksConvertKey /dev/vdaX --pbkdf argon2id # cryptsetup luksConvertKey /dev/vdaY --pbkdf argon2id ``` + If `/etc/crypttab` indicates devices with a `UUID=..` instead of `/dev/..` then use the syntax: + ``` + # cryptsetup luksConvertKey UUID=.. --pbkdf argon2id + ``` ## Adjusting kernel boot parameters
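Review bot: The added bullet `* Make a note of the recovery pin. If you receive a ...` packs two unrelated instructions into one top-level item, and the first of them does not say which command prints the recovery pin or at what point in the enrollment it appears. Since that pin is the fallback when the TPM2 or FIDO2 unlock fails, I would split this into two bullets nested under "Enroll system": one that names where the recovery pin is shown and tells the reader to store it somewhere other than the encrypted disk, and one for the `keyctl_set_timeout permission denied` workaround. In the workaround, "versus using `sudo sdbootutil enroll ..`" would read more clearly as "instead of prefixing the command with `sudo`", and the `..` placeholder could be written as `--method <tpm2|fido2>` to match the two commands above it. The removed and added FIDO2 lines read identically here, so that pair looks like a whitespace-only change; please confirm it is intended. For the new `UUID=..` block, a short sentence saying the value is copied verbatim from the first field of the `/etc/crypttab` entry would keep readers from guessing the format.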