Merge pull request #285 from hadjilucasL/fixup-fde-flow

Updates to Full Disk Encryption with TPM2 blog post based on latest run.
openSUSE · Nov 19, 2024 · e846307 · e846307
2 parents c11ba0b + fc042ff
commit e846307
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/_posts/2024/2024-09-20-quickstart-fde-yast2.md b/_posts/2024/2024-09-20-quickstart-fde-yast2.md
@@ -60,13 +60,19 @@ Boot new system
 * Login
 * Enroll system:
   * With TPM2 chip: `sdbootutil enroll --method tpm2`
-  * With FIDO2 key: `sdbootutil enroll --method fido2`
+  * With FIDO2 key: `sdbootutil enroll --method fido2` 
+* Make a note of the recovery pin. If you receive a `keyctl_set_timeout permission denied` error with the above commands, 
+  try executing them within a root user shell (e.g. `sudo bash`) versus using `sudo sdbootutil enroll ..`.
 * Optional, but recommended:
   * Upgrade your LUKS key derivation function (do that for every encrypted device listed in `/etc/crypttab`):
   ```
           # cryptsetup luksConvertKey /dev/vdaX --pbkdf argon2id
           # cryptsetup luksConvertKey /dev/vdaY --pbkdf argon2id
   ```
+  If `/etc/crypttab` indicates devices with a `UUID=..` instead of `/dev/..` then use the syntax:
+  ```
+          # cryptsetup luksConvertKey UUID=.. --pbkdf argon2id
+  ``` 
 
 ## Adjusting kernel boot parameters