I’m a Debian stable user and I’m discovering Kinoite. At the moment I use a partition setup that is similar to Kinoite (UEFI, unencrypted /boot because of a French keyboard, encrypted /). The computer is used by several users who have individual passphrases to unlock LUKS. I use individual passphrases in case I need to revoke access to a specific user without changing the passphrase for everyone else (if you have better ideas, I’m listening!).
Is it possible to add several LUKS passphrases after the installation of Kinoite? I don’t fully grasp what I can or cannot do that affects the whole system on Kinoite.
I would assume you can add LUKS passphrases as you have been doing as it’s not part of the immutable OS stuff. But I’m not a Kinoite user, so I might be missing something.
Why not install Kinoite in a VM and try to set up LUKS as you require?
I haven’t really tried it with Kinoite, but I don’t see how a LUKS volume should differ between RPM-based Fedora and Atomic Fedora (edit: as Barry already pointed out). You provide a passphrase and it tries to unlock the partition with the passphrase and the key slots it finds.
I expect you can simply use systemd-cryptenroll to add more key slots to your root partition.
You can check out candidate devices:
~ ❯ systemd-cryptenroll --list-devices
/dev/nvme0n1p3
/dev/disk/by-diskseq/1-part3
[more alternative paths]
And then add another key slot (adjust for your device, see the first command):
No better idea, that’s exactly what the key slots are intended for.
If your users have FIDO2 keys, you can add a user’s FIDO2 device to unlock a slot. This way, they wouldn’t have to type in a password and you can still revoke individual slots.
Oh, and for revoking slots, make sure you document which slot maps to which user, but you have probably thought about this already.
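Bookkeeping for the slot-to-user mapping mentioned above, as an added example (not the poster's code): it parses `cryptsetup luksDump` output for the slots in use, records which user owns a slot, flags undocumented slots, and prints the `systemd-cryptenroll --wipe-slot=` command that revokes one user. The map file path is a hypothetical choice, the luksDump text is a constructed sample, and the device path is the one from the post.

```sh
#!/bin/sh
# Key-slot bookkeeping for a multi-user LUKS root. Assumed/hypothetical:
# MAP_FILE (one "SLOT USER" per line) and DEV; adjust both for your system.
DEV="${DEV:-/dev/nvme0n1p3}"
MAP_FILE="${MAP_FILE:-/etc/luks-slot-users}"

# Constructed sample of LUKS2 `cryptsetup luksDump` output, trimmed to the
# parts parsed below (real output indents the per-slot fields with a tab).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
  0: systemd-fido2
        Keyslot:    2'

# Print the in-use key slot numbers, one per line. Reads luksDump output on
# stdin; on a real system: sudo cryptsetup luksDump "$DEV" | luks_slots_in_use
luks_slots_in_use() {
    awk '/^Keyslots:/ { in_ks = 1; next }
         /^[A-Za-z]/  { in_ks = 0 }
         in_ks && /^  [0-9]+: / { sub(":", "", $1); print $1 }'
}

# Record which user a slot belongs to, right after enrolling it with
# `systemd-cryptenroll --password "$DEV"` or `cryptsetup luksAddKey "$DEV"`.
record_slot() {  # record_slot SLOT USER
    printf '%s %s\n' "$1" "$2" >> "$MAP_FILE"
}

slot_for_user() {  # slot_for_user USER -> slot number, or nothing if unknown
    awk -v u="$1" '$2 == u { print $1 }' "$MAP_FILE"
}

# In-use slots that nobody is recorded for: an audit check worth running
# before revoking anything. Reads luksDump output on stdin.
unmapped_slots() {
    luks_slots_in_use | while read -r s; do
        grep -q "^$s " "$MAP_FILE" || echo "$s"
    done
}

# Print the command that wipes a user's slot (run it as root when ready;
# the other slots stay valid, so nobody else needs a new passphrase).
revoke_command() {  # revoke_command USER
    slot=$(slot_for_user "$1")
    [ -n "$slot" ] || { echo "no slot recorded for $1" >&2; return 1; }
    printf 'systemd-cryptenroll --wipe-slot=%s %s\n' "$slot" "$DEV"
}
```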
I can confirm adding additional LUKS passphrases with cryptsetup luksAddKey </dev/device> is working on Silverblue (using this setup on several systems), so it should work on Kinoite as well.