Setting up trezor on arch

· ranguna's blog

First attempt #

  1. Connect trezor to your machine;
  2. Go to trezor.io/start;
  3. Download the AppImage and set it as executable chmod +x downloaded-trezor.AppImage;
  4. Run the app;
  5. App is saying that things aren't properly configured :(

Installing the udev rules #

Either through an aur package or install them manually:

Trying the app again #

  1. Plug your trezor on your machine. Make sure the USB-C is correctly plugged into your trezor, you need to make a bit of force for it to snap into place;
  2. Run the app;
  3. Analytics prompt:
    1. Whatever you want, I disabled it because "How you use the Suit" is too broad.
  4. Install the firmware;
    1. Your trezor will display the installation process with a pie/round loading bar;
    2. After the installation is done, the device will restart.
  5. Setup your hardware. At time of writing these are the steps, they might be different for you, just follow the on-screen instructions:
    1. Setup your seed;
    2. Setup your PIN;
    3. Setup your crypto;
    4. Done.

2FA #

Gitlab #

  1. Login to gitlab.com;
  2. Got to User > Edit profile/Preferences > Account;
  3. Two-factor authentication > Manage;
  4. Register WebAuthn Device;
  5. Accept the trezor prompt;
  6. Sign out;
  7. Login again;
  8. Accept the trezor prompt;
  9. Done!

Github #

  1. Login to github.com;
  2. Got to settings > Password and authentication > Two-factor authentication > Security keys > Add;
  3. Go through your existing 2fa flow;
  4. Go to Security keys > Register new security key;
  5. Accept your trezor prompt;
  6. Sign out;
  7. Login again;
  8. Click "Use security key" > "use this method for future logins";
  9. Click "User security key" green button;
  10. Accept the trezor prompt;
  11. Done!

Passwordless login #

Placeholder:

Initial Setup #

  1. https://wiki.archlinux.org/title/Universal_2nd_Factor#Authentication_for_Arch_Linux
    1. Install the require packages: sudo pacman -Syu pam-u2f;
    2. Create the directory for your keys: mkdir ~/.config/Trezor;
    3. Setup your key: pamu2fcfg -o pam://HOSTNAME -i pam://HOSTNAME > ~/.config/Trezor/u2f_keys:
      • You could potentially save this on a different path, but I'll follow the arch guide for now;
      • I'm not sure, but I'm guessing the hostname here doesn't really matter and maybe you can use whatever you want, as long as you follow the same name thought the configs. Maybe it's even better to have different keys for different pam modules?

PAM #

  1. Edit your pam config for sudo:
    1. Open /etc/pam.d/sudo;
    2. Add the following line:
      • auth sufficient pam_u2f.so cue origin=pam://HOSTNAME appid=pam://HOSTNAME authfile=/home/YOUR_USERAME/.config/Trezor/u2f_keys.
    3. Save.
  2. Open a new terminal and run a sudo command;
  3. Done!

Login on tty #

  1. Edit your pam config for local login:
    1. Open /etc/pam.d/system-local-login;
    2. Add the following line:
      • auth sufficient pam_u2f.so nouserok origin=pam://hostname appid=pam://hostname authfile=/home/YOUR_USERAME/.config/Trezor/u2f_keys.
    3. Save.
  2. Change to a different tty and login;
  3. Done!

LUKS unlock #

Placeholders:

There are a ton of guides online on how to do this. This guide in specific will focus on existing setups using LUKS on the root partition with a unencrypted boot partition, with no LVM or any additional layers of volume abstraction.

Existing setup before applying the passwordless configuration #
base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck

mkinitcpio

cryptdevice=UUID=MY_PARTITION_UUID:cryptroot root=/dev/mapper/cryptroot

(empty)

$ lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1       259:0    0 400.4G  0 disk  
├─nvme0n1p1   259:4    0   200G  0 part  
│ └─cryptroot 254:0    0   200G  0 crypt /
└─nvme0n1p2   259:5    0   350M  0 part  /boot

LUKS header information
Version:       	2
Epoch:         	7
Metadata area: 	xxx [bytes]
Keyslots area: 	xxx [bytes]
UUID:          	MY_PARTITION_UUID
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: xxx [bytes]
	length: (whole device)
	cipher: xxx
	sector: xxx [bytes]

Keyslots:
  0: luks2
	Key:        xxx bits
	Priority:   xxx
	Cipher:     xxx
	Cipher key: xxx bits
	PBKDF:      argon2id
	Time cost:  x
	Memory:     xxx
	Threads:    x
	Salt:       xxx
	AF stripes: xxx
	AF hash:    sha256
	Area offset:xxx   [bytes]
	Area length:xxx   [bytes]
	Digest ID:  0

Tokens:

Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: xxx
	Salt:       xxx
	Digest:     xxx
Applying the passwordless configuration #

Before making any changes, make sure you have backed up your LUKS header and know how to restore it. Search for luks restore luksHeaderBackup keywords online for more info. Also, make sure you backup your existing /etc/mkinitcpio.conf and /etc/default/grub. If you mess something up, you can boot into a live arch linux usb and recover from there.

  1. Connect and unlock your trezor;
  2. Enroll your trezor into luks:
    1. systemd-cryptenroll --fido2-device=auto PARTITION.
  3. (optional) Make a recovery key:
    1. systemd-cryptenroll --recovery-key PARTITION.
  4. Change the necessary modules in /etc/mkinitcpio.conf:
    1. In HOOKS:
      1. Replace udev with systemd;
      2. Replace encrypt with sd-encrypt.
  5. Change /etc/default/grub with the necessary kernel options:
    1. Remove luks configuration from GRUB_CMDLINE_LINUX_DEFAULT and/or GRUB_CMDLINE_LINUX, things like:
      1. cryptdevice=UUID=PARTITION_UUID:cryptroot root=/dev/mapper/DEC_PARITION_NAME.
  6. Update /etc/crypttab.initramfs with the new config line (create the file if it doesn't exist):
    1. DEC_PARITION_NAME UUID=PARTITION_UUID none luks,discard,fido2-device=auto,keyfile-timeout=30
      1. Additional info about each column:
        1. DEC_PARITION_NAME: the rootname you had in /etc/default/grub;
        2. PARTITION_UUID: the uuid of the encrypted partition you had in /etc/default/grub;
        3. none: the password, we are going to use trezor in this case;
        4. list of options.
  7. Regenerate your grub config and mkinitcpio images:
    1. grub: grub-mkconfig -o GRUB_CFG_PATH;
    2. mkinitcpio: mkinitcpio -P.
  8. Reboot;
  9. Done!
Setup after applying the passwordless configuration #
base systemd autodetect keyboard keymap consolefont modconf block sd-encrypt filesystems fsck

(none)

DEC_PARITION_NAME       UUID=PARTITION_UUID       none luks,discard,fido2-device=auto,keyfile-timeout=30

(no difference)

NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1       259:0    0 400.4G  0 disk
├─nvme0n1p1   259:4    0   200G  0 part
│ └─cryptroot 254:0    0   200G  0 crypt /
└─nvme0n1p2   259:5    0   350M  0 part  /boot

(only showing the difference)

Tokens:
  0: systemd-fido2
	fido2-credential:
	            xxx
	fido2-salt: xxx
	fido2-rp:   io.systemd.cryptsetup
	fido2-clientPin-required:
	            false
	fido2-up-required:
	            true
	fido2-uv-required:
	            false
	Keyslot:    1
   1: systemd-recovery
	Keyslot:    2
Props #
  1. https://bbs.archlinux.org/viewtopic.php?id=265134
  2. https://www.guyrutenberg.com/2022/02/17/unlock-luks-volume-with-a-yubikey/
  3. https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

SSH keys for git #

Placeholder:

  1. Generate your new ssh key pair:
    1. ssh-keygen -t ecdsa-sk -O application=ssh:EMAIL;
    2. Type a password if you want;
    3. Choose the path to your key pair (henceforth referred as PATH_TO_PRIVATE for the path of the private key).
  2. Add your public key to your git host, the public key can be found alongside PATH_TO_PRIVATE, it should be the same file name with a .pub extension;
  3. Modify your existing local entry for your git host in ~/.ssh/config:
    1. Change or add IdentityFile PATH_TO_PRIVATE.
  4. Do a git command that requires authentication, like git fetch;
  5. Done!
Props #
  1. https://wiki.trezor.io/SSH

GPG for git #

Placeholder:

  1. Install trezor agent pip3 install trezor_agent;
  2. Initialize trezor gpg trezor-gpg init "Username <your@email.com>" -v:
    1. Type a passphrase if you want.
  3. List your newly created key:
  4. GNUPGHOME=~/.gnupg/trezor gpg2 --list-secret-keys --keyid-format=long:
  5. Copy the key ID from sec nistp256/GPG_KEY_ID 1970-01-01 [SC];
  6. Export it with GNUPGHOME=~/.gnupg/trezor gpg2 --armor --export GPG_KEY_ID
  7. Past that key into your git hoster.
  8. From now on, you'll have to tell git to use trezor gpg folder instead of the default one. This can be a bit messy because, as of the time of writing, you cannot mix trezor keys and other keys in the same folder as it will throw errors. Since we only want to use these keys in git for now, we can alias git to user trezor's gpg folder:
    1. Add the following to .bash_aliases:
      1. alias git='GNUPGHOME=~/.gnupg/trezor git'.
  9. Update git to use the new gpg key:
    1. git config --global user.signingkey GPG_KEY_ID.
  10. Refresh your terminal;
  11. Commit something;
  12. Done.
Using multiple GPG identities #

From what I could understand, each folder inside ~/.gnupg/* generated by trezor can only hold one identity, so if you want to use multiple identities, you'll have to use different paths:

  1. Initialize trezor gpg with a different home path trezor-gpg init "New Username <your@newemail.com>" --homedir ~/.gnupg/new-identity:
    1. Type a passphrase if you want.
  2. Follow the steps from the previous section to add the new key to your git hoster, keep in mind that you'll have to use the path to your new identity:
    1. GNUPGHOME=~/.gnupg/new-identity gpg2 --list-secret-keys --keyid-format=long;
  3. Follow the steps above to add the new identity key to git, overwriting the kye locally for each repo if needed:
    1. setting the key on the current repo only: git config user.signingkey GPG_KEY_ID.
Git in vscode #

Vscode ignores aliases and uses a direct path to the git binary, meaning that the alias we created before is not used. To go around this, we'll have to point vscode to our own git that uses trezor's gpg folder.

  1. Create an sh file anywhere on your system with the following contents: 
    1#!/bin/sh
2
3GNUPGHOME=~/.gnupg/trezor git "$@"
  2. Make it executable: chmod +x PATH_TO_FILE;
  3. Add the following to your global vscode settings.json file: 
    1"git.path": "PATH_TO_FILE",
  4. Restart vscode;
  5. Done!

You can optionally change the git alias we created before to point to the sh file we created above.

If you want to use multiple identities, you'll have to create a new sh file for each identity, pointing to the correct gpg home folder and change the vscode setting above every time you want to use a different identity.

The path to git cannot be changed in each project due to a vscode limitation #98517, a feature request was opened #163116.

Another option is to not use vscode to commit, but use the terminal (or any other application that respects aliases) instead.

Props #
  1. https://wiki.trezor.io/GPG

Addendum #

  1. Added a section on how to use multiple GPG identities;
  2. Fixed usage of multiple gpg identities in vscode;
  3. Added steps to use new gpg keys in git.