[Customer] Wants to disable 2FA LUKS unlocking
E-mail from customer:
I set up the Two-Factor Disk Unlocking.
This works very well, when the smartcard and the USB-stick with the public key is inserted and I choose the default boot.
However, if no smart card is present than I am kind of locked (eventually I do sth wrong).
Here my observations:
$sudo reboot
#Machine is rebooting
#Message: No smartcard inserted
#Ok
#Message: Your Librem Key was not detected Please insert your Librem Key
Press OK
#Core Boot Menu #Options
#Boot Options
#Ignore tapering and force a boot (Unsafe!)
#Warning: You have chosen to skip all tamper checks and boot anyway. #This is an unsafe option!
#Do you want to proceed?
Press Yes
#Choose the boot option [1-7, a to abort]: Choose 1
#Red screen starting #[...] #Please insert OpenPGP SmartCard...
Oberservation: Cannot enter regular password. Only option is to insert smart card.
#I insert the smartcard. Then: Please unlock the card
Number: xxxx xxxxxxxx Holder:
PIN
OK CANCEL
Observation: I do can enter the PIN but selecting OK nor CANCEL buttons and press Enter-Key does nothing nor do I see anything else I can do. Only Option is to reboot and go ahead with default boot and smart card and usb vault inserted. However, now I feel the risk of being locked out.
When I boot regularly and check in terminal:
$sudo cryptsetup luksDump /dev/nvme0n1p2 | grep "Key Slot"
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 3: ENABLED
/dev/nvme0n1p2 is the luks encryption of the boot device. Not sure if of any help.
---- My most important question is: How do I switch off the Two-Factor Disk Unlocking again? ----
What is wrong and how can I fix this is only second. I will also look into "https://forums.puri.sm/".
Any indication or web link will already be helpful.
I referred him to #community-heads:talk.puri.sm but thought if its something simple that I missed I can pass that along.