Some years ago, I had a client with a really fucked up set of requirements:

• Must run Gentoo Linux. (No, I don’t know why. But it was written into the project specs and everybody who had to sign off did.)
• Must use LUKS for FDE.
• Login (loosely interpreted as “booting up”) must have MFA.

This was during the days when booting into a LUKS encrypted Gentoo install involved copy-and-pasting a shell script out of the Gentoo wiki and adding it to the initrd. I want to say late 2006 or early 2007.

I remember creating a /boot partition, a tiny little LUKS partition (512 megs, at most) after it, and the rest of the drive was the LUKS encrypted root partition. The encrypted root partition had a randomly generated keyfile as its unlocker; it was symmetrically encrypted using gnupg and a passphrase before being stored in the tiny partition. The tiny partition had a passphrase to unlock it. gnupg was in the initrd. I think the workflow went something like this:

• System boots up.
• Script in the initrd prompted the user for the passphrase for the tiny LUKS partition. (first authentication step)
• User entered passphrase.
• Script in the initrd unlocked the tiny partition and prompted the user for the passphrase to decrypt the root partition’s keyfile stored therein.
• User entered the symmetric passphrase for keyfile. (second authentication step_
• Script used the passphrase to decrypt the keyfile to stdout, piped into an evocation of cryptsetup to unlock the root partition.
• /dev/mapper/root mounted, /boot mounted, boot process continued.
• User logged into the box.

I don’t miss those days.