Unified Kernel Image

https://wiki.archlinux.org/title/Unified_kernel_image

Create or edit /etc/kernel/cmdline as follows. I have changed the default crypt volume mapping names. Ensure it has no rd.luks.* or luks.* parameters.

lang=en_US keytable=es tz=Europe/Madrid misobasedir=manjaro misolabel=MANJARO_SWAY_2204 quiet loglevel=3 systemd.show_status=auto rd.udev.log_level=3 bgrt_disable systemd.show_status=1 driver=nonfree nouveau.modeset=0 i915.modeset=1 radeon.modeset=1 root=/dev/mapper/root resume=/dev/mapper/swap

Now, to avoid decrypting the volumes twice, keep the decryption key stored in /crypto_keyfile.bin and set /etc/crypttab as follows.

# <name>               <device>                         <password> <options>
root UUID=<UUID>	/crypto_keyfile.bin	luks
swap UUID=<UUID>	/crypto_keyfile.bin	luks

And create /etc/crypttab.initramfs with the following content.

# <name>    <device>    <password>  <options>
root	UUID=<UUID>	-	fido2-device=auto
swap	UUID=<UUID>	-	fido2-device=auto

This will prompt at boot to tap the YubiKey twice: once for root and once for swap. To avoid the second tap, swap could perhaps use the TPM device instead.
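An added consistency check, not part of the wiki page or the notes above, written as a POSIX shell script over constructed sample inputs (the UUIDs are placeholders): it rejects any rd.luks.* or luks.* parameter on the cmdline and confirms that the mapper names behind root= and resume= are exactly the ones /etc/crypttab.initramfs unlocks.

```shell
#!/bin/sh
# Constructed sample inputs standing in for /etc/kernel/cmdline and
# /etc/crypttab.initramfs so the check runs offline.
CMDLINE='quiet loglevel=3 root=/dev/mapper/root resume=/dev/mapper/swap'
CRYPTTAB_INITRAMFS='# <name> <device> <password> <options>
root	UUID=PLACEHOLDER-UUID-ROOT	-	fido2-device=auto
swap	UUID=PLACEHOLDER-UUID-SWAP	-	fido2-device=auto'

# check_cmdline: fail if any rd.luks.* or luks.* parameter is present,
# since those would make the initramfs unlock the volumes a second way.
check_cmdline() {
    for p in $1; do
        case "$p" in
            rd.luks.*|luks.*) echo "forbidden parameter: $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# cmdline_mapper: print the mapper name behind key=/dev/mapper/<name>
# (key is root or resume); fail if the key does not point at a mapper.
cmdline_mapper() {
    for p in $2; do
        case "$p" in
            "$1"=/dev/mapper/*) echo "${p#*=/dev/mapper/}"; return 0 ;;
        esac
    done
    return 1
}

# crypttab_has: succeed if the crypttab text defines the named mapping.
crypttab_has() {
    printf '%s\n' "$2" | awk -v n="$1" '!/^#/ && $1 == n { found = 1 } END { exit !found }'
}

# check_consistency: cmdline is clean and every mapper it names is
# unlocked by crypttab.initramfs (the custom names from the notes above).
check_consistency() {
    cmdline=$1; crypttab=$2
    check_cmdline "$cmdline" || return 1
    for key in root resume; do
        name=$(cmdline_mapper "$key" "$cmdline") || { echo "$key= is not a /dev/mapper device" >&2; return 1; }
        crypttab_has "$name" "$crypttab" || { echo "$name missing from crypttab.initramfs" >&2; return 1; }
    done
    return 0
}

check_consistency "$CMDLINE" "$CRYPTTAB_INITRAMFS" && echo "cmdline and crypttab.initramfs agree"
```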

Info

This process should be automated with kernel-install, but that is still TBD.

https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/

# cat /efi/loader/entries/linux.conf
title      Main Linux
efi      /d69576c40a5a4ffba3a27a4666411e3b/Linux/linux.efi