diff options
| author | Lennart Poettering <lennart@poettering.net> | 2019-11-04 19:36:47 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2019-12-09 19:25:25 +0100 |
| commit | c2d54475c4313bed04d1894491ab3c63463f3687 (patch) | |
| tree | 5b61b04c82b74ba7f290650f08c3cab5703bb8fd /man/yubikey-crypttab.sh | |
| parent | cryptsetup: add native pkcs#11 support to cryptsetup (diff) | |
| download | systemd-c2d54475c4313bed04d1894491ab3c63463f3687.tar.xz systemd-c2d54475c4313bed04d1894491ab3c63463f3687.zip | |
man: document pkcs#11 hookup in /etc/crypttab
Diffstat (limited to 'man/yubikey-crypttab.sh')
| -rw-r--r-- | man/yubikey-crypttab.sh | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/man/yubikey-crypttab.sh b/man/yubikey-crypttab.sh new file mode 100644 index 0000000000..b7e8ee686f --- /dev/null +++ b/man/yubikey-crypttab.sh @@ -0,0 +1,45 @@ +# Make sure noone can read the files we generate but us +umask 077 + +# Destroy any old key on the Yubikey (careful!) +ykman piv reset + +# Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'. +ykman piv generate-key -a RSA2048 9d pubkey.pem + +# Create a self-signed certificate from this public key, and store it on the device. +ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem + +# Check if the newly create key on the Yubikey shows up as token in PKCS#11. Have a look at the output, and +# copy the resulting token URI to the clipboard. +p11tool --list-tokens + +# Generate a (secret) random key to use as LUKS decryption key. +dd if=/dev/urandom of=plaintext.bin bs=128 count=1 + +# Encode the secret key also as base64 text (with all whitespace removed) +base64 < plaintext.bin | tr -d '\n\r\t ' > plaintext.base64 + +# Encrypt this newly generated (binary) LUKS decryption key using the public key whose private key is on the +# Yubikey, store the result in /etc/encrypted-luks-key.bin, where we'll look for it during boot. +openssl rsautl -encrypt -pubin -inkey pubkey.pem -in plaintext.bin -out /etc/encrypted-luks-key.bin + +# Configure the LUKS decryption key on the LUKS device. We use very low pbkdf settings since the key already +# has quite a high quality (it comes directly from /dev/urandom after all), and thus we don't need to do much +# key derivation. +cryptsetup luksAddKey /dev/sda1 plaintext.base64 --pbkdf=pbkdf2 --pbkdf-force-iterations=1000 + +# Now securely delete the plain text LUKS key, we don't need it anymore, and since it contains secret key +# material it should be removed from disk thoroughly. +shred -u plaintext.bin plaintext.base64 + +# We don't need the public key anymore either, let's remove it too. Since this one is not security +# sensitive we just do a regular "rm" here. +rm pubkey.pem + +# Test: Let's run systemd-cryptsetup to test if this all worked. The option string should contain the full +# PKCS#11 URI we have in the clipboard, it tells the tool how to decypher the encrypted LUKS key. +systemd-cryptsetup attach mytest /dev/sda1 /etc/encrypted-luks-key.bin 'pkcs11-uri=pkcs11:…' + +# If that worked, let's now add the same line persistently to /etc/crypttab, for the future. +echo "mytest /dev/sda1 /etc/encrypted-luks-key 'pkcs11-uri=pkcs11:…' >> /etc/crypttab |