1 # Make sure no one can read the files we generate but us
4 # Destroy any old key on the Yubikey (careful!)
7 # Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'.
8 ykman piv generate-key
-a RSA2048
9d pubkey.pem
10 # Create a self-signed certificate from this public key, and store it on the
11 # device. The "subject" should be an arbitrary string to identify the token in
12 # the p11tool output below.
13 ykman piv generate-certificate
--subject "Knobelei" 9d pubkey.pem
15 # Check if the newly create key on the Yubikey shows up as token in PKCS#11. Have a look at the output, and
16 # copy the resulting token URI to the clipboard.
19 # Generate a (secret) random key to use as LUKS decryption key.
20 dd if=/dev
/urandom of
=plaintext.bin bs
=128 count
=1
22 # Encode the secret key also as base64 text (with all whitespace removed)
23 base64
< plaintext.bin |
tr -d '\n\r\t ' > plaintext.base64
25 # Encrypt this newly generated (binary) LUKS decryption key using the public key whose private key is on the
26 # Yubikey, store the result in /etc/cryptsetup-keys.d/mytest.key, where we'll look for it during boot.
27 mkdir
-p /etc
/cryptsetup-keys.d
28 sudo openssl rsautl
-encrypt -pubin -inkey pubkey.pem
-in plaintext.bin
-out /etc
/cryptsetup-keys.d
/mytest.key
30 # Configure the LUKS decryption key on the LUKS device. We use very low pbkdf settings since the key already
31 # has quite a high quality (it comes directly from /dev/urandom after all), and thus we don't need to do much
32 # key derivation. Replace /dev/sdXn by the partition to use (e.g. sda1)
33 sudo cryptsetup luksAddKey
/dev
/sdXn plaintext.base64
--pbkdf=pbkdf2
--pbkdf-force-iterations=1000
35 # Now securely delete the plain text LUKS key, we don't need it anymore, and since it contains secret key
36 # material it should be removed from disk thoroughly.
37 shred -u plaintext.bin plaintext.base64
39 # We don't need the public key anymore either, let's remove it too. Since this one is not security
40 # sensitive we just do a regular "rm" here.
43 # Test: Let's run systemd-cryptsetup to test if this all worked. The option string should contain the full
44 # PKCS#11 URI we have in the clipboard; it tells the tool how to decipher the encrypted LUKS key. Note that
45 # systemd-cryptsetup automatically searches for the encrypted key in /etc/cryptsetup-keys.d/, hence we do
46 # not need to specify the key file path explicitly here.
47 sudo systemd-cryptsetup attach mytest
/dev
/sdXn
- 'pkcs11-uri=pkcs11:…'
49 # If that worked, let's now add the same line persistently to /etc/crypttab, for the future.
50 sudo bash
-c 'echo "mytest /dev/sdXn - \'pkcs11-uri=pkcs11:…\'" >> /etc/crypttab'