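# Make sure no one can read the files we generate but us. Everything created below
# (pubkey.pem, plaintext.bin, plaintext.base64, the encrypted key file) ends up 0600.
# sudo ORs this with its own default umask, so the restrictive bits survive there too.
umask 077

# Destroy any old key on the Yubikey (careful!)
ykman piv reset

# Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'.
# The private half stays on the token; only the public key is written to disk.
ykman piv generate-key -a RSA2048 9d pubkey.pem

# Create a self-signed certificate from this public key, and store it on the
# device. The "subject" should be an arbitrary string to identify the token in
# the p11tool output below.
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem

# Check if the newly created key on the Yubikey shows up as token in PKCS#11. Have a look at the output, and
# copy the resulting token URI to the clipboard.
p11tool --list-tokens

# Generate a (secret) random key to use as LUKS decryption key. 128 bytes fits comfortably into a
# single RSA-2048 PKCS#1 v1.5 block, which is what the encryption step below produces.
dd if=/dev/urandom of=plaintext.bin bs=128 count=1

# Encode the secret key also as base64 text (with all whitespace removed)
base64 < plaintext.bin | tr -d '\n\r\t ' > plaintext.base64

# Encrypt this newly generated (binary) LUKS decryption key using the public key whose private key is on the
# Yubikey, store the result in /etc/cryptsetup-keys.d/mytest.key, where we'll look for it during boot.
# Both steps need root, /etc is not writable otherwise; with the umask above the key file is 0600 root:root.
sudo mkdir -p /etc/cryptsetup-keys.d
# 'openssl rsautl' is deprecated since OpenSSL 3.0. 'pkeyutl' applies the same PKCS#1 v1.5 padding by
# default, so the ciphertext is byte-for-byte what rsautl produced.
sudo openssl pkeyutl -encrypt -pubin -inkey pubkey.pem -in plaintext.bin -out /etc/cryptsetup-keys.d/mytest.key

# Configure the LUKS decryption key on the LUKS device. We use very low pbkdf settings since the key already
# has quite a high quality (it comes directly from /dev/urandom after all), and thus we don't need to do much
# key derivation. Replace /dev/sdXn by the partition to use (e.g. sda1)
sudo cryptsetup luksAddKey /dev/sdXn plaintext.base64 --pbkdf=pbkdf2 --pbkdf-force-iterations=1000

# Now securely delete the plain text LUKS key, we don't need it anymore, and since it contains secret key
# material it should be removed from disk thoroughly. Note that in-place overwriting is not reliable on
# journaling, copy-on-write or flash-backed storage (see shred(1)); generating the key on a tmpfs avoids this.
shred -u plaintext.bin plaintext.base64

# We don't need the public key anymore either, let's remove it too. Since this one is not security
# sensitive we just do a regular "rm" here.
rm pubkey.pem

# Test: Let's run systemd-cryptsetup to test if this all worked. The option string should contain the full
# PKCS#11 URI we have in the clipboard; it tells the tool how to decipher the encrypted LUKS key. Note that
# systemd-cryptsetup automatically searches for the encrypted key in /etc/cryptsetup-keys.d/, hence we do
# not need to specify the key file path explicitly here. The single quotes are for the shell only: PKCS#11
# URIs contain ';', which would otherwise end the command.
sudo systemd-cryptsetup attach mytest /dev/sdXn - 'pkcs11-uri=pkcs11:…'

# If that worked, let's now add the same line persistently to /etc/crypttab, for the future. crypttab fields
# are whitespace-separated and a URI contains no whitespace, so it needs no quotes in the file. Appending via
# tee avoids nesting quotes inside a 'bash -c' string, where \' does not escape a quote and the line would
# be written with a stray backslash and quote.
printf '%s\n' "mytest /dev/sdXn - pkcs11-uri=pkcs11:…" | sudo tee -a /etc/crypttab >/dev/null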