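#!/usr/bin/env bash
# Enroll a Yubikey (PIV slot 9d) as PKCS#11 unlock token for a LUKS volume.
#
# Outline: generate an RSA key pair on the token, generate a random LUKS key,
# encrypt that key to the token's public key and store the ciphertext in /etc,
# add the (base64-encoded) key as a LUKS key slot, then verify that
# systemd-cryptsetup can decrypt it through PKCS#11 and persist the mapping in
# /etc/crypttab. Replace /dev/sdXn by the LUKS partition to use (e.g. /dev/sda1)
# and "pkcs11:…" by the token URI printed by p11tool before running this.
#
# Abort on the first failing step: later steps shred the key material, and that
# must not happen if enrollment did not actually succeed.
set -euo pipefail

# Make sure noone can read the files we generate but us.
umask 077

# Work on a RAM-backed filesystem. shred(1) cannot reliably overwrite data on
# journaling/copy-on-write filesystems or on SSDs, so the plain text key should
# never touch persistent storage in the first place.
workdir=$(mktemp -d -p /dev/shm)
cd "$workdir"

# Destroy any old key on the Yubikey (careful! this wipes all PIV slots).
ykman piv reset

# Generate a new private/public key pair on the device in slot 9d (key
# management), store the public key in 'pubkey.pem'. The private key never
# leaves the token.
ykman piv generate-key -a RSA2048 9d pubkey.pem

# Create a self-signed certificate from this public key, and store it on the
# device. The "subject" should be an arbitrary string to identify the token in
# the p11tool output below.
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem

# Check if the newly created key on the Yubikey shows up as token in PKCS#11.
# Have a look at the output, and copy the resulting token URI to the clipboard.
p11tool --list-tokens

# Generate a (secret) random key to use as LUKS decryption key. 128 bytes fits
# comfortably into a single RSA-2048 PKCS#1 v1.5 block (max. 245 bytes), and
# head(1) guarantees the full length (dd may return a short read).
head -c 128 /dev/urandom > plaintext.bin

# Encode the secret key also as base64 text (with all whitespace removed). This
# text form is what gets enrolled as LUKS passphrase below.
base64 < plaintext.bin | tr -d '\n\r\t ' > plaintext.base64

# Encrypt this newly generated (binary) LUKS decryption key using the public key
# whose private key is on the Yubikey, store the result in
# /etc/encrypted-luks-key.bin, where we'll look for it during boot.
# 'openssl rsautl' is deprecated since OpenSSL 3.0; 'pkeyutl' is its replacement
# and uses the same PKCS#1 v1.5 padding by default. Keep that padding: it is
# presumably what the PKCS#11 decryption in systemd-cryptsetup expects, so do
# not switch to OAEP without checking the decrypting side.
sudo openssl pkeyutl -encrypt -pubin -inkey pubkey.pem -in plaintext.bin -out /etc/encrypted-luks-key.bin

# Configure the LUKS decryption key on the LUKS device (cryptsetup prompts for
# an existing passphrase of the volume). We use very low pbkdf settings since
# the key already has quite a high quality (it comes directly from /dev/urandom
# after all), and thus we don't need to do much key derivation.
sudo cryptsetup luksAddKey /dev/sdXn plaintext.base64 --pbkdf=pbkdf2 --pbkdf-force-iterations=1000

# Now securely delete the plain text LUKS key, we don't need it anymore, and
# since it contains secret key material it should be removed thoroughly (it
# only ever lived on tmpfs, so shred is belt-and-braces here).
shred -u plaintext.bin plaintext.base64

# We don't need the public key anymore either, let's remove it too. Since this
# one is not security sensitive we just do a regular "rm" here.
rm pubkey.pem
cd / && rmdir -- "$workdir"

# Test: Let's run systemd-cryptsetup to test if this all worked. The option
# string should contain the full PKCS#11 URI we have in the clipboard, it tells
# the tool how to decipher the encrypted LUKS key. (The single quotes are shell
# quoting only; the URI itself contains no whitespace.)
sudo systemd-cryptsetup attach mytest /dev/sdXn /etc/encrypted-luks-key.bin 'pkcs11-uri=pkcs11:…'
# Close the test mapping again before relying on crypttab.
sudo systemd-cryptsetup detach mytest

# If that worked, let's now add the same line persistently to /etc/crypttab, for
# the future. The key file path must be the one written above
# (/etc/encrypted-luks-key.bin). crypttab fields are whitespace separated and
# the PKCS#11 URI contains no whitespace, so the options field needs no quoting;
# printf | tee -a also avoids the nested shell quoting of "sudo bash -c".
printf '%s\n' 'mytest /dev/sdXn /etc/encrypted-luks-key.bin pkcs11-uri=pkcs11:…' | sudo tee -a /etc/crypttab > /dev/null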