]>
Commit | Line | Data |
---|---|---|
1fe6d37e | 1 | # SPDX-License-Identifier: MIT-0 |
f4d74c61 | 2 | |
c2d54475 LP |
3 | # Destroy any old key on the Yubikey (careful!) |
4 | ykman piv reset | |
5 | ||
cf1e172d LP |
6 | # Generate a new private/public key pair on the device, store the public key in |
7 | # 'pubkey.pem'. | |
c2d54475 LP |
8 | ykman piv generate-key -a RSA2048 9d pubkey.pem |
9 | ||
2ccf0ff6 | 10 | # Create a self-signed certificate from this public key, and store it on the |
cf1e172d LP |
11 | # device. The "subject" should be an arbitrary user-chosen string to identify |
12 | # the token with. | |
c2d54475 LP |
13 | ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem |
14 | ||
cf1e172d LP |
15 | # We don't need the public key anymore, let's remove it. Since it is not |
16 | # security sensitive we just do a regular "rm" here. | |
c2d54475 LP |
17 | rm pubkey.pem |
18 | ||
cf1e172d LP |
19 | # Enroll the freshly initialized security token in the LUKS2 volume. Replace |
20 | # /dev/sdXn by the partition to use (e.g. /dev/sda1). | |
21 | sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn | |
22 | ||
23 | # Test: Let's run systemd-cryptsetup to test if this all worked. | |
24 | sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto | |
c2d54475 | 25 | |
cf1e172d LP |
26 | # If that worked, let's now add the same line persistently to /etc/crypttab, |
27 | # for the future. | |
7a17e41d | 28 | sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >>/etc/crypttab' |