projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 1fe6d37e | 1 | # SPDX-License-Identifier: MIT-0 |
| f4d74c61 | 2 | |
| c2d54475 LP |
3 | # Destroy any old key on the Yubikey (careful!) |
| 4 | ykman piv reset | |
| 5 | ||
| cf1e172d LP |
6 | # Generate a new private/public key pair on the device, store the public key in |
| 7 | # 'pubkey.pem'. | |
| c2d54475 LP |
8 | ykman piv generate-key -a RSA2048 9d pubkey.pem |
| 9 | ||
| 2ccf0ff6 | 10 | # Create a self-signed certificate from this public key, and store it on the |
| cf1e172d LP |
11 | # device. The "subject" should be an arbitrary user-chosen string to identify |
| 12 | # the token with. | |
| c2d54475 LP |
13 | ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem |
| 14 | ||
| cf1e172d LP |
15 | # We don't need the public key anymore, let's remove it. Since it is not |
| 16 | # security sensitive we just do a regular "rm" here. | |
| c2d54475 LP |
17 | rm pubkey.pem |
| 18 | ||
| cf1e172d LP |
19 | # Enroll the freshly initialized security token in the LUKS2 volume. Replace |
| 20 | # /dev/sdXn by the partition to use (e.g. /dev/sda1). | |
| 21 | sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn | |
| 22 | ||
| 23 | # Test: Let's run systemd-cryptsetup to test if this all worked. | |
| 24 | sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto | |
| c2d54475 | 25 | |
| cf1e172d LP |
26 | # If that worked, let's now add the same line persistently to /etc/crypttab, |
| 27 | # for the future. | |
| 7a17e41d | 28 | sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >>/etc/crypttab' |