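# Destroy any old key on the Yubikey (careful!). This wipes every PIV key and
# certificate on the token and puts its PIN, PUK and management key back to the
# factory defaults -- change those (ykman piv access ...) before the token
# guards anything real, otherwise the unlock secret is the well-known default PIN.
ykman piv reset

# Generate a new private/public key pair on the device, store the public key in
# 'pubkey.pem'. The private key never leaves the token; only the public half is
# written out. Slot 9d is the PIV "Key Management" slot. (generate-key also
# accepts --pin-policy/--touch-policy; the token's defaults apply if omitted.)
ykman piv generate-key -a RSA2048 9d pubkey.pem

# Create a self-signed certificate from this public key, and store it on the
# device. The "subject" should be an arbitrary user-chosen string to identify
# the token with.
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem

# We don't need the public key anymore, let's remove it. Since it is not
# security sensitive we just do a regular "rm" here.
rm -- pubkey.pem

# Enroll the freshly initialized security token in the LUKS2 volume. Replace
# /dev/sdXn by the partition to use (e.g. /dev/sda1). "auto" only resolves when
# exactly one PKCS#11 token is plugged in. The existing passphrase keyslot is
# asked for to authorize the enrollment and stays in place afterwards -- keep it
# (or a recovery key), so a lost or reset token is never the only way in.
sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn

# Test: Let's run systemd-cryptsetup to test if this all worked.
sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto

# If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future. Prefer naming the device by UUID=... rather than /dev/sdXn so
# the entry survives device renumbering.
sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >> /etc/crypttab'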