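#!/usr/bin/env bash
# Enroll a Yubikey (PIV slot 9d) as the unlock token for a LUKS2 volume and
# record the mapping persistently in /etc/crypttab.
#
# Usage: yubikey-crypttab.sh [DEVICE] [NAME]
#   DEVICE - the LUKS2 partition to enroll. Defaults to the placeholder
#            /dev/sdXn; pass (or edit) the real partition, e.g. /dev/sda1.
#   NAME   - the mapped-device name used for the test attach and for the
#            /etc/crypttab entry (default: mytest).
#
# The ykman steps run as the invoking user; the steps that touch the block
# device and /etc/crypttab use sudo.
#
# Strict mode: the first step wipes the token, so every later step must
# only run if the previous one succeeded rather than continuing blindly.
set -euo pipefail

device=${1:-/dev/sdXn}
name=${2:-mytest}
pubkey=pubkey.pem

# Destroy any old key on the Yubikey (careful!)
ykman piv reset

# Generate a new private/public key pair on the device, store the public key in
# 'pubkey.pem'.
ykman piv generate-key -a RSA2048 9d "$pubkey"

# Create a self-signed certificate from this public key, and store it on the
# device. The "subject" should be an arbitrary user-chosen string to identify
# the token with.
ykman piv generate-certificate --subject "Knobelei" 9d "$pubkey"

# We don't need the public key anymore, let's remove it. Since it is not
# security sensitive we just do a regular "rm" here.
rm -- "$pubkey"

# Enroll the freshly initialized security token in the LUKS2 volume.
sudo systemd-cryptenroll --pkcs11-token-uri=auto "$device"

# Test: Let's run systemd-cryptsetup to test if this all worked.
sudo /usr/lib/systemd/systemd-cryptsetup attach "$name" "$device" - pkcs11-uri=auto

# If that worked, add the same line persistently to /etc/crypttab for the
# future. The append is skipped when an identical line is already present, so
# re-running the script does not duplicate the entry. 'tee -a' replaces the
# earlier 'sudo bash -c "echo ... >> ..."' form so no shell string is built.
entry="$name $device - pkcs11-uri=auto"
if ! sudo grep -qsFx -- "$entry" /etc/crypttab; then
  printf '%s\n' "$entry" | sudo tee -a /etc/crypttab >/dev/null
fi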