]> git.ipfire.org Git - thirdparty/systemd.git/commit - man/systemd-cryptenroll.xml
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 876206f) | patch
cryptsetup: Add support for EC keys in PKCS#11 tokens
authorVladimir Stoiakin <VStoiakin@lavabit.com>
Tue, 15 Aug 2023 17:51:54 +0000 (20:51 +0300)
committerVladimir Stoiakin <VStoiakin@lavabit.com>
Tue, 19 Dec 2023 10:14:16 +0000 (13:14 +0300)
commit3d05c05873c7992819b67e88a479e89562f10e45
tree87fd631915a8751ad4373dbb36e9cfeb021be9fatree | snapshot
parent876206f267aeaf692742e3c528967bc53da236decommit | diff
cryptsetup: Add support for EC keys in PKCS#11 tokens

Since EC keys doesn't support encryption directly, we use ECDH protocol.
We generate a pair of EC keys in the same EC group, then derive a shared secret using the generated private key and the public key in the token.
The derived shared secret is used as a volume key. The generated public key is stored in the LUKS2 JSON token header area. The generated private key is erased.
To unlock a volume, we derive the shared secret with the stored public key and a private key in the token.

Co-authored-by: MkfsSion <mkfssion@mkfssion.com>
man/crypttab.xml diff | blob | blame | history
man/systemd-cryptenroll.xml diff | blob | blame | history
src/shared/openssl-util.c diff | blob | blame | history
src/shared/pkcs11-util.c diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.