[thirdparty/systemd.git] / man / yubikey-crypttab.sh

# Make sure noone can read the files we generate but us
umask 077

# Destroy any old key on the Yubikey (careful!)
ykman piv reset

# Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'.
ykman piv generate-key -a RSA2048 9d pubkey.pem

# Create a self-signed certificate from this public key, and store it on the
# device. The "subject" should be an arbitrary string to identify the token in
# the p11tool output below.
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem

# Check if the newly create key on the Yubikey shows up as token in PKCS#11. Have a look at the output, and
# copy the resulting token URI to the clipboard.
p11tool --list-tokens

# Generate a (secret) random key to use as LUKS decryption key.
dd if=/dev/urandom of=plaintext.bin bs=128 count=1

# Encode the secret key also as base64 text (with all whitespace removed)
base64 < plaintext.bin | tr -d '\n\r\t ' > plaintext.base64

# Encrypt this newly generated (binary) LUKS decryption key using the public key whose private key is on the
# Yubikey, store the result in /etc/encrypted-luks-key.bin, where we'll look for it during boot.
sudo openssl rsautl -encrypt -pubin -inkey pubkey.pem -in plaintext.bin -out /etc/encrypted-luks-key.bin

# Configure the LUKS decryption key on the LUKS device. We use very low pbkdf settings since the key already
# has quite a high quality (it comes directly from /dev/urandom after all), and thus we don't need to do much
# key derivation. Replace /dev/sdXn by the partition to use (e.g. sda1)
sudo cryptsetup luksAddKey /dev/sdXn plaintext.base64 --pbkdf=pbkdf2 --pbkdf-force-iterations=1000

# Now securely delete the plain text LUKS key, we don't need it anymore, and since it contains secret key
# material it should be removed from disk thoroughly.
shred -u plaintext.bin plaintext.base64

# We don't need the public key anymore either, let's remove it too. Since this one is not security
# sensitive we just do a regular "rm" here.
rm pubkey.pem

# Test: Let's run systemd-cryptsetup to test if this all worked. The option string should contain the full
# PKCS#11 URI we have in the clipboard, it tells the tool how to decypher the encrypted LUKS key.
sudo systemd-cryptsetup attach mytest /dev/sdXn /etc/encrypted-luks-key.bin 'pkcs11-uri=pkcs11:…'

# If that worked, let's now add the same line persistently to /etc/crypttab, for the future.
sudo bash -c 'echo "mytest /dev/sdXn /etc/encrypted-luks-key \'pkcs11-uri=pkcs11:…\'" >> /etc/crypttab'
Commit	Line	Data
c2d54475 LP	1	# Make sure noone can read the files we generate but us
	2	umask 077
	3
	4	# Destroy any old key on the Yubikey (careful!)
	5	ykman piv reset
	6
	7	# Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'.
	8	ykman piv generate-key -a RSA2048 9d pubkey.pem
	9
2ccf0ff6 LP	10	# Create a self-signed certificate from this public key, and store it on the
	11	# device. The "subject" should be an arbitrary string to identify the token in
	12	# the p11tool output below.
c2d54475 LP	13	ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem
	14
	15	# Check if the newly create key on the Yubikey shows up as token in PKCS#11. Have a look at the output, and
	16	# copy the resulting token URI to the clipboard.
	17	p11tool --list-tokens
	18
	19	# Generate a (secret) random key to use as LUKS decryption key.
	20	dd if=/dev/urandom of=plaintext.bin bs=128 count=1
	21
	22	# Encode the secret key also as base64 text (with all whitespace removed)
2ccf0ff6	23	base64 < plaintext.bin \| tr -d '\n\r\t ' > plaintext.base64
c2d54475 LP	24
	25	# Encrypt this newly generated (binary) LUKS decryption key using the public key whose private key is on the
	26	# Yubikey, store the result in /etc/encrypted-luks-key.bin, where we'll look for it during boot.
2ccf0ff6	27	sudo openssl rsautl -encrypt -pubin -inkey pubkey.pem -in plaintext.bin -out /etc/encrypted-luks-key.bin
c2d54475 LP	28
	29	# Configure the LUKS decryption key on the LUKS device. We use very low pbkdf settings since the key already
	30	# has quite a high quality (it comes directly from /dev/urandom after all), and thus we don't need to do much
2ccf0ff6 LP	31	# key derivation. Replace /dev/sdXn by the partition to use (e.g. sda1)
2ccf0ff6 LP	32	sudo cryptsetup luksAddKey /dev/sdXn plaintext.base64 --pbkdf=pbkdf2 --pbkdf-force-iterations=1000
c2d54475 LP	33
	34	# Now securely delete the plain text LUKS key, we don't need it anymore, and since it contains secret key
	35	# material it should be removed from disk thoroughly.
	36	shred -u plaintext.bin plaintext.base64
	37
	38	# We don't need the public key anymore either, let's remove it too. Since this one is not security
	39	# sensitive we just do a regular "rm" here.
	40	rm pubkey.pem
	41
	42	# Test: Let's run systemd-cryptsetup to test if this all worked. The option string should contain the full
	43	# PKCS#11 URI we have in the clipboard, it tells the tool how to decypher the encrypted LUKS key.
2ccf0ff6	44	sudo systemd-cryptsetup attach mytest /dev/sdXn /etc/encrypted-luks-key.bin 'pkcs11-uri=pkcs11:…'
c2d54475 LP	45
c2d54475 LP	46	# If that worked, let's now add the same line persistently to /etc/crypttab, for the future.
2ccf0ff6	47	sudo bash -c 'echo "mytest /dev/sdXn /etc/encrypted-luks-key \'pkcs11-uri=pkcs11:…\'" >> /etc/crypttab'