man/yubikey-crypttab.sh

   1 # Make sure noone can read the files we generate but us
   2 umask 077
   3
   4 # Destroy any old key on the Yubikey (careful!)
   5 ykman piv reset
   6
   7 # Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'.
   8 ykman piv generate-key -a RSA2048 9d pubkey.pem
   9
  10 # Create a self-signed certificate from this public key, and store it on the
  11 # device. The "subject" should be an arbitrary string to identify the token in
  12 # the p11tool output below.
  13 ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem
  14
  15 # Check if the newly create key on the Yubikey shows up as token in PKCS#11. Have a look at the output, and
  16 # copy the resulting token URI to the clipboard.
  17 p11tool --list-tokens
  18
  19 # Generate a (secret) random key to use as LUKS decryption key.
  20 dd if=/dev/urandom of=plaintext.bin bs=128 count=1
  21
  22 # Encode the secret key also as base64 text (with all whitespace removed)
  23 base64 < plaintext.bin | tr -d '\n\r\t ' > plaintext.base64
  24
  25 # Encrypt this newly generated (binary) LUKS decryption key using the public key whose private key is on the
  26 # Yubikey, store the result in /etc/encrypted-luks-key.bin, where we'll look for it during boot.
  27 sudo openssl rsautl -encrypt -pubin -inkey pubkey.pem -in plaintext.bin -out /etc/encrypted-luks-key.bin
  28
  29 # Configure the LUKS decryption key on the LUKS device. We use very low pbkdf settings since the key already
  30 # has quite a high quality (it comes directly from /dev/urandom after all), and thus we don't need to do much
  31 # key derivation. Replace /dev/sdXn by the partition to use (e.g. sda1)
  32 sudo cryptsetup luksAddKey /dev/sdXn plaintext.base64 --pbkdf=pbkdf2 --pbkdf-force-iterations=1000
  33
  34 # Now securely delete the plain text LUKS key, we don't need it anymore, and since it contains secret key
  35 # material it should be removed from disk thoroughly.
  36 shred -u plaintext.bin plaintext.base64
  37
  38 # We don't need the public key anymore either, let's remove it too. Since this one is not security
  39 # sensitive we just do a regular "rm" here.
  40 rm pubkey.pem
  41
  42 # Test: Let's run systemd-cryptsetup to test if this all worked. The option string should contain the full
  43 # PKCS#11 URI we have in the clipboard, it tells the tool how to decypher the encrypted LUKS key.
  44 sudo systemd-cryptsetup attach mytest /dev/sdXn /etc/encrypted-luks-key.bin 'pkcs11-uri=pkcs11:…'
  45
  46 # If that worked, let's now add the same line persistently to /etc/crypttab, for the future.
  47 sudo bash -c 'echo "mytest /dev/sdXn /etc/encrypted-luks-key \'pkcs11-uri=pkcs11:…\'" >> /etc/crypttab'