[feat] Add multi keys support
This commit is contained in:
parent
c34c59ca82
commit
3227284322
6 changed files with 129 additions and 41 deletions
34
README.md
|
@ -1,11 +1,13 @@
|
||||||
# initrd_luks_pkcs
|
# initrd_luks_pkcs
|
||||||
|
|
||||||
### Acknowledgment
|
## Acknowledgment
|
||||||
It has been tested on a debian laptop and a mobian pinephone.
|
It has been tested on a debian laptop and a mobian pinephone.
|
||||||
The smartcard generation come from inspired by https://github.com/swoopla/smartcard-luks .
|
The smartcard generation come from inspired by https://github.com/swoopla/smartcard-luks .
|
||||||
The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/DebianOnMobile-team/osk-sdl.
|
The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/DebianOnMobile-team/osk-sdl.
|
||||||
|
|
||||||
### The general steps:
|
## Single key setup
|
||||||
|
|
||||||
|
### General steps:
|
||||||
* Erase and initialize card
|
* Erase and initialize card
|
||||||
* Create public/private key pair on smartcard
|
* Create public/private key pair on smartcard
|
||||||
* Create key file and add it to a LUKS key slot
|
* Create key file and add it to a LUKS key slot
|
||||||
|
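Review bot: the acknowledgment lines kept as context in this hunk still read "The smartcard generation come from inspired by ..."; since the heading directly above them is being touched anyway, fix the sentence to "The smartcard generation is inspired by ..." in the same change. The heading restructuring itself (`### Acknowledgment` to `##`, `### The general steps:` to `## Single key setup` with a `### General steps:` sub-heading) is consistent with the new `## Multi keys setup` section added later in this file.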
@ -13,7 +15,7 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian
|
||||||
* Modify initramfs to use smartcard to decrypt the encrypted keyfile
|
* Modify initramfs to use smartcard to decrypt the encrypted keyfile
|
||||||
* Modify decrypt_opensc script to swicth between smartcard and luks password and add osk-sdl support for touchscreen device
|
* Modify decrypt_opensc script to swicth between smartcard and luks password and add osk-sdl support for touchscreen device
|
||||||
|
|
||||||
### The details:
|
### details:
|
||||||
1. Install smartcard middleware
|
1. Install smartcard middleware
|
||||||
|
|
||||||
```sudo apt-get install pcscd opensc```
|
```sudo apt-get install pcscd opensc```
|
||||||
|
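Review bot: `swicth` in the unchanged bullet is a typo for `switch`, and the new `### details:` heading is lowercase while its sibling in the same file is `### General steps:`; make it `### Details:` for consistency.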
@ -62,14 +64,34 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian
|
||||||
|
|
||||||
9. Install the cryptsetup script and the initramfs-tool hook
|
9. Install the cryptsetup script and the initramfs-tool hook
|
||||||
|
|
||||||
```sudo cp decrypt_pkcs /lib/cryptsetup/script/ ```
|
```sudo cp lib/cryptsetup/scripts/decrypt_pkcs /lib/cryptsetup/script/ ```
|
||||||
|
|
||||||
```sudo cp decrypt_pkcs_hook /etc/initramfs-tools/hooks && chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs_hook ```
|
```sudo cp etc/initramfs-tools/hooks/decrypt_pkcs /etc/initramfs-tools/hooks && sudo chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs ```
|
||||||
|
|
||||||
```sudo cp decrypt_pkcs_default /etc/default/decrypt_pkcs ```
|
```sudo cp etc/default/decrypt_pkcs /etc/default/ ```
|
||||||
|
|
||||||
```sudo update-initramfs -u```
|
```sudo update-initramfs -u```
|
||||||
|
|
||||||
10. Test smartcard (without USB Key)
|
10. Test smartcard (without USB Key)
|
||||||
|
|
||||||
11. Test LUKS Password (without Smartcard)
|
11. Test LUKS Password (without Smartcard)
|
||||||
|
|
||||||
|
## Multi keys setup
|
||||||
|
|
||||||
|
The setup is quite the same except that you need to put all the key files in the expected format.
|
||||||
|
With the provided exemple config and script all keys must be stored in the `/etc/keys` folder with the following filename : `internal-${ENCODED_SERIAL}.enc` with `${ENCODED_SERIAL} the result of the following commands :
|
||||||
|
|
||||||
|
```
|
||||||
|
pkcs15-tool -c 2>/dev/null | awk '{ if ($1$2=="Encodedserial") {print $NF}}'
|
||||||
|
```
|
||||||
|
|
||||||
|
You need to modify the `/etc/default/decrypt_pkcs` and set `DECIPHER_MULTI` to `1`
|
||||||
|
|
||||||
|
and copy the script in charge of selecting the right key file form initramfs :
|
||||||
|
|
||||||
|
```sudo mkdir -p /usr/share/decrypt_pkcs && sudo cp usr/share/decrypt_pkcs/pkcs15_get-key.sh /usr/share/decrypt_pkcs/ && sudo chmod +x /usr/share/decrypt_pkcs/pkcs15_get-key.sh ```
|
||||||
|
|
||||||
|
Every time a new key is added, the initrd mus be regenerated :
|
||||||
|
|
||||||
|
```sudo update-initramfs -u```
|
||||||
|
|
||||||
|
|
|
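Review bot: step 9 now copies `lib/cryptsetup/scripts/decrypt_pkcs` to `/lib/cryptsetup/script/` (no trailing s); Debian's cryptsetup looks for keyscripts under `/lib/cryptsetup/scripts/`, so the destination should match the new source path. In the multi-key text, the backtick after `${ENCODED_SERIAL}` is never closed, and "exemple", "form initramfs" and "mus be" should read "example", "from the initramfs" and "must be". The awk expression quoted in the README (`$1$2=="Encodedserial"`) also differs from the one the shipped `pkcs15_get-key.sh` uses (`$1=="Encoded" && $2=="serial"`); quote the script's own pipeline so users derive exactly the serial the selector will match. Finally, the section should say what to put in the key field of crypttab in multi mode, because that file is still copied by the hook ("#copy default key") but is no longer what gets deciphered once `DECIPHER_MULTI` is `1`.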
@ -1,27 +0,0 @@
|
||||||
# Decrypt_PKCS initramfs configuration
|
|
||||||
|
|
||||||
# Smartcard presence test
|
|
||||||
SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
|
|
||||||
SMARTCARD_PRESENCE_ARGS='-n'
|
|
||||||
|
|
||||||
# PKCS decipher command default to pkcs15-crypt
|
|
||||||
#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
|
|
||||||
DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
|
|
||||||
|
|
||||||
# PKCS decipher extra library (usefull with pkcs11 or custom command)
|
|
||||||
# The initramfs hook will search in the multiarch default library path
|
|
||||||
# eg where the libc is stored and its subfolders.
|
|
||||||
# Wildcard is allowed by using the find command
|
|
||||||
DECIPHER_EXTRA_LIBS=
|
|
||||||
|
|
||||||
# Define command parameters
|
|
||||||
# DECIPHER_ARGS is followed by the data to decipher
|
|
||||||
# DECIPHER_EXTRA_ARGS allow customization
|
|
||||||
# DECIPHER_ASKPIN is followed by the PIN input from user
|
|
||||||
# Default value for pkcs15-crypt
|
|
||||||
#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
|
|
||||||
#DECIPHER_EXTRA_ARGS=
|
|
||||||
#DECIPHER_ASK_PIN='--pin'
|
|
||||||
DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
|
|
||||||
DECIPHER_EXTRA_ARGS=
|
|
||||||
DECIPHER_ASK_PIN='--pin'
|
|
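Review bot: this deletion drops the `DECIPHER_EXTRA_ARGS=` line from the shipped defaults and the replacement `etc/default/decrypt_pkcs` in this commit does not carry it either, while the keyscript still passes `$DECIPHER_EXTRA_ARGS` in single-key mode and the old file documented it ("# DECIPHER_EXTRA_ARGS allow customization"); keep the line (commented) in the new file so the knob stays discoverable. The deleted file's name is not shown on this page; the README change in the same commit (`decrypt_pkcs_default` replaced by `etc/default/decrypt_pkcs`) suggests it is the old top-level `decrypt_pkcs_default`, which is worth stating in the commit message as a rename.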
46
etc/default/decrypt_pkcs
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
# Decrypt_PKCS initramfs configuration
|
||||||
|
|
||||||
|
# Smartcard presence test
|
||||||
|
#SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
|
||||||
|
#SMARTCARD_PRESENCE_ARGS='-n'
|
||||||
|
SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
|
||||||
|
SMARTCARD_PRESENCE_ARGS='-n'
|
||||||
|
|
||||||
|
# PKCS decipher command default to pkcs15-crypt
|
||||||
|
#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
|
||||||
|
DECIPHER_COMMAND=
|
||||||
|
|
||||||
|
# PKCS decipher extra library (usefull with pkcs11 or custom command)
|
||||||
|
# The initramfs hook will search in the multiarch default library path
|
||||||
|
# eg where the libc is stored and its subfolders.
|
||||||
|
# Wildcard is allowed by using the find command
|
||||||
|
DECIPHER_EXTRA_LIBS=
|
||||||
|
|
||||||
|
# Define command parameters
|
||||||
|
# DECIPHER_ARGS is followed by the data to decipher
|
||||||
|
# DECIPHER_EXTRA_ARGS allow customization
|
||||||
|
# DECIPHER_ASKPIN is followed by the PIN input from user
|
||||||
|
# Default value for pkcs15-crypt
|
||||||
|
#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
|
||||||
|
#DECIPHER_ASK_PIN='--pin'
|
||||||
|
DECIPHER_ARGS=
|
||||||
|
DECIPHER_ASK_PIN=
|
||||||
|
|
||||||
|
# Support multiple key files
|
||||||
|
# Default behaviour use the key file provided by crypttab
|
||||||
|
#DECIPHER_MULTI=0
|
||||||
|
#DECIPHER_MULTI_FOLDER=
|
||||||
|
#DECIPHER_MULTI_PATTERN=
|
||||||
|
#DECIPHER_MULTI_SCRIPT=
|
||||||
|
#DECIPHER_MULTI_SCRIPT_DEPENDS=
|
||||||
|
DECIPHER_MULTI=0
|
||||||
|
# The keys are in /etc/keys/internal-"$EncodedSerial".enc
|
||||||
|
# The key file extension .enc is hardcoded
|
||||||
|
DECIPHER_MULTI_FOLDER="/etc/keys"
|
||||||
|
DECIPHER_MULTI_PATTERN="internal-"
|
||||||
|
# This script should return the approriate encrypted file for the current token
|
||||||
|
# It can export the $DECIPHER_EXTRA_ARGS to pass arguments to the decipher command
|
||||||
|
# such as slot specification, id filter ...
|
||||||
|
DECIPHER_MULTI_SCRIPT="/usr/share/decrypt_pkcs/pkcs15_get-key.sh"
|
||||||
|
# Script dependancies included in the initramfs
|
||||||
|
DECIPHER_MULTI_SCRIPT_DEPENDS="/usr/bin/pkcs15-tool"
|
|
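Review bot: the comment "# It can export the $DECIPHER_EXTRA_ARGS to pass arguments to the decipher command" describes a mechanism that cannot work: the keyscript runs the selector inside a command substitution, so anything it exports dies with that subshell, and what is actually consumed is the second and following words of its stdout. Reword to "It must print the key file path followed by any extra decipher arguments (for example `-k <id>`) on a single line". Also "# DECIPHER_ASKPIN is followed by" should name the real variable `DECIPHER_ASK_PIN`, and "approriate" and "dependancies" are typos. Since `DECIPHER_COMMAND=`, `DECIPHER_ARGS=` and `DECIPHER_ASK_PIN=` are now shipped empty, the hook and keyscript must keep using `${VAR:-default}` (which they do) and not `${VAR-default}`, otherwise the empty value would be passed through.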
@ -30,6 +30,8 @@ fi
|
||||||
DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
|
DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
|
||||||
SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool}
|
SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool}
|
||||||
|
|
||||||
|
DECIPHER_MULTI=${DECIPHER_MULTI:-0}
|
||||||
|
|
||||||
# Hooks for loading smartcard reading software into the initramfs
|
# Hooks for loading smartcard reading software into the initramfs
|
||||||
copy_keys() {
|
copy_keys() {
|
||||||
crypttab_parse_options
|
crypttab_parse_options
|
||||||
|
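Review bot: `DECIPHER_MULTI` gets a fallback here but `DECIPHER_MULTI_FOLDER`, `DECIPHER_MULTI_PATTERN` and `DECIPHER_MULTI_SCRIPT` do not; with `DECIPHER_MULTI=1` and the folder left unset, the later `mkdir -p "$DESTDIR/${DECIPHER_MULTI_FOLDER}"` and `cp -t ... "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}"*` in this file would operate on `/` and glob `/*` into the initramfs. Add `DECIPHER_MULTI_FOLDER=${DECIPHER_MULTI_FOLDER:-/etc/keys}` and the matching defaults for the pattern and script next to this line, or abort with a message when multi mode is on and any of them is empty.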
@ -46,9 +48,11 @@ copy_keys() {
|
||||||
RV=0
|
RV=0
|
||||||
#copy default key
|
#copy default key
|
||||||
crypttab_foreach_entry copy_keys
|
crypttab_foreach_entry copy_keys
|
||||||
#copy all users keys
|
if [ $DECIPHER_MULTI = 1 ] ; then
|
||||||
#mkdir -p "$DESTDIR/etc/keys"
|
#copy all keys
|
||||||
#cp /etc/keys/pass*.enc "$DESTDIR/etc/keys/"
|
mkdir -p "$DESTDIR/${DECIPHER_MULTI_FOLDER}"
|
||||||
|
cp -t "$DESTDIR/${DECIPHER_MULTI_FOLDER}" "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}"*
|
||||||
|
fi
|
||||||
|
|
||||||
# Install directories needed by smartcard reading daemon, command, and
|
# Install directories needed by smartcard reading daemon, command, and
|
||||||
# key-script
|
# key-script
|
||||||
|
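Review bot: the `cp -t "$DESTDIR/${DECIPHER_MULTI_FOLDER}" "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}"*` line copies every file matching the prefix, not only the `.enc` files the config says are hard-coded, and when nothing matches the unexpanded glob makes `cp` fail without touching `RV`, so `update-initramfs` reports success while the initramfs contains no keys. Use `"${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}"*.enc`, check that at least one such file exists, and set `RV=1` with a message otherwise. The commented-out `#mkdir -p "$DESTDIR/etc/keys"` and `#cp /etc/keys/pass*.enc` lines should be removed rather than carried along as dead code.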
@ -72,4 +76,15 @@ copy_exec $DECIPHER_COMMAND
|
||||||
cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf
|
cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf
|
||||||
cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs
|
cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs
|
||||||
|
|
||||||
|
# If Multi
|
||||||
|
if [ $DECIPHER_MULTI = 1 ] ; then
|
||||||
|
mkdir -p $DESTDIR/$(dirname "${DECIPHER_MULTI_SCRIPT}")
|
||||||
|
cp -t $DESTDIR/$(dirname "${DECIPHER_MULTI_SCRIPT}") "${DECIPHER_MULTI_SCRIPT}"
|
||||||
|
chmod +x $DESTDIR/"${DECIPHER_MULTI_SCRIPT}"
|
||||||
|
for bin in $DECIPHER_MULTI_SCRIPT_DEPENDS ; do
|
||||||
|
copy_exec $bin
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
exit $RV
|
exit $RV
|
|
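Review bot: `$DESTDIR/$(dirname "${DECIPHER_MULTI_SCRIPT}")` is unquoted in both the `mkdir` and `cp` lines and `$DESTDIR/"${DECIPHER_MULTI_SCRIPT}"` is only half quoted; quote the whole expansions. More importantly, the selector script is an awk pipeline, yet `DECIPHER_MULTI_SCRIPT_DEPENDS` lists only `/usr/bin/pkcs15-tool`; this works only when the initramfs ships busybox's awk, so either add awk to the DEPENDS list (`copy_exec` will pull it in) or document the busybox requirement next to the setting.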
@ -16,6 +16,7 @@ SMARTCARD_PRESENCE_ARGS=${SMARTCARD_PRESENCE_ARGS:-'-n'}
|
||||||
DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
|
DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
|
||||||
DECIPHER_ARGS=${DECIPHER_ARGS:-'--decipher --pkcs1 --raw --input'}
|
DECIPHER_ARGS=${DECIPHER_ARGS:-'--decipher --pkcs1 --raw --input'}
|
||||||
DECIPHER_ASK_PIN=${DECIPHER_ASK_PIN:-'--pin'}
|
DECIPHER_ASK_PIN=${DECIPHER_ASK_PIN:-'--pin'}
|
||||||
|
DECIPHER_MULTI=${DECIPHER_MULTI:-0}
|
||||||
|
|
||||||
check_plymouth() {
|
check_plymouth() {
|
||||||
plymouth=0
|
plymouth=0
|
||||||
|
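Review bot: as in the hook, `DECIPHER_MULTI` gets a default here but `DECIPHER_MULTI_SCRIPT` does not, and `check_key` further down runs `$($DECIPHER_MULTI_SCRIPT)` unconditionally when multi mode is on, so an empty value silently yields an empty `KEY`. Default it alongside this line (`DECIPHER_MULTI_SCRIPT=${DECIPHER_MULTI_SCRIPT:-/usr/share/decrypt_pkcs/pkcs15_get-key.sh}`) or refuse to continue when it is unset.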
@ -40,6 +41,16 @@ check_card() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_key() {
|
||||||
|
if [ $DECIPHER_MULTI = 1 ] ; then
|
||||||
|
temp=$($DECIPHER_MULTI_SCRIPT)
|
||||||
|
KEY=$(echo $temp | awk '{print $1}')
|
||||||
|
DECIPHER_EXTRA_ARGS=$(echo $temp | awk '{$1=""; print}')
|
||||||
|
else
|
||||||
|
KEY=$1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
log_message() {
|
log_message() {
|
||||||
if [ $plymouth = 1 ] ; then
|
if [ $plymouth = 1 ] ; then
|
||||||
plymouth display-message --text="$@" 2>/dev/null
|
plymouth display-message --text="$@" 2>/dev/null
|
||||||
|
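Review bot: `check_key` ignores the selector's exit status, so when `pkcs15_get-key.sh` finds no key file for the inserted card (its `exit 1` path) `KEY` ends up empty and the decipher command is still run with an empty input path instead of falling through to the LUKS password path the README promises. The function also overwrites whatever `DECIPHER_EXTRA_ARGS` the config set rather than appending to it. Suggested shape: `if temp=$("$DECIPHER_MULTI_SCRIPT"); then set -- $temp; KEY=$1; shift; DECIPHER_EXTRA_ARGS="$DECIPHER_EXTRA_ARGS $*"; else KEY=; fi`, and have the caller treat an empty `KEY` as "no card key available, ask for the passphrase".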
@ -105,27 +116,28 @@ if [ -b "/dev/mapper/${CRYPTTAB_NAME}" ] ; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
wait_card
|
wait_card
|
||||||
|
check_key
|
||||||
|
|
||||||
if [ $plymouth = 1 ] ; then
|
if [ $plymouth = 1 ] ; then
|
||||||
if [ $osk_sdl = 1 ] ; then
|
if [ $osk_sdl = 1 ] ; then
|
||||||
# Get pin number from osk_sdl
|
# Get pin number from osk_sdl
|
||||||
plymouth hide-splash 2>/dev/null
|
plymouth hide-splash 2>/dev/null
|
||||||
${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
|
${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \
|
||||||
$DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
|
$DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
|
||||||
plymouth show-splash 2>/dev/null
|
plymouth show-splash 2>/dev/null
|
||||||
else
|
else
|
||||||
# Get pin number from plymouth
|
# Get pin number from plymouth
|
||||||
${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
|
${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \
|
||||||
$DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")"
|
$DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME ($KEY): ")"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ $osk_sdl = 1 ] ; then
|
if [ $osk_sdl = 1 ] ; then
|
||||||
# Get pin number from osk_sdl
|
# Get pin number from osk_sdl
|
||||||
${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
|
${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \
|
||||||
$DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
|
$DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
|
||||||
else
|
else
|
||||||
# Get pin number from console
|
# Get pin number from console
|
||||||
${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS </dev/console 2>/dev/console
|
${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS </dev/console 2>/dev/console
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
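Review bot: `check_key` is invoked with no arguments, but its non-multi branch does `KEY=$1`; inside a shell function `$1` is the function's own first parameter, not the keyscript's, so with `DECIPHER_MULTI=0` every `${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY"` line in this hunk now receives an empty key path, a regression for the single-key setup. Call it as `check_key "$1"`. The plymouth prompt now also prints the full key-file path in `($KEY)`; the basename is enough and keeps the prompt readable on a phone screen.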
20
usr/share/decrypt_pkcs/pkcs15_get-key.sh
Executable file
|
@ -0,0 +1,20 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
. /etc/default/decrypt_pkcs
|
||||||
|
|
||||||
|
|
||||||
|
pkcs15-tool -c 2>/dev/null \
|
||||||
|
| awk '{ if ($1=="ID")
|
||||||
|
{nline++ ; printf $NF" "}
|
||||||
|
else if ($1=="Encoded" && $2=="serial")
|
||||||
|
{print $NF}}' \
|
||||||
|
| while read id serial ; do
|
||||||
|
if [ -f "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}${serial}.enc" ] ; then
|
||||||
|
export key="${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}${serial}.enc"
|
||||||
|
export arg="-k ${id}"
|
||||||
|
echo ${key} ${arg}
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
exit 1
|
||||||
|
|
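Review bot: `exit 0` inside the `while` loop never terminates the script: the loop is the last stage of a pipeline, which `/bin/sh` (dash) runs in a subshell, so after a match the script continues to the trailing `exit 1` and reports failure even though it printed a key. The caller does not check the status today, which is why this went unnoticed, but it should. Wrap the loop so the status propagates: `... | { while read id serial ; do ... echo "$key" "$arg" ; exit 0 ; fi ; done ; exit 1 ; }`. The `export` on `key` and `arg` is pointless (nothing inherits them; the values travel on stdout), and the output contract "key path, then extra decipher arguments" should be stated in a comment at the top since `check_key` depends on it. Note also that the loop returns the first certificate whose "Encoded serial" has a matching file, so a card carrying several certificates is matched in `pkcs15-tool` listing order; worth a comment as well.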