[feat] Add multi keys support

This commit is contained in:
Alex 2021-04-11 16:29:58 +02:00
parent c34c59ca82
commit 3227284322
6 changed files with 129 additions and 41 deletions

View file

@ -1,11 +1,13 @@
# initrd_luks_pkcs # initrd_luks_pkcs
### Acknowledgment ## Acknowledgment
It has been tested on a debian laptop and a mobian pinephone. It has been tested on a debian laptop and a mobian pinephone.
The smartcard generation come from inspired by https://github.com/swoopla/smartcard-luks . The smartcard generation come from inspired by https://github.com/swoopla/smartcard-luks .
The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/DebianOnMobile-team/osk-sdl. The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/DebianOnMobile-team/osk-sdl.
### The general steps: ## Single key setup
### General steps:
* Erase and initialize card * Erase and initialize card
* Create public/private key pair on smartcard * Create public/private key pair on smartcard
* Create key file and add it to a LUKS key slot * Create key file and add it to a LUKS key slot
@ -13,7 +15,7 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian
* Modify initramfs to use smartcard to decrypt the encrypted keyfile * Modify initramfs to use smartcard to decrypt the encrypted keyfile
* Modify decrypt_opensc script to swicth between smartcard and luks password and add osk-sdl support for touchscreen device * Modify decrypt_opensc script to swicth between smartcard and luks password and add osk-sdl support for touchscreen device
### The details: ### details:
1. Install smartcard middleware 1. Install smartcard middleware
```sudo apt-get install pcscd opensc``` ```sudo apt-get install pcscd opensc```
@ -62,14 +64,34 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian
9. Install the cryptsetup script and the initramfs-tool hook 9. Install the cryptsetup script and the initramfs-tool hook
```sudo cp decrypt_pkcs /lib/cryptsetup/script/ ``` ```sudo cp lib/cryptsetup/scripts/decrypt_pkcs /lib/cryptsetup/script/ ```
```sudo cp decrypt_pkcs_hook /etc/initramfs-tools/hooks && chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs_hook ``` ```sudo cp etc/initramfs-tools/hooks/decrypt_pkcs /etc/initramfs-tools/hooks && sudo chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs ```
```sudo cp decrypt_pkcs_default /etc/default/decrypt_pkcs ``` ```sudo cp etc/default/decrypt_pkcs /etc/default/ ```
```sudo update-initramfs -u``` ```sudo update-initramfs -u```
10. Test smartcard (without USB Key) 10. Test smartcard (without USB Key)
11. Test LUKS Password (without Smartcard) 11. Test LUKS Password (without Smartcard)
## Multi keys setup
The setup is quite the same except that you need to put all the key files in the expected format.
With the provided exemple config and script all keys must be stored in the `/etc/keys` folder with the following filename : `internal-${ENCODED_SERIAL}.enc` with `${ENCODED_SERIAL} the result of the following commands :
```
pkcs15-tool -c 2>/dev/null | awk '{ if ($1$2=="Encodedserial") {print $NF}}'
```
You need to modify the `/etc/default/decrypt_pkcs` and set `DECIPHER_MULTI` to `1`
and copy the script in charge of selecting the right key file form initramfs :
```sudo mkdir -p /usr/share/decrypt_pkcs && sudo cp usr/share/decrypt_pkcs/pkcs15_get-key.sh /usr/share/decrypt_pkcs/ && sudo chmod +x /usr/share/decrypt_pkcs/pkcs15_get-key.sh ```
Every time a new key is added, the initrd mus be regenerated :
```sudo update-initramfs -u```

View file

@ -1,27 +0,0 @@
# Decrypt_PKCS initramfs configuration
# Smartcard presence test
SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
SMARTCARD_PRESENCE_ARGS='-n'
# PKCS decipher command default to pkcs15-crypt
#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
# PKCS decipher extra library (usefull with pkcs11 or custom command)
# The initramfs hook will search in the multiarch default library path
# eg where the libc is stored and its subfolders.
# Wildcard is allowed by using the find command
DECIPHER_EXTRA_LIBS=
# Define command parameters
# DECIPHER_ARGS is followed by the data to decipher
# DECIPHER_EXTRA_ARGS allow customization
# DECIPHER_ASKPIN is followed by the PIN input from user
# Default value for pkcs15-crypt
#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
#DECIPHER_EXTRA_ARGS=
#DECIPHER_ASK_PIN='--pin'
DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
DECIPHER_EXTRA_ARGS=
DECIPHER_ASK_PIN='--pin'

46
etc/default/decrypt_pkcs Normal file
View file

@ -0,0 +1,46 @@
# Decrypt_PKCS initramfs configuration
# Smartcard presence test
#SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
#SMARTCARD_PRESENCE_ARGS='-n'
SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
SMARTCARD_PRESENCE_ARGS='-n'
# PKCS decipher command default to pkcs15-crypt
#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
DECIPHER_COMMAND=
# PKCS decipher extra library (usefull with pkcs11 or custom command)
# The initramfs hook will search in the multiarch default library path
# eg where the libc is stored and its subfolders.
# Wildcard is allowed by using the find command
DECIPHER_EXTRA_LIBS=
# Define command parameters
# DECIPHER_ARGS is followed by the data to decipher
# DECIPHER_EXTRA_ARGS allow customization
# DECIPHER_ASKPIN is followed by the PIN input from user
# Default value for pkcs15-crypt
#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
#DECIPHER_ASK_PIN='--pin'
DECIPHER_ARGS=
DECIPHER_ASK_PIN=
# Support multiple key files
# Default behaviour use the key file provided by crypttab
#DECIPHER_MULTI=0
#DECIPHER_MULTI_FOLDER=
#DECIPHER_MULTI_PATTERN=
#DECIPHER_MULTI_SCRIPT=
#DECIPHER_MULTI_SCRIPT_DEPENDS=
DECIPHER_MULTI=0
# The keys are in /etc/keys/internal-"$EncodedSerial".enc
# The key file extension .enc is hardcoded
DECIPHER_MULTI_FOLDER="/etc/keys"
DECIPHER_MULTI_PATTERN="internal-"
# This script should return the approriate encrypted file for the current token
# It can export the $DECIPHER_EXTRA_ARGS to pass arguments to the decipher command
# such as slot specification, id filter ...
DECIPHER_MULTI_SCRIPT="/usr/share/decrypt_pkcs/pkcs15_get-key.sh"
# Script dependancies included in the initramfs
DECIPHER_MULTI_SCRIPT_DEPENDS="/usr/bin/pkcs15-tool"

View file

@ -30,6 +30,8 @@ fi
DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt} DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool} SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool}
DECIPHER_MULTI=${DECIPHER_MULTI:-0}
# Hooks for loading smartcard reading software into the initramfs # Hooks for loading smartcard reading software into the initramfs
copy_keys() { copy_keys() {
crypttab_parse_options crypttab_parse_options
@ -46,9 +48,11 @@ copy_keys() {
RV=0 RV=0
#copy default key #copy default key
crypttab_foreach_entry copy_keys crypttab_foreach_entry copy_keys
#copy all users keys if [ $DECIPHER_MULTI = 1 ] ; then
#mkdir -p "$DESTDIR/etc/keys" #copy all keys
#cp /etc/keys/pass*.enc "$DESTDIR/etc/keys/" mkdir -p "$DESTDIR/${DECIPHER_MULTI_FOLDER}"
cp -t "$DESTDIR/${DECIPHER_MULTI_FOLDER}" "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}"*
fi
# Install directories needed by smartcard reading daemon, command, and # Install directories needed by smartcard reading daemon, command, and
# key-script # key-script
@ -72,4 +76,15 @@ copy_exec $DECIPHER_COMMAND
cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf
cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs
# If Multi
if [ $DECIPHER_MULTI = 1 ] ; then
mkdir -p $DESTDIR/$(dirname "${DECIPHER_MULTI_SCRIPT}")
cp -t $DESTDIR/$(dirname "${DECIPHER_MULTI_SCRIPT}") "${DECIPHER_MULTI_SCRIPT}"
chmod +x $DESTDIR/"${DECIPHER_MULTI_SCRIPT}"
for bin in $DECIPHER_MULTI_SCRIPT_DEPENDS ; do
copy_exec $bin
done
fi
exit $RV exit $RV

View file

@ -16,6 +16,7 @@ SMARTCARD_PRESENCE_ARGS=${SMARTCARD_PRESENCE_ARGS:-'-n'}
DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt} DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
DECIPHER_ARGS=${DECIPHER_ARGS:-'--decipher --pkcs1 --raw --input'} DECIPHER_ARGS=${DECIPHER_ARGS:-'--decipher --pkcs1 --raw --input'}
DECIPHER_ASK_PIN=${DECIPHER_ASK_PIN:-'--pin'} DECIPHER_ASK_PIN=${DECIPHER_ASK_PIN:-'--pin'}
DECIPHER_MULTI=${DECIPHER_MULTI:-0}
check_plymouth() { check_plymouth() {
plymouth=0 plymouth=0
@ -40,6 +41,16 @@ check_card() {
fi fi
} }
check_key() {
if [ $DECIPHER_MULTI = 1 ] ; then
temp=$($DECIPHER_MULTI_SCRIPT)
KEY=$(echo $temp | awk '{print $1}')
DECIPHER_EXTRA_ARGS=$(echo $temp | awk '{$1=""; print}')
else
KEY=$1
fi
}
log_message() { log_message() {
if [ $plymouth = 1 ] ; then if [ $plymouth = 1 ] ; then
plymouth display-message --text="$@" 2>/dev/null plymouth display-message --text="$@" 2>/dev/null
@ -105,27 +116,28 @@ if [ -b "/dev/mapper/${CRYPTTAB_NAME}" ] ; then
fi fi
wait_card wait_card
check_key
if [ $plymouth = 1 ] ; then if [ $plymouth = 1 ] ; then
if [ $osk_sdl = 1 ] ; then if [ $osk_sdl = 1 ] ; then
# Get pin number from osk_sdl # Get pin number from osk_sdl
plymouth hide-splash 2>/dev/null plymouth hide-splash 2>/dev/null
${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \
$DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)" $DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
plymouth show-splash 2>/dev/null plymouth show-splash 2>/dev/null
else else
# Get pin number from plymouth # Get pin number from plymouth
${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \
$DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")" $DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME ($KEY): ")"
fi fi
else else
if [ $osk_sdl = 1 ] ; then if [ $osk_sdl = 1 ] ; then
# Get pin number from osk_sdl # Get pin number from osk_sdl
${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \
$DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)" $DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
else else
# Get pin number from console # Get pin number from console
${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS </dev/console 2>/dev/console ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS </dev/console 2>/dev/console
fi fi
fi fi

View file

@ -0,0 +1,20 @@
#!/bin/sh
. /etc/default/decrypt_pkcs
pkcs15-tool -c 2>/dev/null \
| awk '{ if ($1=="ID")
{nline++ ; printf $NF" "}
else if ($1=="Encoded" && $2=="serial")
{print $NF}}' \
| while read id serial ; do
if [ -f "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}${serial}.enc" ] ; then
export key="${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}${serial}.enc"
export arg="-k ${id}"
echo ${key} ${arg}
exit 0
fi
done
exit 1