# initrd_luks_pkcs

## Acknowledgment

It has been tested on a Debian laptop and a Mobian PinePhone.

The smartcard generation is inspired by https://github.com/swoopla/smartcard-luks .

The OSK-SDL parts are inspired by the Mobian package https://salsa.debian.org/DebianOnMobile-team/osk-sdl.

## Single key setup

### General steps:

* Erase and initialize card
* Create public/private key pair on smartcard
* Create key file and add it to a LUKS key slot
* Encrypt key file using public key from smartcard
* Modify initramfs to use smartcard to decrypt the encrypted keyfile
* Modify decrypt_opensc script to switch between smartcard and LUKS password, and add osk-sdl support for touchscreen devices

### details:

1. Install smartcard middleware

```sudo apt-get install pcscd opensc```

2. Erase smartcard

```pkcs15-init -E```

3. Initialize smartcard

```pkcs15-init --create-pkcs15 -p pkcs15+onepin --pin 1234 --puk 4321```

4. Create public/private key pair on smartcard

```pkcs15-init -G rsa/2048 -i 01 -a 01 -u decrypt --pin 1234```

5. Create a random key file and add it to a LUKS key slot

```sudo touch /root/rootkey```

```sudo chmod 600 /root/rootkey```

```sudo dd if=/dev/random of=/root/rootkey bs=1 count=245 #change to urandom if you can't wait```

```sudo cryptsetup luksAddKey /dev/sda2 /root/rootkey```

6. Export the public key from smartcard

```pkcs15-tool --read-public-key 01 -o public_key_rsa2048.pem```

7. Encrypt key file using public key

```sudo openssl rsautl -encrypt -pubin -inkey public_key_rsa2048.pem -in /root/rootkey -out /root/rootkey.enc```

```sudo rm /root/rootkey```

8. Edit crypttab. This change passes the encrypted key file as the argument to the keyscript

This should be of the form:

```mapped_device_name source_block_device key_file luks,keyscript=decrypt_pkcs```

For example:

```sda2_crypt UUID=d332ecc5-ce8b-4900-a04a-a79abd029d6d /root/rootkey.enc luks,keyscript=decrypt_pkcs```

9. Install the cryptsetup script and the initramfs-tools hook

```sudo cp lib/cryptsetup/scripts/decrypt_pkcs /lib/cryptsetup/scripts/```

```sudo cp etc/initramfs-tools/hooks/decrypt_pkcs /etc/initramfs-tools/hooks && sudo chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs```

```sudo cp etc/default/decrypt_pkcs /etc/default/```

```sudo update-initramfs -u```

10. Test smartcard (without USB key)

11. Test LUKS password (without smartcard)
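Before rebooting, the two things worth checking are that the crypttab entry has the shape step 8 describes and that the card really can decrypt `/root/rootkey.enc` into something cryptsetup accepts for the LUKS slot added in step 5. The script below is an added example, not part of initrd_luks_pkcs: `crypttab_line`, `check_crypttab_line` and `verify_card_roundtrip` are hypothetical helper names, the round trip relies on `pkcs15-crypt --decipher` and `cryptsetup open --test-passphrase` as documented in their man pages, and the UUID, paths, key id and PIN are the ones used in the steps above.

```shell
#!/bin/sh
# Added example, not part of initrd_luks_pkcs: sanity-check the crypttab entry from
# step 8 and, optionally, prove the card can decrypt the key file before rebooting.
set -eu

# Build a crypttab line of the form the keyscript expects:
#   mapped_device_name source_block_device key_file luks,keyscript=decrypt_pkcs
crypttab_line() {
    # $1 = mapped name, $2 = source device (UUID=... or /dev/...), $3 = encrypted key file
    printf '%s %s %s luks,keyscript=decrypt_pkcs\n' "$1" "$2" "$3"
}

# Return 0 if a crypttab line matches step 8, otherwise print the reason and return 1.
# The third field is handed to decrypt_pkcs as its only argument, so it must be the
# absolute path of the encrypted key, not the plaintext one removed in step 7.
check_crypttab_line() {
    set -- $1   # split the line into its whitespace-separated fields
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#"; return 1; }
    case $3 in
        /*.enc) ;;
        *) echo "key file '$3' must be an absolute path ending in .enc"; return 1 ;;
    esac
    case ",$4," in
        *,luks,*) ;;
        *) echo "options '$4' must include 'luks'"; return 1 ;;
    esac
    case ",$4," in
        *,keyscript=decrypt_pkcs,*) ;;
        *) echo "options '$4' must include 'keyscript=decrypt_pkcs'"; return 1 ;;
    esac
    return 0
}

# Decrypt the key file with the card's private key (id 01 from step 4) and ask
# cryptsetup to verify it against a LUKS key slot without mapping the device.
# Needs pcscd/opensc, the card and root; the decrypted key lives only in a 0700 tmp dir.
verify_card_roundtrip() {
    # $1 = encrypted key file, $2 = LUKS device, $3 = user PIN
    tmp=$(mktemp -d)
    chmod 700 "$tmp"
    if ! pkcs15-crypt --decipher --key 01 --pkcs1 --pin "$3" --input "$1" --output "$tmp/rootkey"; then
        rm -rf "$tmp"; echo "card could not decrypt $1"; return 1
    fi
    # --test-passphrase: check the key opens a slot, do not activate the mapping
    if cryptsetup open --test-passphrase --key-file "$tmp/rootkey" "$2"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Usage: ./check.sh [ENCRYPTED_KEYFILE LUKS_DEVICE PIN]
# Without arguments only the crypttab line is checked (values from the steps above).
line=$(crypttab_line sda2_crypt UUID=d332ecc5-ce8b-4900-a04a-a79abd029d6d /root/rootkey.enc)
check_crypttab_line "$line" && echo "crypttab entry looks right: $line"
if [ $# -eq 3 ]; then
    verify_card_roundtrip "$1" "$2" "$3" && echo "card decrypts the key and it opens $2"
fi
```

Run it with no arguments to check only the crypttab line, or as `./check.sh /root/rootkey.enc /dev/sda2 1234` (as root, with the card inserted) to also perform the round trip. The 245-byte limit in step 5 comes from PKCS#1 v1.5 padding: an RSA-2048 key can encrypt at most 256 - 11 = 245 bytes, which is why `--pkcs1` is passed on decryption. Note that `openssl rsautl` is deprecated since OpenSSL 3.0; `openssl pkeyutl -encrypt -pubin -inkey public_key_rsa2048.pem -in /root/rootkey -out /root/rootkey.enc` produces the same PKCS#1 v1.5 ciphertext.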

## Multi keys setup

The setup is much the same, except that every key file must be stored under the expected name.

With the provided example config and script, all keys must be stored in the `/etc/keys` folder with the filename `internal-${ENCODED_SERIAL}.enc`, where `${ENCODED_SERIAL}` is the result of the following command:

```
pkcs15-tool -c 2>/dev/null | awk '{ if ($1$2=="Encodedserial") {print $NF}}'
```

You need to modify `/etc/default/decrypt_pkcs` and set `DECIPHER_MULTI` to `1`, and copy the script in charge of selecting the right key file from the initramfs:

```sudo mkdir -p /usr/share/decrypt_pkcs && sudo cp usr/share/decrypt_pkcs/pkcs15_get-key.sh /usr/share/decrypt_pkcs/ && sudo chmod +x /usr/share/decrypt_pkcs/pkcs15_get-key.sh```

Every time a new key is added, the initrd must be regenerated:

```sudo update-initramfs -u```
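The filename rule above can be exercised without a card by feeding saved `pkcs15-tool` output to the same awk expression. The script below is an added example, not the project's `pkcs15_get-key.sh`: `encoded_serial` and `keyfile_for_card` are hypothetical helper names, the sample output is constructed (the layout of the `Encoded serial` line is assumed to be what the awk expression matches), and refusing serials with characters that are unsafe in a filename is a design choice of this example, not something the page says the project does.

```shell
#!/bin/sh
# Added example, not the project's pkcs15_get-key.sh: derive the per-card key file name
# used by the multi-key setup and fail clearly when the card reports no serial.
set -eu

KEYS_DIR=${KEYS_DIR:-/etc/keys}   # folder holding the internal-${ENCODED_SERIAL}.enc files

# The README's awk expression, reading pkcs15-tool output from stdin so it can be run
# without a card. Prints the last field of the "Encoded serial" line, or nothing.
encoded_serial() {
    awk '{ if ($1$2=="Encodedserial") {print $NF}}'
}

# Print the key file path for the card whose pkcs15-tool output is on stdin.
# Returns 1 (message on stderr) if no serial is found or it is unsafe in a filename,
# so the caller never ends up looking for "/etc/keys/internal-.enc".
keyfile_for_card() {
    serial=$(encoded_serial)
    if [ -z "$serial" ]; then
        echo "no 'Encoded serial' line in pkcs15-tool output (no card, or card not PKCS#15 initialised)" >&2
        return 1
    fi
    case $serial in
        *[!0-9A-Za-z._-]*) echo "serial '$serial' contains characters not allowed in a key file name" >&2; return 1 ;;
    esac
    printf '%s/internal-%s.enc\n' "$KEYS_DIR" "$serial"
}

# Constructed sample of pkcs15-tool -c output (layout assumed, not captured from a real card).
SAMPLE_OUTPUT='Using reader with a card: Example Reader 00 00
Encoded serial : 0123456789ABCDEF
X.509 Certificate [Certificate]
        Object Flags   : [0x02], modifiable'

# Usage: ./keyfile.sh          -> uses the embedded sample
#        ./keyfile.sh --live   -> queries the inserted card via pkcs15-tool
if [ "${1:-}" = "--live" ]; then
    pkcs15-tool -c 2>/dev/null | keyfile_for_card
else
    printf '%s\n' "$SAMPLE_OUTPUT" | keyfile_for_card
fi
```

With the sample it prints `/etc/keys/internal-0123456789ABCDEF.enc`. Checking for an empty serial matters because the bare awk expression prints nothing when no card is present, and the path would otherwise silently collapse to `/etc/keys/internal-.enc`; a non-zero exit gives the calling script something to fall back on.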