summaryrefslogtreecommitdiffstats
path: root/debian/README.opensc
blob: cfee1a0ed1ad328e460287d644afece7de88e0b3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
opensc/pcscd with cryptsetup and LUKS on Debian
===============================================

This is an overview on how you can make use of cryptsetup with your
smartcard device supported by opensc/pcscd.

I assume that you already have an initialized smartcard with a RSA key
that has the proper X509 properties for encryption set. To generate such
a key in hardware on the smartcard you should execute the following
command:

    pkcs15-init -G rsa/2048 -a [PIN id] -u sign,decrypt

If your smart card doesn't support 2048 bit RSA just change the argument
to the largest size possible.

The decrypt_opensc keyscript decrypts an encrypted key in your boot
partition with the private key on your smartcard. Therefore you have to
create a key for the partition that is to be decrypted using the
smartcard. As pkcs15-crypt does not seem to support PKCS1 padding, the
key is required to have the same size as your RSA key. For a 2048 bit
key use the following (the byte count is 256 as 2048/8 is 256):

    dd if=/dev/random of=/boot/keys/key bs=1 count=256

Now the key is added to the LUKS partition:

    cryptsetup luksAddKey /dev/sdXn /boot/keys/key

Enter an already existing pass phrase and watch cryptsetup doing its
job. As we don't want the key in clear on the hard drive, we are going
to encrypt it with the public key to the key on the smartcard.
Read the public key first:

    pkcs15-tool --read-public-key [key id] -o pubkey

Then encrypt the random data with the extracted key, destroy the
plain text one and remove your public key from the hard drive (it isn't
necessary to shred it as a potential attacker can't use your public key
for anything).

    openssl rsautl -in /boot/keys/key -inkey pubkey -pubin -raw \
            -encrypt -out /boot/keys/root
    shred -u /boot/keys/key
    rm -rf pubkey

Now you'll have to edit `/etc/crypttab`. The format should be familiar but
I'll state it here again:

    name device /boot/keys/root luks,discard,keyscript=decrypt_opensc

The modules needed by the reader should now be added to
`/etc/initramfs-tools/modules`, so they are loaded on boot time. For
example yenta_socket, pcmcia, pcmcia_core, serial_cs, rsrc_nonstatic for
PCMCIA card readers.

In a perfect world you would just rebuild the initramfs now and it would
work. Unfortunately there are some additional issues to address. The
most important one is pcscd. Newer versions of pcscd use HAL and dbus to
detect readers. As most people (including me) aren't too enthusiastic
about adding these two daemons to the initramfs, we will rebuild the
daemon to use the traditional polling method with libusb. Again, this
step is only necessary if your reader uses pcscd (for example the
Gemalto PC Card readers).

To do this, download the ccid and pcsc-lite packages from
https://pcsc-lite.alioth.debian.org/

Install the libusb header files, extract the tarballs and build pcscd
with the following commands:

    apt-get install libusb-dev
    ./configure --disable-libhal --enable-libusb
    make
    make install

Now go to the ccid directory and execute these commands (the option is
only need if you use the libccidtwin.so to access your reader:

    ./configure [--enable-twinserial]
    make
    make install

This installs the new pcscd and it's libraries in `/usr/local/`. To
reflect the new situation we have to change the initramfs scripts.
Edit /etc/reader.conf to instruct `pcscd` to use the new libraries (they
should be in `/usr/local/pcsc/drivers/`) instead of the ones from the Debian
package. Replace everything after line 45 in
`/usr/share/initramfs-tools/hooks/cryptopensc` with the following chunk:

    for dir in etc/opensc usr/local/pcsc var/run tmp ; do
            if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi
    done

    # Install pcscd daemon, drivers, conf file, and include libgcc as
    # well since
    # pcscd utilizes pthread_cancel
    copy_exec /usr/local/sbin/pcscd
    cp -r /usr/local/pcsc ${DESTDIR}/usr/local
    cp /etc/reader.conf ${DESTDIR}/etc
    cp -r /usr/local/lib ${DESTDIR}/usr/local
    # Install opensc commands and conf file
    copy_exec /usr/bin/opensc-tool
    copy_exec /usr/bin/pkcs15-crypt
    cp /lib/libgcc_s.so.1 ${DESTDIR}/lib
    cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc

Edit `/usr/share/initramfs-tools/scripts/local-bottom/cryptopensc` and
`/usr/share/initramfs-tools/scripts/local-top/cryptopensc` to use the new
binary in `/usr/local/sbin/pcscd` instead of `/usr/sbin/pcscd` and change
the path in the existence test to:

    if [ ! -x /usr/local/sbin/pcscd ]; then
            exit 0
    fi

If you have completed all the steps up to now, you can update your
initramfs image with:

    update-initramfs -u -k `uname -r`

and reboot your machine. This leaves a backup of your old initramfs in
the boot partition if something doesn't work. If you have to debug your
initramfs during boot just append the `break=mount` option to the kernel
to have a debug shell just before the root partition would be mounted.

 -- Benjamin Kiessling <benjaminkiessling@bttec.org>, Sun, 26 Jul 2009