diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:49:52 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:49:52 +0000 |
commit | 55944e5e40b1be2afc4855d8d2baf4b73d1876b5 (patch) | |
tree | 33f869f55a1b149e9b7c2b7e201867ca5dd52992 /man/yubikey-crypttab.sh | |
parent | Initial commit. (diff) | |
download | systemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.tar.xz systemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.zip |
Adding upstream version 255.4.upstream/255.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'man/yubikey-crypttab.sh')
-rw-r--r-- | man/yubikey-crypttab.sh | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/man/yubikey-crypttab.sh b/man/yubikey-crypttab.sh new file mode 100644 index 0000000..a66a88f --- /dev/null +++ b/man/yubikey-crypttab.sh @@ -0,0 +1,41 @@ +# SPDX-License-Identifier: MIT-0 + +# Destroy any old key on the Yubikey (careful!) +ykman piv reset + +# Generate a new private/public key pair on the device, store the public key in +# 'pubkey.pem'. +ykman piv generate-key -a RSA2048 9d pubkey.pem + +# Create a self-signed certificate from this public key, and store it on the +# device. The "subject" should be an arbitrary user-chosen string to identify +# the token with. +ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem + +# We don't need the public key anymore, let's remove it. Since it is not +# security sensitive we just do a regular "rm" here. +rm pubkey.pem + +# Enroll the freshly initialized security token in the LUKS2 volume. Replace +# /dev/sdXn by the partition to use (e.g. /dev/sda1). +sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn + +# Test: Let's run systemd-cryptsetup to test if this all worked. +sudo systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto + +# If that worked, let's now add the same line persistently to /etc/crypttab, +# for the future. We don't want to use the (unstable) /dev/sdX name, so let's +# figure out a stable link: +udevadm info -q -r symlink /dev/sdXn + +# Now add the line using the by-uuid symlink to /etc/crypttab: +sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - pkcs11-uri=auto" >>/etc/crypttab' + +# Depending on your distribution and encryption setup, you may need to manually +# regenerate your initramfs to be able to use a Yubikey / PKCS#11 token to +# unlock the partition during early boot. +# More information at https://unix.stackexchange.com/a/705809. +# On Fedora based systems: +sudo dracut --force +# On Debian based systems: +sudo update-initramfs -u |