man: tweaks to the crypttab(5) man page
This commit is contained in:
Lennart Poettering
parent
3d864658ea
commit
2ccf0ff6e8
|
|
@ -425,10 +425,10 @@
|
||||||
line. This is useful for unlocking encrypted volumes through security tokens or smartcards. See below
|
line. This is useful for unlocking encrypted volumes through security tokens or smartcards. See below
|
||||||
for an example how to set up this mechanism for unlocking a LUKS volume with a YubiKey security
|
for an example how to set up this mechanism for unlocking a LUKS volume with a YubiKey security
|
||||||
token. The specified URI can refer directly to a private RSA key stored on a token or alternatively
|
token. The specified URI can refer directly to a private RSA key stored on a token or alternatively
|
||||||
just to a slot or token in which case a suitable private RSA key object is automatically searched on
|
just to a slot or token, in which case a search for a suitable private RSA key will be performed. In
|
||||||
it. In this case if multiple suitable objects are found the token is refused. The key configured in
|
this case if multiple suitable objects are found the token is refused. The key configured in the
|
||||||
the third column is passed as is to RSA decryption. The resulting decrypted key is then base64
|
third column is passed as is to RSA decryption. The resulting decrypted key is then base64 encoded
|
||||||
encoded before it is used to unlock the LUKS volume.</para></listitem>
|
before it is used to unlock the LUKS volume.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
@ -489,7 +489,8 @@ external /dev/sda3 keyfile:LABEL=keydev keyfile-timeout=10s</programlist
|
||||||
<title>Yubikey-based Volume Unlocking Example</title>
|
<title>Yubikey-based Volume Unlocking Example</title>
|
||||||
|
|
||||||
<para>The PKCS#11 logic allows hooking up any compatible security token that is capable of storing RSA
|
<para>The PKCS#11 logic allows hooking up any compatible security token that is capable of storing RSA
|
||||||
decryption keys. Here's an example how to set up a Yubikey security token for this purpose:</para>
|
decryption keys. Here's an example how to set up a Yubikey security token for this purpose, using
|
||||||
|
<command>ykman</command> from the yubikey-manager project:</para>
|
||||||
|
|
||||||
<programlisting><xi:include href="yubikey-crypttab.sh" parse="text" /></programlisting>
|
<programlisting><xi:include href="yubikey-crypttab.sh" parse="text" /></programlisting>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,9 @@ ykman piv reset
|
||||||
# Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'.
|
# Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'.
|
||||||
ykman piv generate-key -a RSA2048 9d pubkey.pem
|
ykman piv generate-key -a RSA2048 9d pubkey.pem
|
||||||
|
|
||||||
# Create a self-signed certificate from this public key, and store it on the device.
|
# Create a self-signed certificate from this public key, and store it on the
|
||||||
|
# device. The "subject" should be an arbitrary string to identify the token in
|
||||||
|
# the p11tool output below.
|
||||||
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem
|
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem
|
||||||
|
|
||||||
# Check if the newly create key on the Yubikey shows up as token in PKCS#11. Have a look at the output, and
|
# Check if the newly create key on the Yubikey shows up as token in PKCS#11. Have a look at the output, and
|
||||||
|
|
@ -18,16 +20,16 @@ p11tool --list-tokens
|
||||||
dd if=/dev/urandom of=plaintext.bin bs=128 count=1
|
dd if=/dev/urandom of=plaintext.bin bs=128 count=1
|
||||||
|
|
||||||
# Encode the secret key also as base64 text (with all whitespace removed)
|
# Encode the secret key also as base64 text (with all whitespace removed)
|
||||||
base64 < plaintext.bin | tr -d '\n\r\t ' > plaintext.base64
|
base64 < plaintext.bin | tr -d '\n\r\t ' > plaintext.base64
|
||||||
|
|
||||||
# Encrypt this newly generated (binary) LUKS decryption key using the public key whose private key is on the
|
# Encrypt this newly generated (binary) LUKS decryption key using the public key whose private key is on the
|
||||||
# Yubikey, store the result in /etc/encrypted-luks-key.bin, where we'll look for it during boot.
|
# Yubikey, store the result in /etc/encrypted-luks-key.bin, where we'll look for it during boot.
|
||||||
openssl rsautl -encrypt -pubin -inkey pubkey.pem -in plaintext.bin -out /etc/encrypted-luks-key.bin
|
sudo openssl rsautl -encrypt -pubin -inkey pubkey.pem -in plaintext.bin -out /etc/encrypted-luks-key.bin
|
||||||
|
|
||||||
# Configure the LUKS decryption key on the LUKS device. We use very low pbkdf settings since the key already
|
# Configure the LUKS decryption key on the LUKS device. We use very low pbkdf settings since the key already
|
||||||
# has quite a high quality (it comes directly from /dev/urandom after all), and thus we don't need to do much
|
# has quite a high quality (it comes directly from /dev/urandom after all), and thus we don't need to do much
|
||||||
# key derivation.
|
# key derivation. Replace /dev/sdXn by the partition to use (e.g. sda1)
|
||||||
cryptsetup luksAddKey /dev/sda1 plaintext.base64 --pbkdf=pbkdf2 --pbkdf-force-iterations=1000
|
sudo cryptsetup luksAddKey /dev/sdXn plaintext.base64 --pbkdf=pbkdf2 --pbkdf-force-iterations=1000
|
||||||
|
|
||||||
# Now securely delete the plain text LUKS key, we don't need it anymore, and since it contains secret key
|
# Now securely delete the plain text LUKS key, we don't need it anymore, and since it contains secret key
|
||||||
# material it should be removed from disk thoroughly.
|
# material it should be removed from disk thoroughly.
|
||||||
|
|
@ -39,7 +41,7 @@ rm pubkey.pem
|
||||||
|
|
||||||
# Test: Let's run systemd-cryptsetup to test if this all worked. The option string should contain the full
|
# Test: Let's run systemd-cryptsetup to test if this all worked. The option string should contain the full
|
||||||
# PKCS#11 URI we have in the clipboard, it tells the tool how to decypher the encrypted LUKS key.
|
# PKCS#11 URI we have in the clipboard, it tells the tool how to decypher the encrypted LUKS key.
|
||||||
systemd-cryptsetup attach mytest /dev/sda1 /etc/encrypted-luks-key.bin 'pkcs11-uri=pkcs11:…'
|
sudo systemd-cryptsetup attach mytest /dev/sdXn /etc/encrypted-luks-key.bin 'pkcs11-uri=pkcs11:…'
|
||||||
|
|
||||||
# If that worked, let's now add the same line persistently to /etc/crypttab, for the future.
|
# If that worked, let's now add the same line persistently to /etc/crypttab, for the future.
|
||||||
echo "mytest /dev/sda1 /etc/encrypted-luks-key 'pkcs11-uri=pkcs11:…' >> /etc/crypttab
|
sudo bash -c 'echo "mytest /dev/sdXn /etc/encrypted-luks-key \'pkcs11-uri=pkcs11:…\'" >> /etc/crypttab'
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue