-
Notifications
You must be signed in to change notification settings - Fork 56
/
yubikey-luks-enroll
executable file
·111 lines (94 loc) · 3.36 KB
/
yubikey-luks-enroll
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#!/bin/sh
SLOT=7
DISK="/dev/sda3"
CLEAR_SLOT=0
DBG=0
YUBIKEY_LUKS_SLOT=2 #Set this in case the value is missing in /etc/ykluks.cfg
set -e
. /etc/ykluks.cfg
if [ "$(id -u)" -ne 0 ]; then
echo "You must be root." 1>&2
exit 1
fi
while getopts ":s:d:y:hcv" opt; do
case $opt in
s)
SLOT=$OPTARG
echo "setting slot to $OPTARG."
;;
d)
DISK=$OPTARG
echo "setting disk to $OPTARG."
;;
y)
if [ ! "$YUBIKEY_LUKS_SLOT" = "$OPTARG" ]; then
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo "WARNING: You are enrolling slot $OPTARG of your yubikey."
echo "During boot, slot $YUBIKEY_LUKS_SLOT is configured to be used (/etc/ykluks.cfg)."
echo "You will therefore not be able to boot using this setup!"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
fi
YUBIKEY_LUKS_SLOT=$OPTARG
echo "setting yubikey slot to $OPTARG."
;;
c)
CLEAR_SLOT=1
echo "clearing slot"
;;
v) DBG=1
echo "debugging enabled"
;;
h)
echo
echo " -d <partition>: set the partition"
echo " -s <slot> : set the LUKS slot"
echo " -y <slot> : set the yubikey slot to use"
echo " -c : clear the slot prior to writing"
echo " -v : show input/output in cleartext"
echo
exit 1
;;
\?)
echo "Invalid option: -$OPTARG" >&2
;;
esac
done
echo "This script will utilize the YubiKey slot $YUBIKEY_LUKS_SLOT for slot $SLOT on drive $DISK. If this is not what you intended, exit now!"
if [ "$CLEAR_SLOT" = "1" ]; then
echo "Killing LUKS slot $SLOT"
cryptsetup luksKillSlot "$DISK" "$SLOT"
fi
echo "Adding yubikey to initrd"
while true ; do
if lsusb | grep -iq 'yubico'; then break; fi
printf "Please insert a yubikey and press enter."
read -r _ <&1
done
P1=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password. This is the password that will only work while your yubikey is installed in your computer:")
if [ "$DBG" = "1" ]; then echo "Password: $P1"; fi
P2=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password again:")
if [ "$DBG" = "1" ]; then echo "Password: $P2"; fi
if [ "$P1" != "$P2" ]; then
echo "Passwords do not match"
exit 1
fi
if [ "$HASH" = "1" ]; then
P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
if [ "$DBG" = "1" ]; then echo "Password hash: $P1"; fi
fi
R="$(printf %s "$P1" | ykchalresp -"$YUBIKEY_LUKS_SLOT" -i- 2>/dev/null || true)"
if [ "$DBG" = "1" ]; then echo "Yubikey response: $R"; fi
if [ -z "$R" ]; then
echo "Yubikey not available or timed out waiting for button press"
exit 1
fi
OLD=$(/lib/cryptsetup/askpass "Please provide an existing passphrase. This is NOT the passphrase you just entered, this is the passphrase that you currently use to unlock your LUKS encrypted drive:")
if [ "$DBG" = "1" ]; then echo "Old passphrase: $OLD"; fi
if [ "$CONCATENATE" = "1" ]; then
printf '%s\n' "$OLD" "$P1$R" "$P1$R" | cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" 2>&1;
if [ "$DBG" = "1" ]; then echo "LUKS key: $P1$R"; fi
else
printf '%s\n' "$OLD" "$R" "$R" | cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" 2>&1;
if [ "$DBG" = "1" ]; then echo "LUKS key: $R"; fi
fi
exit 0