Luks open (#1)

* Add yubikey-luks-open script It allows for opening LUKS containers protected with yubikey-luks outside initramfs. It's useful for external encrypted disks or system rescue in case of broken initramfs. * yubikey-luks-open script: add to debian build * Readme: add yubikey-luks-open info * intendation fix
cornelinux · Nov 19, 2017 · cebbbb1 · cebbbb1
1 parent 8cf480d
commit cebbbb1
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -60,6 +60,14 @@ After changing this file, you need to run
 
 so that the changes get transferred to the initramfs.
 
+Open LUKS container protected with yubikey-luks
+------------------------------------
+
+You can open LUKS container protected with yubikey-luks on running system
+
+        yubikey-luks-open
+
+
 Manage several Yubikeys and Machines
 ------------------------------------
 

diff --git a/debian/rules b/debian/rules
@@ -9,6 +9,7 @@ override_dh_install:
 	install -D -o root -g root -m755 script-top debian/yubikey-luks/usr/share/initramfs-tools/scripts/local-top/yubikey-luks
 	install -D -o root -g root -m755 script-bottom debian/yubikey-luks/usr/share/initramfs-tools/scripts/local-bottom/yubikey-luks
 	install -D -o root -g root -m755 key-script debian/yubikey-luks/usr/share/yubikey-luks/ykluks-keyscript
+	install -D -o root -g root -m755 yubikey-luks-open debian/yubikey-luks/usr/bin/yubikey-luks-open
 	install -D -o root -g root -m755 yubikey-luks-enroll debian/yubikey-luks/usr/bin/yubikey-luks-enroll
 	install -D -o root -g root -m644 yubikey-luks-enroll.1 debian/yubikey-luks/usr/man/man1/yubikey-luks-enroll.1
 	install -D -o root -g root -m644 ykluks.cfg debian/yubikey-luks/etc/ykluks.cfg
diff --git a/yubikey-luks-open b/yubikey-luks-open
@@ -0,0 +1,68 @@
+#!/bin/sh
+DISK="/dev/sda3"
+NAME="yubikey-luks"
+DBG=0
+TMP_FILE=/tmp/new_key
+set -e
+. /etc/ykluks.cfg
+
+if [ "$(id -u)" -ne 0 ]; then
+  echo "You must be root." 1>&2
+  exit 1
+fi
+
+while getopts ":d:n:hv" opt; do
+  case $opt in
+	d)
+		DISK=$OPTARG
+		echo "setting disk to $OPTARG."
+		;;
+	n)
+		NAME=$OPTARG
+		echo "setting name to $OPTARG."
+		;;
+		v)      DBG=1
+		echo "debugging enabled"
+		;;
+	h)
+		echo 
+		echo " -d <partition>: set the partition"
+		echo " -n <name>     : set the container name"
+		echo " -v            : show input/output in cleartext"
+		echo
+		exit 1
+		;;
+	\?)
+		echo "Invalid option: -$OPTARG" >&2
+		;;
+  esac
+done
+
+echo "This script will try opening $NAME LUKS container on drive $DISK . If this is not what you intended, exit now!"
+
+P1=$(/lib/cryptsetup/askpass "Please insert a yubikey and enter password created with yubikey-luks-enroll.")
+	if [ "$DBG" = "1" ]; then echo "Password: $P1"; fi
+
+if [ "$HASH" = "1" ]; then
+	P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
+		if [ "$DBG" = "1" ]; then echo "Password hash: $P1"; fi
+fi
+
+R="$(ykchalresp -2 "$P1" 2>/dev/null || true)"
+	if [ "$DBG" = "1" ]; then echo "Yubikey response: $R"; fi
+
+touch $TMP_FILE
+chmod 600 $TMP_FILE
+
+if [ "$CONCATENATE" = "1" ]; then
+	echo -n "$P1$R" > $TMP_FILE
+		if [ "$DBG" = "1" ]; then echo "LUKS key: $P1$R"; fi
+else
+	echo -n "$R" > $TMP_FILE
+		if [ "$DBG" = "1" ]; then echo "LUKS key: $R"; fi
+fi
+
+cryptsetup --key-file=$TMP_FILE luksOpen "$DISK" "$NAME"
+shred -u $TMP_FILE
+
+exit 0