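#!/bin/sh
# yubikey-luks-enroll: enrol a YubiKey challenge-response secret into a LUKS
# key slot and register the ykluks keyscript in /etc/crypttab.
#
# Usage: yubikey-luks-enroll [-d <partition>] [-s <slot>] [-c] [-v] [-h]
#   -d <partition>  LUKS partition to modify (default: /dev/sda3)
#   -s <slot>       LUKS key slot 0..7 to write (default: 7)
#   -c              kill the slot before writing
#   -v              debug: echo passwords, responses and the derived key
#
# Reads /etc/ykluks.cfg, which must define YUBIKEY_SLOT (the YubiKey
# challenge-response slot handed to ykchalresp) and may define HASH=1
# (sha256 the challenge password first) and CONCATENATE=1 (use
# password+response rather than the response alone as the LUKS key).
#
# Exit codes: 1 generic error / not root / -h, 2 slot occupied,
#             3 invalid slot, 4 disk is not a usable block device.
SLOT=7
DISK="/dev/sda3"
CLEAR_SLOT=0
DBG=0

set -e

# Give a readable message instead of the shell's own error from '.'.
if [ ! -r /etc/ykluks.cfg ]; then
  echo "Cannot read /etc/ykluks.cfg" 1>&2
  exit 1
fi
. /etc/ykluks.cfg
# Optional config switches: treat "unset" the same as "disabled".
HASH=${HASH:-0}
CONCATENATE=${CONCATENATE:-0}

if [ "$(id -u)" -ne 0 ]; then
  echo "You must be root." 1>&2
  exit 1
fi

# Without this, ykchalresp would be invoked with a bare "-" and the failure
# would surface later as a misleading "Yubikey not available".
if [ -z "$YUBIKEY_SLOT" ]; then
  echo "YUBIKEY_SLOT is not set in /etc/ykluks.cfg" 1>&2
  exit 1
fi

#######################################
# Print a diagnostic line only when -v was given.
# Everything passed here (passwords, YubiKey responses, the derived LUKS
# key) is written to stdout in cleartext and can land in terminal
# scrollback, session recordings or logs.
# Globals:   DBG (read)
# Arguments: text to print
# Outputs:   the text on stdout, or nothing
#######################################
debug() {
  if [ "$DBG" = "1" ]; then
    printf '%s\n' "$*"
  fi
}

while getopts ":s:d:hcv" opt; do
  case $opt in
    s)
      # Reject non-numeric input before '[' sees it, so a stray word does
      # not produce an "integer expression expected" error instead of the
      # intended message.
      case $OPTARG in
        ''|*[!0-9]*) slot_ok=0 ;;
        *) if [ "$OPTARG" -lt 8 ]; then slot_ok=1; else slot_ok=0; fi ;;
      esac
      if [ "$slot_ok" = "1" ]; then
        SLOT=$OPTARG
        echo "Setting slot to $OPTARG."
      else
        echo "Invalid slot specified, choose one slot between 0 and 7 or omit this option to choose the default ($SLOT)"
        exit 3
      fi
      ;;
    d)
      if [ -b "$OPTARG" ]; then # must be a block device
        DISK=$OPTARG
        echo "Setting disk to $OPTARG."
      else
        echo "$OPTARG is not a block device!"
        exit 4
      fi
      ;;
    c)
      CLEAR_SLOT=1
      echo "Clearing slot"
      ;;
    v)
      DBG=1
      echo "Debugging enabled"
      ;;
    h)
      echo
      echo " -d <partition>: set the partition"
      echo " -s <slot> : set the slot"
      echo " -c : clear the slot prior to writing"
      echo " -v : show input/output in cleartext"
      echo
      exit 1
      ;;
    \?)
      # Unknown options are reported but do not abort, as upstream does.
      echo "Invalid option: -$OPTARG" >&2
      ;;
  esac
done

echo "This script will utilize slot $SLOT on drive $DISK. If this is not what you intended, exit now!"

# Refuse early on a device without a LUKS header; otherwise luksDump fails
# and the slot check below reports the slot as "occupied".
if ! cryptsetup isLuks "$DISK"; then
  echo "$DISK does not contain a LUKS header!" 1>&2
  exit 4
fi

if [ "$CLEAR_SLOT" = "1" ]; then
  echo "Killing LUKS slot $SLOT"
  cryptsetup luksKillSlot "$DISK" "$SLOT"
else
  # Parses the LUKS1 luksDump layout ("Key Slot N: DISABLED"). If the dump
  # prints slots in another layout the field is empty and the slot is
  # treated as occupied, which is the safe direction — confirm for LUKS2.
  SLOT_STATUS=$(cryptsetup luksDump "$DISK" | grep "Key Slot $SLOT" | awk '{print $4}')
  if [ "$SLOT_STATUS" != 'DISABLED' ]; then
    echo "Slot $SLOT is occupied and -c is not specified! Clear this slot before attempting to set a new key."
    exit 2
  fi
fi

echo "Adding yubikey to initrd"
while true; do
  if lsusb | grep -iq 'yubico'; then break; fi
  printf "Please insert a yubikey and press enter."
  # Upstream reads the keypress through fd 1, which only works while stdout
  # is the terminal; do not redirect stdout when running interactively.
  read -r _ <&1
done

P1=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password. This is the password that will only work while your yubikey is installed in your computer:")
debug "Password: $P1"
P2=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password again:")
debug "Password: $P2"
if [ "$P1" != "$P2" ]; then
  echo "Passwords do not match"
  exit 1
fi

if [ "$HASH" = "1" ]; then
  P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
  debug "Password hash: $P1"
fi

# The challenge travels on ykchalresp's argv and is therefore visible to
# other local users via the process list for the duration of the call.
# stderr is discarded; failure shows up as an empty response below.
R="$(ykchalresp "-$YUBIKEY_SLOT" "$P1" 2>/dev/null || true)"
debug "Yubikey response: $R"
if [ -z "$R" ]; then
  echo "Yubikey not available or timed out waiting for button press"
  exit 1
fi

OLD=$(/lib/cryptsetup/askpass "Please provide an existing passphrase. This is NOT the passphrase you just entered, this is the passphrase that you currently use to unlock your LUKS encrypted drive:")
debug "Old passphrase: $OLD"

if [ "$CONCATENATE" = "1" ]; then
  NEW_KEY="$P1$R"
else
  NEW_KEY="$R"
fi
# Same stdin order upstream uses: existing passphrase, then the new key
# twice. Feeding cryptsetup via stdin keeps the secrets off any argv.
printf '%s\n' "$OLD" "$NEW_KEY" "$NEW_KEY" | cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" 2>&1
debug "LUKS key: $NEW_KEY"

# add keyscript to /etc/crypttab
UUID=""
if [ -b "${DISK}" ]; then
  echo "${DISK} searching from disk/by-uuid"
  UUID="$( blkid -s UUID -o value "$DISK" )"
fi
if ! grep -q 'keyscript=/usr/share/yubikey-luks/ykluks-keyscript' /etc/crypttab; then
  # An empty UUID would hand sed an empty address ('//') and abort with an
  # unhelpful error after the key slot has already been written.
  if [ -z "$UUID" ]; then
    echo "LUKS slot $SLOT was written, but the UUID of $DISK could not be determined; add keyscript=/usr/share/yubikey-luks/ykluks-keyscript to its /etc/crypttab entry manually." 1>&2
    exit 1
  fi
  # The sed below only edits a line mentioning the UUID; an entry that
  # names the device by path would otherwise be silently left untouched.
  if ! grep -q -- "$UUID" /etc/crypttab; then
    echo "LUKS slot $SLOT was written, but no /etc/crypttab entry references UUID $UUID; add keyscript=/usr/share/yubikey-luks/ykluks-keyscript to the entry for $DISK manually." 1>&2
    exit 1
  fi
  sed -i "/${UUID}/ s/$/,keyscript=\/usr\/share\/yubikey-luks\/ykluks-keyscript/" /etc/crypttab
  update-initramfs -u
fi
exit 0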