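# SPDX-License-Identifier: MIT-0
#
# Walkthrough: enroll a YubiKey (PIV applet, driven via PKCS#11) as an unlock
# method for a LUKS2 volume with systemd-cryptenroll, then make the enrollment
# persistent through /etc/crypttab. The steps are meant to be run one at a
# time by hand after replacing the placeholders (/dev/sdXn, the by-uuid path,
# the "Knobelei" subject); this is not a script to run unattended.

# Destroy any old key on the Yubikey (careful!)
# NOTE: the command for this step was missing from the source listing and is
# restored from the surrounding comment. "piv reset" wipes every key and
# certificate in the PIV applet and puts PIN, PUK and management key back to
# their factory defaults -- change those afterwards before trusting the token.
ykman piv reset

# Generate a new private/public key pair on the device, store the public key in
# pubkey.pem. Slot 9d is the PIV "Key Management" slot; the private key is
# created on the token and never leaves it. If you want a touch or PIN prompt
# on every use, look at ykman's --pin-policy / --touch-policy options for this
# command before generating the key (policies are fixed at generation time).
ykman piv generate-key -a RSA2048 9d pubkey.pem

# Create a self-signed certificate from this public key, and store it on the
# device. The "subject" should be an arbitrary user-chosen string to identify
# the key; it carries no security meaning, the certificate is only what the
# PKCS#11 layer needs in order to find and expose the key.
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem

# We don't need the public key anymore, let's remove it. Since it is not
# security sensitive we just do a regular "rm" here.
rm pubkey.pem

# Enroll the freshly initialized security token in the LUKS2 volume. Replace
# /dev/sdXn by the partition to use (e.g. /dev/sda1). This adds a new LUKS
# keyslot; existing passphrase slots are left in place -- keep at least one of
# them (or a recovery key) so that losing the token does not lock you out.
sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn

# Test: Let's run systemd-cryptsetup to test if this all worked. The lone "-"
# is the key-file field ("none"); pkcs11-uri=auto selects the token URI that
# was recorded in the LUKS header during enrollment.
sudo systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto
# Release the test mapping again before wiring it up permanently.
sudo systemd-cryptsetup detach mytest

# If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future. We don't want to use the (unstable) /dev/sdX name, so let's
# figure out a stable link. (-q takes the query type as its argument, so
# "symlink" must follow it directly; -r prints the links as absolute paths.)
udevadm info -q symlink -r /dev/sdXn

# Now add the line using the by-uuid symlink to /etc/crypttab. Fill in the
# UUID printed above in place of "...". "tee -a" appends as root without
# having to spawn a root shell just for the redirection.
echo "mytest /dev/disk/by-uuid/... - pkcs11-uri=auto" | sudo tee -a /etc/crypttab >/dev/null

# Depending on your distribution and encryption setup, you may need to manually
# regenerate your initramfs to be able to use a Yubikey / PKCS#11 token to
# unlock the partition during early boot.
# More information at https://unix.stackexchange.com/a/705809.
# On Fedora based systems (command restored; it was missing from the listing):
sudo dracut --force
# On Debian based systems:
sudo update-initramfs -u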