diff options
-rw-r--r-- | README-dracut.md | 59 | ||||
-rw-r--r-- | README-mkinitcpio.md | 2 | ||||
-rwxr-xr-x | dracut/module-setup.sh | 13 |
3 files changed, 44 insertions, 30 deletions
diff --git a/README-dracut.md b/README-dracut.md index 9573980..d84f4b9 100644 --- a/README-dracut.md +++ b/README-dracut.md @@ -16,6 +16,7 @@ To compile and use yubikey full disk encryption you need: * cryptsetup-devel * python-markdown * systemd-devel +* keyutils-libs-devel Build and install ----------------- @@ -38,17 +39,19 @@ This will place files to their desired places in filesystem. Usage ----- +### config files `/etc/crypttab` and `/etc/ykfde.conf` + Make sure systemd knows about your encrypted device by adding a line to `/etc/crypttab`. It should read like: > `mapping-name` /dev/`LUKS-device` - -Normally, there is already an entry for your device. +Usually there is already an entry for your device. Update `/etc/ykfde.conf` with correct settings. Add `mapping-name` from above to `device name` in the `general` section. Then add a new section with your key's decimal serial number containing the key slot setting. -The file should look like this: +The minimal file should look like this: [general] device name = crypt @@ -59,7 +62,10 @@ The file should look like this: *Be warned*: Do not remove or overwrite your interactive key! Keep that for backup and rescue! -`ykfde` will read its information from these files. Then prepare +### key setup + +`ykfde` will read its information from these files and understands some +additional options. Run `ykfde --help` for details. Then prepare the key. Plug it in, make sure it is configured for `HMAC-SHA1`. After that run: @@ -69,47 +75,42 @@ This will store a challenge in `/etc/ykfde.d/` and add a new slot to your LUKS device. When `ykfde` asks for a password it requires a valid password from available slot. -Build the dracut: - -> dracut -f - -Now you have two choices. If you want, that the challenges are updated every boot, go on. else stop here. - -### change challenges on boot +Adding a key with second factor is as easy: -To change the challenges every boot it takes too long to generate whole new initramfs. So we load an additional initram with the bootloader. +> ykfde -s 2nd-factor -Build the cpio archive with the challenges: +And updating key and second factor is straight forward: -> ykfde-cpio - -Setup your bootloader with the the additional initram '/boot/ykfde-challenges.img' - -#### Setup GRUB2 +> ykfde -s old-2nd-factor -n new-2nd-factor -For ex. change /boot/grub2/grub.cfg +Make sure to enable second factor in `/etc/ykfde.conf`. - initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img +### cpio archive with challenges -to - - initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img /ykfde-challenges.img +Every time you update a challenge and/or a second factor run: +> ykfde-cpio -with EFI /boot/efi/../grub.cfg +This will write a cpio archive `/boot/ykfde-challenges.img` containing +your current challenges. Enable systemd service `ykfde` to do this +automatically on every boot: - initrdefi /initramfs-3.17.7-300.fc21.x86_64.img +> systemctl enable ykfde.service -to +### `dracut` - initrdefi /initramfs-3.17.7-300.fc21.x86_64.img /ykfde-challenges.img +Build the initramfs: -### enable service +> dracut -f -Enable `systemd` service `ykfde-cpio.service`. it generate every boot a new challenge and updates the initram `ykfde-challenges.img` and the LUKS passphrase. +### boot loader -*Be carefully:* Do not enable if you haven't setup the bootloader with the ykfde-challenges.img. If you do, you have to rebuild with dracut manually every time the service is executed. +Update you `grub` configuration by running: +> grub2-mkconfig -o /boot/grub/grub.cfg +This will add new boot entry that loads the challenges. With other boot +loaders make sure to load the cpio archive `/boot/ykfde-challenges.img` +as additional initramfs. Reboot and have fun! diff --git a/README-mkinitcpio.md b/README-mkinitcpio.md index 7efa3f9..93f017b 100644 --- a/README-mkinitcpio.md +++ b/README-mkinitcpio.md @@ -44,6 +44,8 @@ adding a line to `/etc/crypttab.initramfs`. It should read like: > `mapping-name` /dev/`LUKS-device` - +Usually there is already an entry for your device. + Update `/etc/ykfde.conf` with correct settings. Add `mapping-name` from above to `device name` in the `general` section. Then add a new section with your key's decimal serial number containing the key slot setting. diff --git a/dracut/module-setup.sh b/dracut/module-setup.sh index d907ba7..4a06e84 100755 --- a/dracut/module-setup.sh +++ b/dracut/module-setup.sh @@ -10,12 +10,23 @@ depends() { } install() { + # install basic files to initramfs inst_rules "$moddir/20-ykfde.rules" inst_hook cmdline 30 "$moddir/parse-mod.sh" inst_simple "$moddir/ykfde.sh" /sbin/ykfde.sh inst_simple /usr/lib/udev/ykfde inst_simple /etc/ykfde.conf - inst_dir /etc/ykfde.d/* + + # this is required for second factor + if egrep -qi 'second factor = (yes|true|1)' /etc/ykfde.conf; then + inst_simple /usr/lib/systemd/system/cryptsetup-pre.target + inst_simple /usr/lib/systemd/system/ykfde-2f.service + ln_r $systemdsystemunitdir/ykfde-2f.service $systemdsystemunitdir/sysinit.target.wants/ykfde-2f.service + inst_simple /usr/lib/systemd/scripts/ykfde-2f + inst_simple /usr/bin/keyctl + inst_simple /usr/bin/systemd-ask-password + + fi dracut_need_initqueue } |