summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--bin/ykfde91
-rw-r--r--hook/ykfde36
-rw-r--r--install/ykfde13
3 files changed, 140 insertions, 0 deletions
diff --git a/bin/ykfde b/bin/ykfde
new file mode 100644
index 0000000..56e75a7
--- /dev/null
+++ b/bin/ykfde
@@ -0,0 +1,91 @@
+#!/bin/sh
+
+function help() {
+ echo "usage: ${0} [OPTIONS]"
+ echo
+ echo "where OPTIONS are:"
+ echo " -1 use Yubico key slot 1"
+ echo " -2 use Yubico key slot 2"
+ echo " -d DEVICE add key to device DEVICE"
+ echo " -h show this help"
+ echo " -k keep challenge, just add a new slot"
+}
+
+DIR="/tmp/.ykfde-${$}/"
+PASS=""
+SLOT="1"
+KEEP="0"
+
+while getopts "12d:hk" opt; do
+ case ${opt} in
+ 1)
+ SLOT="1"
+ ;;
+ 2)
+ SLOT="2"
+ echo "Do not forget to add 'ykfde_slot=2' to your boot parameters!"
+ ;;
+ d)
+ DEVICE="${OPTARG}"
+ ;;
+ h)
+ help
+ exit 0
+ ;;
+ k)
+ KEEP="1"
+ ;;
+ esac
+done
+
+if [ -z "${DEVICE}" ]; then
+ echo "No device given." >&2
+ help
+ exit 1
+elif [ ! -b "${DEVICE}" ]; then
+ echo "Device '${DEVICE}' does not exist or is not a block device." >&2
+ exit 1
+elif ! cryptsetup isLuks "${DEVICE}" 2>/dev/null; then
+ echo "Device '${DEVICE}' does not exist." >&2
+ exit 1
+fi
+
+install -d -m0700 "${DIR}"
+echo "Please give extra password if you want to activate two factor"
+echo -n "authentication, just ENTER for none: "
+stty -echo
+read PASS
+stty echo
+echo
+
+if [ -n "${PASS}" ]; then
+ echo "Do not forget to add 'ykfde_twofactor=y' to your boot parameters!"
+fi
+
+# generate challenge
+if [ "${KEEP}" = "1" ] && [ -s "/etc/ykfde-challenge" ]; then
+ echo "User requested to keep challenge, not generating a new one."
+ ln -s "/etc/ykfde-challenge" "${DIR}/ykfde-challenge"
+else
+ makepasswd --chars=$((64-${#PASS})) | tr -d '\n' > "${DIR}/ykfde-challenge"
+fi
+
+# generate response and add key to LUKS device
+if ! ykchalresp -${SLOT} "${PASS}$(cat ${DIR}/ykfde-challenge)" > "${DIR}/ykfde-response"; then
+ # ykchalresp should have shouted, so do not complain here
+ exit 1
+fi
+if ! cryptsetup luksAddKey "${DEVICE}" "${DIR}/ykfde-response"; then
+ # cryptsetup should have shouted, ...
+ exit 1
+fi
+
+# shred response and install challenge
+shred --remove "${DIR}/ykfde-response"
+if [ "${KEEP}" != "1" ] && [ -s "${DIR}/ykfde-challenge" ] && [ ! -L "${DIR}/ykfde-challenge" ]; then
+ install -D -m 0400 "${DIR}/ykfde-challenge" "/etc/ykfde-challenge"
+fi
+rm -rf "${DIR}"
+
+echo "Please do not forget to remove old keys when changing challenge!"
+echo "Now run 'mkinitcpio' to build a new initramfs!"
diff --git a/hook/ykfde b/hook/ykfde
new file mode 100644
index 0000000..be75694
--- /dev/null
+++ b/hook/ykfde
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+run_hook() {
+ ykfde_slot="${ykfde_slot:-1}"
+ ykfde_count=0
+
+ if [ -s /ykfde-challenge ]; then
+ modprobe -a -q usbhid >/dev/null 2>&1
+
+ if [ "${ykfde_twofactor}" = "y" ]; then
+ echo -n "Please give two factor key for Yubikey: "
+ stty -echo
+ read TWOFACTOR
+ stty echo
+ echo
+ else
+ TWOFACTOR=""
+ fi
+
+ # Any chance to get this more efficient? Without polling and without long sleep times would be great.
+ while ! ykchalresp -${ykfde_slot} "${TWOFACTOR}$(cat /ykfde-challenge)" > /crypto_keyfile.bin 2>/dev/null; do
+ if [ $((ykfde_count++)) -gt 10 ]; then
+ msg ":: No Yubikey presend, fallback to interactive mode"
+ rm -f /ykfde-challenge
+ return 1
+ fi
+ sleep 0.3
+ done
+
+ msg ":: Created crypto keyfile using Yubikey, handing over to encrypt hook"
+ rm -f /ykfde-challenge
+ else
+ msg ":: No challenge found, falling back to interactive mode"
+ return 1
+ fi
+}
diff --git a/install/ykfde b/install/ykfde
new file mode 100644
index 0000000..bbf5bd2
--- /dev/null
+++ b/install/ykfde
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+build() {
+ add_runscript
+ add_binary ykchalresp
+ add_file /etc/ykfde-challenge /
+ add_module 'usbhid'
+}
+
+help() {
+ echo "This hook adds support for opening LUKS devices with Yubico key."
+ echo "Please use command 'ykfde' to prepare."
+}