summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--README-dracut.md62
-rwxr-xr-xdracut/module-setup.sh1
2 files changed, 56 insertions, 7 deletions
diff --git a/README-dracut.md b/README-dracut.md
index bdbe718..9eb7664 100644
--- a/README-dracut.md
+++ b/README-dracut.md
@@ -9,12 +9,21 @@ Requirements
To compile and use yubikey full disk encryption you need:
-[...]
+* libyubikey-devel
+* ykpers-devel
+* iniparser-devel
+* libarchive-devel
+* cryptsetup-devel
+* python-markdown
+* systemd-devel
Build and install
-----------------
-Building and installing is very easy. Just run:
+Building and installing is very easy. Make sure you have a Softlink from markdown to markdown_py
+> ln -s /bin/markdown_py /bin/markdown
+
+Just run:
> make
@@ -28,10 +37,12 @@ Usage
-----
Make sure systemd knows about your encrypted device by
-adding a line to `/etc/crypttab.initramfs`. It should read like:
+adding a line to `/etc/crypttab`. It should read like:
> `mapping-name` /dev/`LUKS-device` -
+Normally, there is already an entry for your device.
+
Update `/etc/ykfde.conf` with correct settings. Add `mapping-name` from
above to `device name` in the `general` section. Then add a new section
with your key's decimal serial number containing the key slot setting.
@@ -56,10 +67,47 @@ This will store a challenge in `/etc/ykfde.d/` and add a new slot to
your LUKS device. When `ykfde` asks for a password it requires a valid
password from available slot.
-[...]
+Build the dracut:
+
+> dracut -f
+
+Now you have two choices. If you want, that the challenges are updated every boot, go on. else stop here.
+
+### change challenges on boot
+
+To change the challenges every boot it takes too long to generate whole new initramfs. So we load an additional initram with the bootloader.
+
+Build the cpio archive with the challenges:
+
+> ykfde-cpio
+
+Setup your bootloader with the the additional initram '/boot/ykfde-challenges.img'
+
+#### Setup GRUB2
+
+For ex. change /boot/grub2/grub.cfg
+
+ initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img
+
+to
+
+ initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img /ykfde-challenges.img
+
+
+with EFI /boot/efi/../grub.cfg
+
+ initrdefi /initramfs-3.17.7-300.fc21.x86_64.img
+
+to
+
+ initrdefi /initramfs-3.17.7-300.fc21.x86_64.img /ykfde-challenges.img
+
+### enable service
+
+Enable `systemd` service `ykfde-cpio.service`. it generate every boot a new challenge and updates the initram `ykfde-challenges.img` and the LUKS passphrase.
+
+*Be carefully:* Do not enable if you haven't setup the bootloader with the ykfde-challenges.img. If you do, you have to rebuild with dracut manually every time the service is executed.
+
-Additionally enable `systemd` service `ykfde-cpio.service` and make your
-bootloader load the new `cpio` image `/boot/ykfde-challenges.img` (in
-addition to your usual initramfs).
Reboot and have fun!
diff --git a/dracut/module-setup.sh b/dracut/module-setup.sh
index 86fcd32..d907ba7 100755
--- a/dracut/module-setup.sh
+++ b/dracut/module-setup.sh
@@ -15,6 +15,7 @@ install() {
inst_simple "$moddir/ykfde.sh" /sbin/ykfde.sh
inst_simple /usr/lib/udev/ykfde
inst_simple /etc/ykfde.conf
+ inst_dir /etc/ykfde.d/*
dracut_need_initqueue
}