 README-dracut.md       | 59
 README-mkinitcpio.md   |  2
 dracut/module-setup.sh | 13
 3 files changed, 44 insertions, 30 deletions
diff --git a/README-dracut.md b/README-dracut.md
index 9573980..d84f4b9 100644
--- a/README-dracut.md
+++ b/README-dracut.md
@@ -16,6 +16,7 @@ To compile and use yubikey full disk encryption you need:
* cryptsetup-devel
* python-markdown
* systemd-devel
+* keyutils-libs-devel
Build and install
-----------------
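Review bot: the new build dependency `keyutils-libs-devel` is added only to README-dracut.md, although the `keyctl` binary it provides is installed by dracut/module-setup.sh for the second-factor path and README-mkinitcpio.md is touched by the same patch without a matching entry. Either add the equivalent dependency to the mkinitcpio README or state that the second-factor setup is dracut-only.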
@@ -38,17 +39,19 @@ This will place files to their desired places in filesystem.
Usage
-----
+### config files `/etc/crypttab` and `/etc/ykfde.conf`
+
Make sure systemd knows about your encrypted device by
adding a line to `/etc/crypttab`. It should read like:
> `mapping-name` /dev/`LUKS-device` -
-Normally, there is already an entry for your device.
+Usually there is already an entry for your device.
Update `/etc/ykfde.conf` with correct settings. Add `mapping-name` from
above to `device name` in the `general` section. Then add a new section
with your key's decimal serial number containing the key slot setting.
-The file should look like this:
+The minimal file should look like this:
[general]
device name = crypt
@@ -59,7 +62,10 @@ The file should look like this:
*Be warned*: Do not remove or overwrite your interactive key! Keep that
for backup and rescue!
-`ykfde` will read its information from these files. Then prepare
+### key setup
+
+`ykfde` will read its information from these files and understands some
+additional options. Run `ykfde --help` for details. Then prepare
the key. Plug it in, make sure it is configured for `HMAC-SHA1`.
After that run:
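Review bot: tense mismatch in the rewritten sentence, "`ykfde` will read its information from these files and understands some additional options"; make it "`ykfde` reads its information from these files and understands some additional options." Also "make sure it is configured for `HMAC-SHA1`" leaves out which slot of the key has to carry the HMAC-SHA1 configuration; a reader following the key setup section for the first time needs that.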
@@ -69,47 +75,42 @@ This will store a challenge in `/etc/ykfde.d/` and add a new slot to
your LUKS device. When `ykfde` asks for a password it requires a valid
password from available slot.
-Build the dracut:
-
-> dracut -f
-
-Now you have two choices. If you want, that the challenges are updated every boot, go on. else stop here.
-
-### change challenges on boot
+Adding a key with second factor is as easy:
-To change the challenges every boot it takes too long to generate whole new initramfs. So we load an additional initram with the bootloader.
+> ykfde -s 2nd-factor
-Build the cpio archive with the challenges:
+And updating key and second factor is straight forward:
-> ykfde-cpio
-
-Setup your bootloader with the the additional initram '/boot/ykfde-challenges.img'
-
-#### Setup GRUB2
+> ykfde -s old-2nd-factor -n new-2nd-factor
-For ex. change /boot/grub2/grub.cfg
+Make sure to enable second factor in `/etc/ykfde.conf`.
- initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img
+### cpio archive with challenges
-to
-
- initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img /ykfde-challenges.img
+Every time you update a challenge and/or a second factor run:
+> ykfde-cpio
-with EFI /boot/efi/../grub.cfg
+This will write a cpio archive `/boot/ykfde-challenges.img` containing
+your current challenges. Enable systemd service `ykfde` to do this
+automatically on every boot:
- initrdefi /initramfs-3.17.7-300.fc21.x86_64.img
+> systemctl enable ykfde.service
-to
+### `dracut`
- initrdefi /initramfs-3.17.7-300.fc21.x86_64.img /ykfde-challenges.img
+Build the initramfs:
-### enable service
+> dracut -f
-Enable `systemd` service `ykfde-cpio.service`. it generate every boot a new challenge and updates the initram `ykfde-challenges.img` and the LUKS passphrase.
+### boot loader
-*Be carefully:* Do not enable if you haven't setup the bootloader with the ykfde-challenges.img. If you do, you have to rebuild with dracut manually every time the service is executed.
+Update you `grub` configuration by running:
+> grub2-mkconfig -o /boot/grub/grub.cfg
+This will add new boot entry that loads the challenges. With other boot
+loaders make sure to load the cpio archive `/boot/ykfde-challenges.img`
+as additional initramfs.
Reboot and have fun!
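Review bot: the removed warning "Do not enable if you haven't setup the bootloader with the ykfde-challenges.img" is dropped without replacement, yet the new text tells the user to `systemctl enable ykfde.service` before the boot loader section. If the service rewrites the challenges and the LUKS slot on every boot while the loader does not yet pass `/boot/ykfde-challenges.img` as an additional initramfs, the initramfs carries a stale challenge and the device cannot be unlocked with the key; keep a warning after the enable step, e.g. "Enable the service only after your boot loader loads `/boot/ykfde-challenges.img`." The service name also changes from `ykfde-cpio.service` to `ykfde.service`, but the diffstat shows no unit file in this commit; confirm the unit really has that name. The `grub2-mkconfig -o /boot/grub/grub.cfg` line replaces examples that used `/boot/grub2/grub.cfg` and an EFI `grub.cfg`; on systems that ship `grub2-mkconfig` the output path is usually `/boot/grub2/grub.cfg`, so correct the path or show both variants. Minor wording: "Update you `grub` configuration" should be "your", "is as easy:" should be "is as easy as:", "straight forward" should be "straightforward", and "will add new boot entry" should be "will add a new boot entry".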
diff --git a/README-mkinitcpio.md b/README-mkinitcpio.md
index 7efa3f9..93f017b 100644
--- a/README-mkinitcpio.md
+++ b/README-mkinitcpio.md
@@ -44,6 +44,8 @@ adding a line to `/etc/crypttab.initramfs`. It should read like:
> `mapping-name` /dev/`LUKS-device` -
+Usually there is already an entry for your device.
+
Update `/etc/ykfde.conf` with correct settings. Add `mapping-name` from
above to `device name` in the `general` section. Then add a new section
with your key's decimal serial number containing the key slot setting.
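Review bot: README-mkinitcpio.md only gains the "Usually there is already an entry for your device." sentence, while README-dracut.md gets the new key setup, second factor and cpio archive sections in the same patch. If the `ykfde -s` / `ykfde-cpio` workflow applies to mkinitcpio as well, mirror those sections here; if it does not, say so, otherwise the two READMEs describe different tools.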
diff --git a/dracut/module-setup.sh b/dracut/module-setup.sh
index d907ba7..4a06e84 100755
--- a/dracut/module-setup.sh
+++ b/dracut/module-setup.sh
@@ -10,12 +10,23 @@ depends() {
}
install() {
+ # install basic files to initramfs
inst_rules "$moddir/20-ykfde.rules"
inst_hook cmdline 30 "$moddir/parse-mod.sh"
inst_simple "$moddir/ykfde.sh" /sbin/ykfde.sh
inst_simple /usr/lib/udev/ykfde
inst_simple /etc/ykfde.conf
- inst_dir /etc/ykfde.d/*
+
+ # this is required for second factor
+ if egrep -qi 'second factor = (yes|true|1)' /etc/ykfde.conf; then
+ inst_simple /usr/lib/systemd/system/cryptsetup-pre.target
+ inst_simple /usr/lib/systemd/system/ykfde-2f.service
+ ln_r $systemdsystemunitdir/ykfde-2f.service $systemdsystemunitdir/sysinit.target.wants/ykfde-2f.service
+ inst_simple /usr/lib/systemd/scripts/ykfde-2f
+ inst_simple /usr/bin/keyctl
+ inst_simple /usr/bin/systemd-ask-password
+
+ fi
dracut_need_initqueue
}
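Review bot: the `egrep -qi 'second factor = (yes|true|1)'` check is unanchored, so a commented-out line such as `# second factor = yes` in /etc/ykfde.conf enables the second-factor units, while `second factor=yes` without the surrounding spaces does not; anchor the match and allow whitespace, e.g. `grep -Eqi '^[[:space:]]*second factor[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' /etc/ykfde.conf` (`egrep` is deprecated in favour of `grep -E` anyway). Dropping `inst_dir /etc/ykfde.d/*` means the dracut image no longer carries any challenge and depends entirely on the cpio archive from `ykfde-cpio`; a one-line comment here saying so would save the next reader a trip to the README. The empty line before `fi` is a stray.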