From 28df7b4320088641e6cdc42a0a168c1e72866dda Mon Sep 17 00:00:00 2001
From: Benjamin Pereto
Date: Tue, 6 Jan 2015 20:02:23 +0100
Subject: updated README-dracut.md

---
 README-dracut.md | 62 +++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 55 insertions(+), 7 deletions(-)

diff --git a/README-dracut.md b/README-dracut.md
index bdbe718..9eb7664 100644
--- a/README-dracut.md
+++ b/README-dracut.md
@@ -9,12 +9,21 @@ Requirements To compile and use yubikey full disk encryption you need: -[...] +* libyubikey-devel +* ykpers-devel +* iniparser-devel +* libarchive-devel +* cryptsetup-devel +* python-markdown +* systemd-devel Build and install ----------------- -Building and installing is very easy. Just run: +Building and installing is very easy. Make sure you have a Softlink from markdown to markdown_py +> ln -s /bin/markdown_py /bin/markdown + +Just run: > make
@@ -28,10 +37,12 @@ Usage ----- Make sure systemd knows about your encrypted device by -adding a line to `/etc/crypttab.initramfs`. It should read like: +adding a line to `/etc/crypttab`. It should read like: > `mapping-name` /dev/`LUKS-device` - +Normally, there is already an entry for your device. + Update `/etc/ykfde.conf` with correct settings. Add `mapping-name` from above to `device name` in the `general` section. Then add a new section with your key's decimal serial number containing the key slot setting. 
@@ -56,10 +67,47 @@ This will store a challenge in `/etc/ykfde.d/` and add a new slot to your LUKS device. When `ykfde` asks for a password it requires a valid password from available slot. -[...] +Build the dracut: + +> dracut -f + +Now you have two choices. If you want, that the challenges are updated every boot, go on. else stop here. + +### change challenges on boot + +To change the challenges every boot it takes too long to generate whole new initramfs. So we load an additional initram with the bootloader. + +Build the cpio archive with the challenges: + +> ykfde-cpio + +Setup your bootloader with the the additional initram '/boot/ykfde-challenges.img' + +#### Setup GRUB2 + +For ex. change /boot/grub2/grub.cfg + + initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img + +to + + initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img /ykfde-challenges.img + + +with EFI /boot/efi/../grub.cfg + + initrdefi /initramfs-3.17.7-300.fc21.x86_64.img + +to + + initrdefi /initramfs-3.17.7-300.fc21.x86_64.img /ykfde-challenges.img + +### enable service + +Enable `systemd` service `ykfde-cpio.service`. it generate every boot a new challenge and updates the initram `ykfde-challenges.img` and the LUKS passphrase. + +*Be carefully:* Do not enable if you haven't setup the bootloader with the ykfde-challenges.img. If you do, you have to rebuild with dracut manually every time the service is executed. + -Additionally enable `systemd` service `ykfde-cpio.service` and make your -bootloader load the new `cpio` image `/boot/ykfde-challenges.img` (in -addition to your usual initramfs). Reboot and have fun!
-- 
cgit v1.2.3-70-g09d2

From c573cf05158b38c273727898d472280b7e858b51 Mon Sep 17 00:00:00 2001
From: Benjamin Pereto
Date: Tue, 6 Jan 2015 20:13:26 +0100
Subject: make challenges available in the main initramfs

---
 dracut/module-setup.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dracut/module-setup.sh b/dracut/module-setup.sh
index 86fcd32..d907ba7 100755
--- a/dracut/module-setup.sh
+++ b/dracut/module-setup.sh
@@ -15,6 +15,7 @@ install() {
 inst_simple "$moddir/ykfde.sh" /sbin/ykfde.sh
 inst_simple /usr/lib/udev/ykfde
 inst_simple /etc/ykfde.conf
+ inst_dir /etc/ykfde.d/*
 dracut_need_initqueue
 }
-- 
cgit v1.2.3-70-g09d2
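Review bot: `inst_dir /etc/ykfde.d/*` only creates directory entries in the initramfs, so if the challenges that ykfde stores under /etc/ykfde.d/ (as the README on this page says it does) are regular files they will not be copied and the commit subject is not achieved; `inst_multiple` or `inst` is the dracut helper that copies files. The unquoted glob is also expanded when dracut runs: with no matches it stays the literal string `/etc/ykfde.d/*`, and dotfiles are skipped. A safer pair of lines is `inst_dir /etc/ykfde.d` followed by `inst_multiple -o /etc/ykfde.d/*`, where `-o` makes missing sources non-fatal. Whatever is copied here is frozen at image-build time, whereas the README hunk above documents ykfde-cpio regenerating the challenges every boot into a separate cpio, so the README's own warning about rebuilding with dracut applies to this copy. install() opens above the hunk.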