From e6ec09692be2a80747164fbca9036cf699ab2d85 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 20 Jan 2016 21:37:30 +0100 Subject: update the dracut stuff Not tested, though... --- README-dracut.md | 59 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 30 insertions(+), 29 deletions(-) (limited to 'README-dracut.md') diff --git a/README-dracut.md b/README-dracut.md index 9573980..d84f4b9 100644 --- a/README-dracut.md +++ b/README-dracut.md @@ -16,6 +16,7 @@ To compile and use yubikey full disk encryption you need: * cryptsetup-devel * python-markdown * systemd-devel +* keyutils-libs-devel Build and install ----------------- @@ -38,17 +39,19 @@ This will place files to their desired places in filesystem. Usage ----- +### config files `/etc/crypttab` and `/etc/ykfde.conf` + Make sure systemd knows about your encrypted device by adding a line to `/etc/crypttab`. It should read like: > `mapping-name` /dev/`LUKS-device` - -Normally, there is already an entry for your device. +Usually there is already an entry for your device. Update `/etc/ykfde.conf` with correct settings. Add `mapping-name` from above to `device name` in the `general` section. Then add a new section with your key's decimal serial number containing the key slot setting. -The file should look like this: +The minimal file should look like this: [general] device name = crypt @@ -59,7 +62,10 @@ The file should look like this: *Be warned*: Do not remove or overwrite your interactive key! Keep that for backup and rescue! -`ykfde` will read its information from these files. Then prepare +### key setup + +`ykfde` will read its information from these files and understands some +additional options. Run `ykfde --help` for details. Then prepare the key. Plug it in, make sure it is configured for `HMAC-SHA1`. After that run: 
@@ -69,47 +75,42 @@ This will store a challenge in `/etc/ykfde.d/` and add a new slot to your LUKS device. When `ykfde` asks for a password it requires a valid password from available slot. -Build the dracut: - -> dracut -f - -Now you have two choices. If you want, that the challenges are updated every boot, go on. else stop here. - -### change challenges on boot +Adding a key with second factor is as easy: -To change the challenges every boot it takes too long to generate whole new initramfs. So we load an additional initram with the bootloader. +> ykfde -s 2nd-factor -Build the cpio archive with the challenges: +And updating key and second factor is straight forward: -> ykfde-cpio - -Setup your bootloader with the the additional initram '/boot/ykfde-challenges.img' - -#### Setup GRUB2 +> ykfde -s old-2nd-factor -n new-2nd-factor -For ex. change /boot/grub2/grub.cfg +Make sure to enable second factor in `/etc/ykfde.conf`. - initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img +### cpio archive with challenges -to - - initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img /ykfde-challenges.img +Every time you update a challenge and/or a second factor run: +> ykfde-cpio -with EFI /boot/efi/../grub.cfg +This will write a cpio archive `/boot/ykfde-challenges.img` containing +your current challenges. Enable systemd service `ykfde` to do this +automatically on every boot: - initrdefi /initramfs-3.17.7-300.fc21.x86_64.img +> systemctl enable ykfde.service -to +### `dracut` - initrdefi /initramfs-3.17.7-300.fc21.x86_64.img /ykfde-challenges.img +Build the initramfs: -### enable service +> dracut -f -Enable `systemd` service `ykfde-cpio.service`. it generate every boot a new challenge and updates the initram `ykfde-challenges.img` and the LUKS passphrase. +### boot loader -*Be carefully:* Do not enable if you haven't setup the bootloader with the ykfde-challenges.img. If you do, you have to rebuild with dracut manually every time the service is executed. 
+Update you `grub` configuration by running: +> grub2-mkconfig -o /boot/grub/grub.cfg +This will add new boot entry that loads the challenges. With other boot +loaders make sure to load the cpio archive `/boot/ykfde-challenges.img` +as additional initramfs. Reboot and have fun!
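Review bot: the last hunk (`@@ -69,47 +75,42 @@`) drops the old warning that the boot loader must load `ykfde-challenges.img` before the challenge-rotating service is enabled, but the risk it described still exists in the new flow: `systemctl enable ykfde.service` rewrites the archive on every boot, and if the boot loader does not pick up the new archive the rotated challenge never reaches the initramfs, so the YubiKey slot stops working at the next boot and only the interactive passphrase (which the text above says to keep for rescue) remains. Keep a one-line caveat under "### cpio archive with challenges" or "### boot loader". Smaller points in the same hunk: the unit is renamed from `ykfde-cpio.service` (removed lines) to `ykfde.service` (added lines); since the commit message says this is untested, confirm the name matches the unit that is actually installed. `grub2-mkconfig -o /boot/grub/grub.cfg` mixes the Fedora/EL tool name with a Debian-style path; the removed lines used `/boot/grub2/grub.cfg` and the EFI location, so either restore those paths or state that the path is distribution-specific. "This will add new boot entry that loads the challenges" should say what generates that entry (for example the `/etc/grub.d` snippet shipped with the package, if that is the mechanism) so users can check it is present. "Make sure to enable second factor in `/etc/ykfde.conf`" should name the option and its section, because the minimal file shown earlier does not contain it. The `ykfde -s 2nd-factor` and `-s old-2nd-factor -n new-2nd-factor` examples put the second factor on the command line, where it ends up in shell history and `ps` output; if `ykfde` can prompt for it interactively, document that form instead. Typos: "is as easy" should be "is just as easy", "straight forward" should be "straightforward", "Update you `grub`" should be "Update your `grub`", and "add new boot entry" should be "add a new boot entry".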