path: root/bin/ykfde
blob: 41601b1ce1cbfb8fa9495503fd3bf8d1855f2135 (plain) (blame)
#!/bin/sh

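#######################################
# Print the usage text.
# The "function" keyword is a bashism and is not valid under #!/bin/sh, so a
# plain POSIX definition is used; the text itself is unchanged.
# Globals:   $0 (read)
# Outputs:   usage text on stdout
# Returns:   0
#######################################
help() {
	cat <<EOF
usage: ${0} [OPTIONS]

where OPTIONS are:
 -1         use Yubico key slot 1
 -2         use Yubico key slot 2 (default)
 -h         show this help
EOF
}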

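#######################################
# Enrol a YubiKey challenge-response as a key of the LUKS device named in
# /etc/crypttab.initramfs: a fresh challenge is generated, the key's response
# to it is added with 'cryptsetup luksAddKey', and the challenge is stored in
# /etc/ykfde.d/challenge-<serial> for the initramfs hook.
#
# Order of operations matters for recoverability: the live challenge file is
# only replaced after the new key slot exists, so a failure in between leaves
# the existing slot and its challenge intact.
#######################################

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

#######################################
# Shred the response file (it is a LUKS key) and remove the work directory.
# Installed as EXIT trap once WORKDIR exists, so every exit path cleans up.
# Globals:   WORKDIR (read)
#######################################
cleanup() {
	if [ -f "${WORKDIR}/ykfde-response" ]; then
		shred --remove "${WORKDIR}/ykfde-response"
	fi
	# ':?' refuses to run 'rm -rf' on an empty path
	rm -rf -- "${WORKDIR:?}"
}

# Parse options first: '-h' must work without a key, a device or root.
SLOT="2"
while getopts "12h" opt; do
	case ${opt} in
		1)
			SLOT="1"
			;;
		2)
			SLOT="2"
			;;
		h)
			help
			exit 0
			;;
		*)
			# getopts has already reported the unknown option on stderr
			help >&2
			exit 1
			;;
	esac
done

# Everything below writes to /etc and to the LUKS header; fail with a clear
# message instead of a permission error half way through.
if [ "$(id -u)" -ne 0 ]; then
	die "This script must be run as root."
fi

# The device is the second column of the first non-comment, non-blank line.
# awk splits on any run of blanks, so tabs and repeated spaces both work.
DEVICE="$(awk '!/^[[:space:]]*#/ && NF { print $2; exit }' /etc/crypttab.initramfs 2>/dev/null)"
SERIAL="$(ykinfo -sq)"

# check we have all information
if [ -z "${DEVICE}" ]; then
	die "Failed to get device from /etc/crypttab.initramfs."
elif [ ! -b "${DEVICE}" ]; then
	die "Device '${DEVICE}' does not exist or is not a block device."
elif ! cryptsetup isLuks "${DEVICE}" 2>/dev/null; then
	die "Device '${DEVICE}' is not a LUKS device."
elif [ -z "${SERIAL}" ]; then
	die "Did not get a serial number from key. Did you insert one?"
fi

# Files created below (challenge, response) must not be readable by anyone
# but root, whatever umask the caller happens to have.
umask 077

# This directory should exist, but we create it in case it does not
if [ ! -d "/etc/ykfde.d/" ]; then
	install -d -m 0700 "/etc/ykfde.d/" || die "Cannot create /etc/ykfde.d/."
fi

# Create the work directory only now, so the help and error paths above do not
# leave one behind. Not named TMPDIR: that name is commonly exported, and
# assigning to an exported variable would change it for every child process.
WORKDIR="$(mktemp --directory --tmpdir=/tmp/ ".$(basename -- "${0}")-${$}-XXXXXX")" || die "Cannot create temporary directory."
trap cleanup EXIT

# Generate the challenge. Checking the assignment's status checks makepasswd
# itself (a pipeline into tr would only report tr's status). Command
# substitution drops the trailing newline, which is the stored format.
CHALLENGE="$(makepasswd --chars=64)" || die "makepasswd failed to generate a challenge."
if [ -z "${CHALLENGE}" ]; then
	die "makepasswd returned an empty challenge."
fi
printf '%s' "${CHALLENGE}" > "${WORKDIR}/challenge" || die "Cannot write challenge to ${WORKDIR}."

# Generate the response. Same reasoning: a failed ykchalresp must not yield an
# empty key file that is then handed to cryptsetup.
RESPONSE="$(ykchalresp -"${SLOT}" "${CHALLENGE}")" || die "ykchalresp failed; no key was added."
if [ -z "${RESPONSE}" ]; then
	die "ykchalresp returned an empty response; no key was added."
fi
printf '%s' "${RESPONSE}" > "${WORKDIR}/ykfde-response" || die "Cannot write response to ${WORKDIR}."

# add key to LUKS device (cryptsetup prompts for an existing passphrase itself)
cryptsetup luksAddKey "${DEVICE}" "${WORKDIR}/ykfde-response" || die "cryptsetup luksAddKey failed; the challenge file was left unchanged."

# Only now publish the challenge. /tmp and /etc are usually different
# filesystems, so copy with explicit permissions rather than rename.
if ! install -m 0600 "${WORKDIR}/challenge" "/etc/ykfde.d/challenge-${SERIAL}"; then
	die "Key was added to the LUKS header, but the challenge could not be saved to /etc/ykfde.d/challenge-${SERIAL}; the new key slot cannot be used and should be removed."
fi

# response is shredded and the work directory removed by the EXIT trap
printf '%s\n' "Please do not forget to remove old keys when changing challenge!"
printf '%s\n' "Now run 'mkinitcpio' to build a new initramfs!"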