Skip to main content

A non-intrusive way of storing LUKS keys on PKCS #15 smart cards

By

If you ever wanted to store your LUKS key on a smart card and started to search the internet for solutions, you'd be disappointed. The best guide I managed to find is https://wiki.ubuntu.com/SmartCardLUKSDiskEncryption which wants you to change your transport AUT1 key and uses a whole bunch of various scripts. It's written for usplash as well which isn't really used anymore.

I was amazed of the state of things and after a bit of tinkering I got everything running as a standard PKCS#15 data object and with only two scripts needed. Oh, and it has support for the awesome plymouthd.

You'll need:

  • An initialized (PINs etc.) PKCS#15 capable smart card
  • A reader supported by OpenSC
  • opensc, pcscd

This is written and tested on Debian 7.0 wheezy but should easily work with most other distros. Written from memory, leave me a comment if I forgot to mention something.

Create the key (use a true random source if you're paranoid):

Edit your /etc/crypttab from: to:

Add the key to your LUKS device:

This is /etc/initramfs-tools/hooks/pkcs15: And this /usr/local/sbin/luks-pkcs15.sh: Don't forget to make these files executable.

Update (having a backup of it is a good idea) your initramfs and reboot:

Done!

Worth noting is that I'm using an Aventra MyEID 80k which I needed to patch the myeid.profile in order to create privdata with pkcs15-tool.

Comments

Post a Comment

Popular posts from this blog

Buying an IBM Mainframe

By
I bought an IBM mainframe for personal use. I am doing this for learning and figuring out how it works. If you are curious about what goes into this process, I hope this post will interest you. I am not the first one by far to do something like this. There are some people on the internet that I know have their own personal mainframes, and I have drawn inspiration from each and every one of them. You should follow them if you are interested in these things: @connorkrukosky @sebastian_wind @faultywarrior @kevinbowling1 This post is about buying an IBM z114 mainframe (picture 1) but should translate well to any of the IBM mainframes from z9 to z14. Picture 1: An IBM z114 mainframe in all its glory Source: IBM What to expect of the process Buying a mainframe takes time. I never spent so much time on a purchase before. In fact - I purchased my first apartment with probably less planning and research. Compared to buying an apartment you have no guard rails. You are ...
14 comments
Read more

System z on contemporary zLinux

By
IBM System z supports a handful of operating systems; z/VM, z/VSE, z/OS, z/TPF, and finally zLinux. All the earlier mentioned OSes are proprietary except for zLinux which is simply Linux with a fancy z in the name. zLinux is the term used to describe a Linux distribution compiled for S390 (31 bit) or S390X (64 bit). As we are talking about modern mainframes I will not be discussing S390, only S390X. There is a comfortable amount of distributions that support S390X - more or less all of the popular distributions do. In this  list  we find distributions like Debian, Ubuntu, Gentoo, Fedora, and RHEL. Noticeably Arch is missing but then again they only have an official port for x86-64. This is great - this means that we could download the latest Ubuntu, boot the DVD, and be up and running in no time, right? Well, sadly no. The devil is, as always, in the details. When compiling high level code like C/C++/Go the compiler needs to select an instruction set to use for the compi...
Post a Comment
Read more

Brocade Fabric OS downloads

By
Fabric OS is what runs on the SAN switches I will be using for the mainframe. It has a bit of annoying upgrade path as the guldmyr blog can attest to. TL;DR is that you need to do minor upgrades (6.3 -> 6.4 -> 7.0 -> ... > 7.4) which requires you to get all  Fabric OS images for those versions. Not always easy. So, let's make it a bit easier. Hopefully this will not end up with the links being taken down, but at least it helped somebody I hope. These downloads worked for me and are hash-verified when I could find a hash to verify against. Use at your own risk etc. The URLs are: ftp://ftp.hp.com/pub/softlib/software13/COL59674/co-168954-1/v7.3.2a.zip ftp://ftp.hp.com/pub/softlib/software13/COL59674/co-157071-1/v7.2.1g.zip ftp://ftp.hp.com/pub/softlib/software13/COL59674/co-150357-1/v7.1.2b.zip ftp://ftp.hp.com/pub/softlib/software12/COL38684/co-133135-1/v7.0.2e.zip ftp://ftp.hp.com/pub/softlib/software13/COL22074/co-155018-1/v6.4.3h.zip ftp://ftp.hp.c...
2 comments
Read more