You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Alex 0dd99ce5d6 [fix] Message on passphrase fallback with osk-sdl 1 year ago
etc [feat] Add multi keys support 2 years ago
lib/cryptsetup/scripts [fix] Message on passphrase fallback with osk-sdl 1 year ago
usr/share/decrypt_pkcs [feat] Add multi keys support 2 years ago
LICENSE Initial release 2 years ago Update '' 2 years ago



It has been tested on a debian laptop and a mobian pinephone. The smartcard generation come from inspired by . The OSK-SDL parts are inspired by Mobian package

Single key setup

General steps:

  • Erase and initialize card
  • Create public/private key pair on smartcard
  • Create key file and add it to a LUKS key slot
  • Encrypt key file using public key from smartcard
  • Modify initramfs to use smartcard to decrypt the encrypted keyfile
  • Modify decrypt_opensc script to swicth between smartcard and luks password and add osk-sdl support for touchscreen device


  1. Install smartcard middleware

    sudo apt-get install pcscd opensc

  2. Erase smartcard

    pkcs15-init -E

  3. Initialize smartcard

    pkcs15-init --create-pkcs15 -p pkcs15+onepin --pin 1234 --puk 4321

  4. Create public/private key pair on smartcard

    pkcs15-init -G rsa/2048 -i 01 -a 01 -u decrypt --pin 1234

  5. Create a random key file and add it to a LUKS key slot

    sudo touch /root/rootkey

    sudo chmod 600 /root/rootkey

    sudo dd if=/dev/random of=/root/rootkey bs=1 count=245 #change to urandom if you can't wait

    sudo cryptsetup luksAddKey /dev/sda2 /root/rootkey

  6. Export the public key from smartcard

    pkcs15-tool --read-public-key 01 -o public_key_rsa2048.pem

  7. Encrypt key file using public key

    sudo openssl rsautl -encrypt -pubin -inkey public_key_rsa2048.pem -in /root/rootkey -out /root/rootkey.enc

    sudo rm /root/rootkey

  8. Edit crypttab. This change sends the encrypted key file as a param to the keyscript

    This should be of the form:

    mapped_device_name source_block_device key_file luks,keyscript=decrypt_pkcs

    For example:

    sda2_crypt UUID=d332ecc5-ce8b-4900-a04a-a79abd029d6d /root/rootkey.enc luks,keyscript=decrypt_pkcs

  9. Install the cryptsetup script and the initramfs-tool hook

    sudo cp lib/cryptsetup/scripts/decrypt_pkcs /lib/cryptsetup/scripts/

    sudo cp etc/initramfs-tools/hooks/decrypt_pkcs /etc/initramfs-tools/hooks && sudo chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs

    sudo cp etc/default/decrypt_pkcs /etc/default/

    On the Pinephone ensure the anx7688 is loaded in initram :

    echo "anx7688" | sudo tee -a /etc/initramfs-tools/modules

    sudo update-initramfs -u

  10. Test smartcard

  11. Test LUKS Password (without Smartcard)

Multi keys setup

The setup is quite the same except that you need to put all the key files in the expected format. With the provided exemple config and script all keys must be stored in the /etc/keys folder with the following filename : internal-${ENCODED_SERIAL}.enc with `${ENCODED_SERIAL} the result of the following commands :

pkcs15-tool -c 2>/dev/null  | awk '{ if ($1$2=="Encodedserial") {print $NF}}'

You need to modify the /etc/default/decrypt_pkcs and set DECIPHER_MULTI to 1

and copy the script in charge of selecting the right key file form initramfs :

sudo mkdir -p /usr/share/decrypt_pkcs && sudo cp usr/share/decrypt_pkcs/ /usr/share/decrypt_pkcs/ && sudo chmod +x /usr/share/decrypt_pkcs/ 

Every time a new key is added, the initrd mus be regenerated :

sudo update-initramfs -u