diff --git a/README.md b/README.md index bbb8176..251e3c2 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,13 @@ # initrd_luks_pkcs -### Acknowledgment +## Acknowledgment It has been tested on a debian laptop and a mobian pinephone. The smartcard generation come from inspired by https://github.com/swoopla/smartcard-luks . The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/DebianOnMobile-team/osk-sdl. -### The general steps: +## Single key setup + +### General steps: * Erase and initialize card * Create public/private key pair on smartcard * Create key file and add it to a LUKS key slot @@ -13,7 +15,7 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian * Modify initramfs to use smartcard to decrypt the encrypted keyfile * Modify decrypt_opensc script to swicth between smartcard and luks password and add osk-sdl support for touchscreen device -### The details: +### details: 1. Install smartcard middleware ```sudo apt-get install pcscd opensc``` 
@@ -62,14 +64,34 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian 9. Install the cryptsetup script and the initramfs-tool hook - ```sudo cp decrypt_pkcs /lib/cryptsetup/script/ ``` + ```sudo cp lib/cryptsetup/scripts/decrypt_pkcs /lib/cryptsetup/script/ ``` - ```sudo cp decrypt_pkcs_hook /etc/initramfs-tools/hooks && chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs_hook ``` + ```sudo cp etc/initramfs-tools/hooks/decrypt_pkcs /etc/initramfs-tools/hooks && sudo chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs ``` - ```sudo cp decrypt_pkcs_default /etc/default/decrypt_pkcs ``` + ```sudo cp etc/default/decrypt_pkcs /etc/default/ ``` ```sudo update-initramfs -u``` 10. Test smartcard (without USB Key) 11. Test LUKS Password (without Smartcard) + +## Multi keys setup + +The setup is quite the same except that you need to put all the key files in the expected format. +With the provided exemple config and script all keys must be stored in the `/etc/keys` folder with the following filename : `internal-${ENCODED_SERIAL}.enc` with `${ENCODED_SERIAL} the result of the following commands : + +``` +pkcs15-tool -c 2>/dev/null | awk '{ if ($1$2=="Encodedserial") {print $NF}}' +``` + +You need to modify the `/etc/default/decrypt_pkcs` and set `DECIPHER_MULTI` to `1` + +and copy the script in charge of selecting the right key file form initramfs : + + ```sudo mkdir -p /usr/share/decrypt_pkcs && sudo cp usr/share/decrypt_pkcs/pkcs15_get-key.sh /usr/share/decrypt_pkcs/ && sudo chmod +x /usr/share/decrypt_pkcs/pkcs15_get-key.sh ``` + +Every time a new key is added, the initrd mus be regenerated : + + ```sudo update-initramfs -u``` + diff --git a/decrypt_pkcs_default b/decrypt_pkcs_default deleted file mode 100644 index 1ed6559..0000000 --- a/decrypt_pkcs_default +++ /dev/null 
@@ -1,27 +0,0 @@
-# Decrypt_PKCS initramfs configuration
-
-# Smartcard presence test
-SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
-SMARTCARD_PRESENCE_ARGS='-n'
-
-# PKCS decipher command default to pkcs15-crypt
-#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
-DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
-
-# PKCS decipher extra library (usefull with pkcs11 or custom command)
-# The initramfs hook will search in the multiarch default library path
-# eg where the libc is stored and its subfolders.
-# Wildcard is allowed by using the find command
-DECIPHER_EXTRA_LIBS=
-
-# Define command parameters
-# DECIPHER_ARGS is followed by the data to decipher
-# DECIPHER_EXTRA_ARGS allow customization
-# DECIPHER_ASKPIN is followed by the PIN input from user
-# Default value for pkcs15-crypt
-#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
-#DECIPHER_EXTRA_ARGS=
-#DECIPHER_ASK_PIN='--pin'
-DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
-DECIPHER_EXTRA_ARGS=
-DECIPHER_ASK_PIN='--pin'
diff --git a/etc/default/decrypt_pkcs b/etc/default/decrypt_pkcs
new file mode 100644
index 0000000..fb9073b
--- /dev/null
+++ b/etc/default/decrypt_pkcs
@@ -0,0 +1,46 @@
+# Decrypt_PKCS initramfs configuration
+
+# Smartcard presence test
+#SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
+#SMARTCARD_PRESENCE_ARGS='-n'
+SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
+SMARTCARD_PRESENCE_ARGS='-n'
+
+# PKCS decipher command default to pkcs15-crypt
+#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
+DECIPHER_COMMAND=
+
+# PKCS decipher extra library (usefull with pkcs11 or custom command)
+# The initramfs hook will search in the multiarch default library path
+# eg where the libc is stored and its subfolders.
+# Wildcard is allowed by using the find command
+DECIPHER_EXTRA_LIBS=
+
+# Define command parameters
+# DECIPHER_ARGS is followed by the data to decipher
+# DECIPHER_EXTRA_ARGS allow customization
+# DECIPHER_ASKPIN is followed by the PIN input from user
+# Default value for pkcs15-crypt
+#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
+#DECIPHER_ASK_PIN='--pin'
+DECIPHER_ARGS=
+DECIPHER_ASK_PIN=
+
+# Support multiple key files
+# Default behaviour use the key file provided by crypttab
+#DECIPHER_MULTI=0
+#DECIPHER_MULTI_FOLDER=
+#DECIPHER_MULTI_PATTERN=
+#DECIPHER_MULTI_SCRIPT=
+#DECIPHER_MULTI_SCRIPT_DEPENDS=
+DECIPHER_MULTI=0
+# The keys are in /etc/keys/internal-"$EncodedSerial".enc
+# The key file extension .enc is hardcoded
+DECIPHER_MULTI_FOLDER="/etc/keys"
+DECIPHER_MULTI_PATTERN="internal-"
+# This script should return the approriate encrypted file for the current token
+# It can export the $DECIPHER_EXTRA_ARGS to pass arguments to the decipher command
+# such as slot specification, id filter ...
+DECIPHER_MULTI_SCRIPT="/usr/share/decrypt_pkcs/pkcs15_get-key.sh"
+# Script dependancies included in the initramfs
+DECIPHER_MULTI_SCRIPT_DEPENDS="/usr/bin/pkcs15-tool"
diff --git a/decrypt_pkcs_hook b/etc/initramfs-tools/hooks/decrypt_pkcs
similarity index 78%
rename from decrypt_pkcs_hook
rename to etc/initramfs-tools/hooks/decrypt_pkcs
index 3d61613..6c62844 100755
--- a/decrypt_pkcs_hook
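Review bot: Nothing in the new config file says that it is executed rather than parsed: the selection script sources it with `. /etc/default/decrypt_pkcs` and the hook copies it into the initrd, so any assignment or command placed in it runs as root at boot. A header comment should make that trust explicit, e.g. `# This file is sourced as shell by the initramfs hook and the cryptsetup keyscript; keep it root-owned and not writable by group/others.` The DECIPHER_MULTI_FOLDER block would also benefit from a note that every file matching `internal-*` under `/etc/keys` is copied into the initramfs by the hook, which normally lives on an unencrypted /boot, so only card-encrypted `.enc` material belongs there. The `approriate` and `dependancies` typos in the comments can be fixed in the same pass.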
+++ b/etc/initramfs-tools/hooks/decrypt_pkcs @@ -30,6 +30,8 @@ fi DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt} SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool} +DECIPHER_MULTI=${DECIPHER_MULTI:-0} + # Hooks for loading smartcard reading software into the initramfs copy_keys() { crypttab_parse_options @@ -46,9 +48,11 @@ copy_keys() { RV=0 #copy default key crypttab_foreach_entry copy_keys -#copy all users keys -#mkdir -p "$DESTDIR/etc/keys" -#cp /etc/keys/pass*.enc "$DESTDIR/etc/keys/" +if [ $DECIPHER_MULTI = 1 ] ; then + #copy all keys + mkdir -p "$DESTDIR/${DECIPHER_MULTI_FOLDER}" + cp -t "$DESTDIR/${DECIPHER_MULTI_FOLDER}" "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}"* +fi # Install directories needed by smartcard reading daemon, command, and # key-script @@ -72,4 +76,15 @@ copy_exec $DECIPHER_COMMAND cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs +# If Multi +if [ $DECIPHER_MULTI = 1 ] ; then + mkdir -p $DESTDIR/$(dirname "${DECIPHER_MULTI_SCRIPT}") + cp -t $DESTDIR/$(dirname "${DECIPHER_MULTI_SCRIPT}") "${DECIPHER_MULTI_SCRIPT}" + chmod +x $DESTDIR/"${DECIPHER_MULTI_SCRIPT}" + for bin in $DECIPHER_MULTI_SCRIPT_DEPENDS ; do + copy_exec $bin + done +fi + + exit $RV diff --git a/decrypt_pkcs b/lib/cryptsetup/scripts/decrypt_pkcs similarity index 85% rename from decrypt_pkcs rename to lib/cryptsetup/scripts/decrypt_pkcs index ab46e7c..f934722 100755 --- a/decrypt_pkcs +++ b/lib/cryptsetup/scripts/decrypt_pkcs @@ -16,6 +16,7 @@ SMARTCARD_PRESENCE_ARGS=${SMARTCARD_PRESENCE_ARGS:-'-n'} DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt} DECIPHER_ARGS=${DECIPHER_ARGS:-'--decipher --pkcs1 --raw --input'} DECIPHER_ASK_PIN=${DECIPHER_ASK_PIN:-'--pin'} +DECIPHER_MULTI=${DECIPHER_MULTI:-0} check_plymouth() { plymouth=0 
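Review bot: The copy in the `DECIPHER_MULTI` branch globs `"${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}"*`, which pulls every file with that prefix into the initramfs — including a plaintext key that was left next to its `.enc` counterpart during key generation, if one exists — and the initrd typically sits on unencrypted /boot. Restrict the glob to the extension the selection script appends and make a failed copy fail the hook instead of leaving `RV` at 0: `cp -t "$DESTDIR/${DECIPHER_MULTI_FOLDER}" "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}"*.enc || RV=1`. The test should also quote its operand, `if [ "$DECIPHER_MULTI" = 1 ] ; then`, so an odd value from the config is a clean false rather than a `[` syntax error.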
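Review bot: The multi-key install block never checks that `${DECIPHER_MULTI_SCRIPT}` exists, and neither the `cp` nor the `chmod` failure reaches `RV`, so a mistyped path produces an initrd that boots without the selection script and only fails at the cryptsetup prompt. Guard it up front, `[ -x "${DECIPHER_MULTI_SCRIPT}" ] || { echo "decrypt_pkcs: ${DECIPHER_MULTI_SCRIPT} not found" >&2; exit 1; }`, and quote the `$DESTDIR/$(dirname ...)` expansions, which are unquoted in both the `mkdir` and `cp` lines. The selection script in `usr/share/decrypt_pkcs/pkcs15_get-key.sh` also depends on `awk`, which is not listed in `DECIPHER_MULTI_SCRIPT_DEPENDS`; the initramfs busybox usually provides it, but a `BUSYBOX=n` configuration would presumably lack it.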
@@ -40,6 +41,16 @@ check_card() { fi } +check_key() { + if [ $DECIPHER_MULTI = 1 ] ; then + temp=$($DECIPHER_MULTI_SCRIPT) + KEY=$(echo $temp | awk '{print $1}') + DECIPHER_EXTRA_ARGS=$(echo $temp | awk '{$1=""; print}') + else + KEY=$1 + fi +} + log_message() { if [ $plymouth = 1 ] ; then plymouth display-message --text="$@" 2>/dev/null @@ -105,27 +116,28 @@ if [ -b "/dev/mapper/${CRYPTTAB_NAME}" ] ; then fi wait_card +check_key if [ $plymouth = 1 ] ; then if [ $osk_sdl = 1 ] ; then # Get pin number from osk_sdl plymouth hide-splash 2>/dev/null - ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \ + ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \ $DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)" plymouth show-splash 2>/dev/null else # Get pin number from plymouth - ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \ - $DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")" + ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \ + $DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME ($KEY): ")" fi else if [ $osk_sdl = 1 ] ; then # Get pin number from osk_sdl - ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \ + ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \ $DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)" else # Get pin number from console - ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS /dev/console + ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS /dev/console fi fi diff --git a/usr/share/decrypt_pkcs/pkcs15_get-key.sh b/usr/share/decrypt_pkcs/pkcs15_get-key.sh new file mode 100755 index 0000000..4810339 --- /dev/null +++ b/usr/share/decrypt_pkcs/pkcs15_get-key.sh 
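Review bot: In the multi-key branch `check_key` discards the exit status of `$DECIPHER_MULTI_SCRIPT`, so when no `.enc` matches the inserted card `temp` is empty and `KEY` becomes the empty string, which the caller then passes verbatim as the `--input` value. Detect this before returning, e.g. `[ -n "$KEY" ] || log_message "decrypt_pkcs: no key file for this token"`, using the `log_message` helper defined directly below. `echo $temp` and `[ $DECIPHER_MULTI = 1 ]` should also be quoted; the awk field split is what isolates the key path, so `echo "$temp"` keeps the same result while preventing glob expansion of the script output.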
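Review bot: `check_key` is invoked with no arguments after `wait_card`, but its single-key branch assigns `KEY=$1`, and inside a shell function `$1` is the function's own first parameter, not the keyscript's; with the default `DECIPHER_MULTI=0` every `${DECIPHER_COMMAND} ... "$KEY"` line in this hunk therefore gets an empty `--input` argument. Call it as `check_key "$1"` (or have the function fall back to the keyscript's argument explicitly). The new plymouth prompt also prints `$KEY`; the `.enc` path is not secret, but it presumably adds little for the user and lengthens the prompt on small screens.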
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+. /etc/default/decrypt_pkcs
+
+
+pkcs15-tool -c 2>/dev/null \
+ | awk '{ if ($1=="ID")
+ {nline++ ; printf $NF" "}
+ else if ($1=="Encoded" && $2=="serial")
+ {print $NF}}' \
+ | while read id serial ; do
+ if [ -f "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}${serial}.enc" ] ; then
+ export key="${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}${serial}.enc"
+ export arg="-k ${id}"
+ echo ${key} ${arg}
+ exit 0
+ fi
+ done
+exit 1
+
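Review bot: `exit 0` inside the `while read` loop only leaves the subshell the pipeline runs it in, so after a key is found control falls through to the trailing `exit 1` and the script reports failure in every case; the path and `-k` id still reach stdout, which is why `check_key`, which ignores the status, happens to work. Wrapping the loop in a group that exits 1 only when the loop completes makes the pipeline status (and thus the script status) meaningful, and `read -r` plus quoting avoid backslash and glob surprises in the serial. The `export` statements do nothing useful in a subshell and the `nline` counter in the awk program is never read, so both can go; the parsing still assumes the last token of the `Encoded serial` line is the whole serial, which presumably holds for the `pkcs15-tool -c` output on the tested cards.
```shell
# … unchanged: shebang and sourcing of /etc/default/decrypt_pkcs …
pkcs15-tool -c 2>/dev/null \
  | awk '{ if ($1=="ID")
             {printf "%s ", $NF}
           else if ($1=="Encoded" && $2=="serial")
             {print $NF}}' \
  | {
      while read -r id serial ; do
        key="${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}${serial}.enc"
        if [ -f "${key}" ] ; then
          printf '%s -k %s\n' "${key}" "${id}"
          exit 0
        fi
      done
      # loop finished without a matching key file; this status becomes the script's
      exit 1
    }
```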