# luks_pkcs

### Acknowledgment

It has been tested on a Debian laptop and a Mobian PinePhone. The smartcard generation is inspired by https://github.com/swoopla/smartcard-luks . The OSK-SDL parts are inspired by the Mobian package https://salsa.debian.org/DebianOnMobile-team/osk-sdl .

### The general steps:

* Erase and initialize card
* Create public/private key pair on smartcard
* Create key file and add it to a LUKS key slot
* Encrypt key file using public key from smartcard
* Modify initramfs to use smartcard to decrypt the encrypted keyfile
* Modify decrypt_opensc script to switch between smartcard and LUKS password and add osk-sdl support for touchscreen devices

### The details:

1. Install smartcard middleware

```
sudo apt-get install pcscd opensc
```

2. Erase smartcard

```
pkcs15-init -E
```

3. Initialize smartcard

```
pkcs15-init --create-pkcs15 -p pkcs15+onepin --pin 1234 --puk 4321
```

4. Create public/private key pair on smartcard

```
pkcs15-init -G rsa/2048 -i 01 -a 01 -u decrypt --pin 1234
```

5. Create a random key file and add it to a LUKS key slot

```
sudo touch /root/rootkey
sudo chmod 600 /root/rootkey
sudo dd if=/dev/random of=/root/rootkey bs=1 count=245   # change to urandom if you can't wait
sudo cryptsetup luksAddKey /dev/sda2 /root/rootkey
```

6. Export the public key from smartcard

```
pkcs15-tool --read-public-key 01 -o public_key_rsa2048.pem
```

7. Encrypt key file using public key

```
sudo openssl rsautl -encrypt -pubin -inkey public_key_rsa2048.pem -in /root/rootkey -out /root/rootkey.enc
sudo rm /root/rootkey
```

8. Edit crypttab. This change passes the encrypted key file as the key parameter to the keyscript. The entry should be of the form:

```
mapped_device_name source_block_device key_file luks,keyscript=decrypt_pkcs
```

For example:

```
sda2_crypt UUID=d332ecc5-ce8b-4900-a04a-a79abd029d6d /root/rootkey.enc luks,keyscript=decrypt_pkcs
```

9. Install the cryptsetup keyscript and the initramfs-tools hook

```
sudo cp decrypt_pkcs /lib/cryptsetup/scripts/
sudo cp decrypt_pkcs_hook /etc/initramfs-tools/hooks && sudo chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs_hook
sudo update-initramfs -u
```

10. Test smartcard (without USB key)

11. Test LUKS password (without smartcard)
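The README does not show the keyscript itself. The following is an added example (not the project's `decrypt_pkcs`, and not from the swoopla or Mobian projects) of a POSIX `/bin/sh` keyscript skeleton with the smartcard-then-passphrase fallback described in the general steps. It also encodes the size checks behind steps 5 and 7: RSA PKCS#1 v1.5 can wrap at most `modulus/8 - 11` bytes, which is why the key file is 245 bytes for a 2048-bit key, and a wrapped key must be exactly one RSA block (256 bytes). Assumed and not taken from the README: key id `01` on the card, `opensc-tool -n` as the card-presence probe, `pkcs15-crypt --decipher --pkcs1` as the unwrap call, and `/lib/cryptsetup/askpass` for prompting (cryptsetup exports `CRYPTTAB_SOURCE` to keyscripts). The keyscript writes the key material to stdout, which is what cryptsetup expects.

```shell
#!/bin/sh
# Added example keyscript skeleton (hypothetical, not the project's own code).
# cryptsetup calls it as: decrypt_pkcs <key_file> and reads the key from stdout.

# Largest plaintext that fits in one RSA PKCS#1 v1.5 block for a modulus of
# $1 bits: modulus bytes minus 11 bytes of padding (2048 -> 245).
max_plaintext_bytes() {
    echo $(( $1 / 8 - 11 ))
}

# Return 0 if the raw key file $1 fits a single RSA block of $2 bits.
keyfile_fits() {
    file="$1"; bits="$2"
    size=$(wc -c < "$file")
    [ "$size" -le "$(max_plaintext_bytes "$bits")" ]
}

# Return 0 if the wrapped key file $1 is exactly one RSA block of $2 bits;
# any other length means a truncated or unrelated file, so do not feed it
# to the card.
wrapped_key_ok() {
    file="$1"; bits="$2"
    [ "$(wc -c < "$file")" -eq $(( bits / 8 )) ]
}

# True when OpenSC sees a card in a reader (pcscd must be running in initramfs).
card_present() {
    opensc-tool -n >/dev/null 2>&1
}

# Unwrap $1 with private key 01 on the card using PIN $2, writing to $3.
# Assumed pkcs15-crypt invocation; key id 01 matches step 4 of the README.
unwrap_with_card() {
    enc="$1"; pin="$2"; out="$3"
    pkcs15-crypt --decipher --pkcs1 --key 01 --pin "$pin" \
        --input "$enc" --output "$out"
}

# Main flow: try the smartcard first, fall back to the LUKS passphrase slot.
keyscript_main() {
    enc="$1"                      # crypttab key field, e.g. /root/rootkey.enc
    tmp="/tmp/rootkey.$$"
    umask 077                     # unwrapped key must not be world-readable
    if card_present && wrapped_key_ok "$enc" 2048; then
        pin=$(/lib/cryptsetup/askpass "Smartcard PIN: ")
        if unwrap_with_card "$enc" "$pin" "$tmp" 2>/dev/null; then
            cat "$tmp"
            rm -f "$tmp"
            return 0
        fi
        rm -f "$tmp"
        echo "Smartcard unwrap failed, falling back to passphrase" >&2
    fi
    # No card or unwrap failed: the passphrase itself is the key material.
    /lib/cryptsetup/askpass "LUKS passphrase for ${CRYPTTAB_SOURCE:-$enc}: "
}

# Only run the keyscript flow when installed and invoked under its own name.
case "${0##*/}" in
    decrypt_pkcs) keyscript_main "$@" ;;
esac
```

Because a wrong card or a missing reader must never lock you out of the LUKS passphrase slot, the fallback path is reached on every failure, not only when no card is detected; the size checks stop a truncated `rootkey.enc` from being sent to the card at all.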