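#!/bin/sh
#
# yubikey-luks-enroll - enroll a YubiKey challenge-response secret into a LUKS key slot.
#
# The user picks a password; the YubiKey (slot 2, HMAC-SHA1 challenge-response)
# turns it into a response, and that response is what is written into the LUKS
# key slot. The password alone is therefore useless without the YubiKey.
#
# Usage: yubikey-luks-enroll [-d <partition>] [-s <slot>] [-c] [-h]
#   -d <partition>  LUKS device (or image file) to enroll into (default: /dev/sda3)
#   -s <slot>       LUKS key slot to write (default: 7)
#   -c              kill the key slot before adding the new key
#   -h              print usage and exit with status 1
#
# Needs: root (cryptsetup), ykchalresp (yubikey-personalization),
#        /lib/cryptsetup/askpass.
#
# Exit status: 0 on success, 1 on usage error, mismatching passwords, a failed
# YubiKey response or a failed temp-file setup; cryptsetup's status otherwise
# (the script runs under set -e).

SLOT=7
DISK="/dev/sda3"
CLEAR_SLOT=0
# Set by mktemp below; kept empty until then so the EXIT trap has nothing to remove.
TMP_FILE=""

set -eu

# Print a message on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Remove the key file on every exit path (normal, set -e failure, signal) so a
# plaintext copy of the LUKS key never outlives the script.
cleanup() {
  if [ -n "$TMP_FILE" ] && [ -e "$TMP_FILE" ]; then
    rm -f -- "$TMP_FILE"
  fi
}
trap cleanup EXIT INT TERM

while getopts ":s:d:hc" opt; do
  case "$opt" in
    s)
      SLOT=$OPTARG
      echo "setting slot to $OPTARG."
      ;;
    d)
      DISK=$OPTARG
      echo "setting disk to $OPTARG."
      ;;
    c)
      CLEAR_SLOT=1
      echo "clearing slot"
      ;;
    h)
      echo
      echo " -d <partition>: set the partition"
      echo " -s <slot> : set the slot"
      echo " -c : clear the slot prior to writing"
      echo
      exit 1
      ;;
    :)
      # Leading ':' in the optstring makes getopts report a missing argument here.
      die "Option -$OPTARG requires an argument"
      ;;
    \?)
      # Stop on unknown options rather than proceeding to a destructive
      # luksKillSlot/luksAddKey with a possibly misparsed command line.
      die "Invalid option: -$OPTARG"
      ;;
  esac
done

# Validate the two values that reach cryptsetup before touching the device.
case "$SLOT" in
  ''|*[!0-9]*) die "Slot must be a non-negative integer, got: $SLOT" ;;
esac
[ -e "$DISK" ] || die "Device not found: $DISK"

echo "This script will utilize slot $SLOT on drive $DISK. If this is not what you intended, exit now!"

if [ "$CLEAR_SLOT" -eq 1 ]; then
  echo "Killing LUKS slot $SLOT"
  cryptsetup luksKillSlot "$DISK" "$SLOT"
fi

echo "Adding yubikey to initrd"
P1=$(/lib/cryptsetup/askpass "Please insert a yubikey and enter a new password. This is the password that will only work while your yubikey is installed in your computer.")
P2=$(/lib/cryptsetup/askpass "Please enter the yubikey password again:")
if [ "$P1" != "$P2" ]; then
  echo "Passwords do not match"
  exit 1
fi
# An empty challenge would yield a response derivable by anyone holding the key.
[ -n "$P1" ] || die "Password must not be empty"

echo "You may now be prompted for an existing passphrase. This is NOT the passphrase you just entered, this is the passphrase that you currently use to unlock your LUKS encrypted drive."

# Compute the response that becomes the LUKS key. A failed ykchalresp (no key
# inserted, slot 2 not configured) must abort: silently continuing would enroll
# an EMPTY key file, i.e. a slot that opens with no secret at all.
# NOTE: the password is passed on the command line and is briefly visible to
# other local users via ps; the unlock side uses the same invocation, so it is
# kept here for compatibility with the responses it will compute later.
R="$(ykchalresp -2 "$P1")" || die "ykchalresp failed - is a YubiKey with challenge-response configured in slot 2 inserted?"
[ -n "$R" ] || die "Empty response from the YubiKey, refusing to enroll an empty key"

# Unpredictable name, created 0600 by mktemp; the fixed /tmp/new_key of earlier
# versions could be pre-planted (symlink or file) by any local user.
TMP_FILE=$(mktemp) || die "mktemp failed"
chmod 600 "$TMP_FILE"
# printf instead of echo -n: no trailing newline, and portable across /bin/sh
# implementations. The response must be stored byte-exact.
printf '%s' "$R" > "$TMP_FILE"
cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" "$TMP_FILE"

# The EXIT trap also removes the file; do it eagerly so the key leaves disk
# as soon as cryptsetup is done with it.
rm -f -- "$TMP_FILE"
TMP_FILE=""
exit 0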