1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-27 03:21:32 +03:00
systemd-stable/man/yubikey-crypttab.sh

27 lines
1.1 KiB
Bash
Raw Normal View History

# Destroy any old key on the Yubikey (careful!)
ykman piv reset
2020-12-07 19:18:52 +03:00
# Generate a new private/public key pair on the device, store the public key in
# 'pubkey.pem'.
ykman piv generate-key -a RSA2048 9d pubkey.pem
# Create a self-signed certificate from this public key, and store it on the
2020-12-07 19:18:52 +03:00
# device. The "subject" should be an arbitrary user-chosen string to identify
# the token with.
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem
2020-12-07 19:18:52 +03:00
# We don't need the public key anymore, let's remove it. Since it is not
# security sensitive we just do a regular "rm" here.
rm pubkey.pem
2020-12-07 19:18:52 +03:00
# Enroll the freshly initialized security token in the LUKS2 volume. Replace
# /dev/sdXn by the partition to use (e.g. /dev/sda1).
sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn
# Test: Let's run systemd-cryptsetup to test if this all worked.
sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto
2020-12-07 19:18:52 +03:00
# If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future.
sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >> /etc/crypttab'