43 lines
1.3 KiB
Bash
Executable File
43 lines
1.3 KiB
Bash
Executable File
#!/bin/bash -p
|
|
|
|
set -euo pipefail
|
|
|
|
echo "start in"
|
|
echo "nix-shell https://github.com/sgillespie/nixos-yubikey-luks/archive/master.tar.gz"
|
|
|
|
# sanitize environment
|
|
YKFDE_SLOT=2
|
|
YKFDE_SALT_LENGTH=16
|
|
YKFDE_SALT=""
|
|
YKFDE_CHALLENGE=""
|
|
YKFDE_RESPONSE=""
|
|
YKFDE_SLOT_CHECK=""
|
|
YKFDE_KEY_LENGTH=512
|
|
YKFDE_ITERATIONS=1000000
|
|
YKFDE_STORAGE=/boot/crypt-storage/default
|
|
|
|
|
|
YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_SLOT")"
|
|
printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_SLOT': $YKFDE_SLOT_CHECK"
|
|
|
|
if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
|
|
printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
|
|
exit 1
|
|
fi
|
|
|
|
YKFDE_SALT="$(dd if=/dev/random bs=1 count=$YKFDE_SALT_LENGTH 2>/dev/null | rbtohex)"
|
|
if [ -f "$YKFDE_STORAGE" ]; then
|
|
YKFDE_SALT="$(head -1 $YKFDE_STORAGE)"
|
|
echo "$FILE exists."
|
|
fi
|
|
YKFDE_CHALLENGE="$(echo -n $YKFDE_SALT | openssl dgst -binary -sha512 | rbtohex)"
|
|
YKFDE_RESPONSE="$(ykchalresp -2 -x $YKFDE_CHALLENGE 2>/dev/null)"
|
|
YKFDE_K_LUKS="$(echo | pbkdf2-sha512 $(($YKFDE_KEY_LENGTH / 8)) $YKFDE_ITERATIONS $YKFDE_RESPONSE | rbtohex)"
|
|
mkdir -p "$(dirname $YKFDE_STORAGE)"
|
|
echo -ne "$YKFDE_SALT\n$YKFDE_ITERATIONS" > $YKFDE_STORAGE
|
|
echo $YKFDE_K_LUKS > luks.key
|
|
cryptsetup luksAddKey /dev/nvme0n1p2 luks.key
|
|
rm luks.key
|
|
|
|
exit 0
|