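#!/bin/bash -p
# Enrol a YubiKey challenge-response derived key into a LUKS volume.
# The salt and iteration count used for derivation are persisted to
# $YKFDE_STORAGE so the same key can be re-derived later.
#
# -p (privileged mode): shell functions and $ENV/$BASH_ENV are not taken
# from the caller's environment. Note that shebang options are lost when
# the script is started as `bash script.sh`; the YKFDE_* resets below do
# not depend on it.
set -euo pipefail

# cryptsetup luksAddKey and writing under /boot require root.
if [ "$EUID" -ne 0 ]; then
  echo "Please run as root" >&2
  exit 1 # non-zero so a wrapper can tell that nothing was enrolled
fi

# sanitize environment
# Every YKFDE_* value is reset here so a value inherited from the caller's
# environment cannot influence slot selection, salt handling or the KDF
# parameters.
YKFDE_SLOT=2
YKFDE_SALT_LENGTH=16
YKFDE_SALT=""
YKFDE_CHALLENGE=""
YKFDE_RESPONSE=""
YKFDE_SLOT_CHECK=""
YKFDE_KEY_LENGTH=512
YKFDE_ITERATIONS=1000000
YKFDE_STORAGE=/boot/crypt-storage/default

# ykinfo exits non-zero when no YubiKey is plugged in. Without `|| true`
# this assignment would abort the script under `set -e` before the wait
# loop below is ever reached; an empty status is reported instead.
YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_SLOT" || true)"
printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_SLOT': $YKFDE_SLOT_CHECK"

# ykinfo prints 1 when the queried slot is configured; reuse the status
# just captured instead of querying the key a second time.
if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
  printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_SLOT' isn't configured. Please insert a YubiKey with the slot configured for 'HMAC-SHA1 Challenge-Response'." >&2
fi

# Poll until the chosen slot reports as configured (key inserted/replaced).
# A failing command substitution inside `[ ]` does not trip `set -e`.
while [ "$(ykinfo -q -"$YKFDE_SLOT")" != 1 ]; do
  sleep 1
done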
#######################################
# Hex-encode raw bytes read from stdin.
# Arguments: none (consumes stdin)
# Outputs:   lowercase hex, two characters per input byte, no separators
#            and no trailing newline, on stdout
#######################################
rbtohex() {
  # od prints space-separated hex bytes (-v keeps repeated lines instead of
  # collapsing them to '*'); tr then strips the separators and newlines so
  # the result is one contiguous hex string.
  od -An -v -t x1 | tr -d ' \n'
}
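# LUKS device to add the derived key to. Optional first argument; the
# default is the device this script previously had hard-coded.
YKFDE_LUKS_DEV="${1:-/dev/nvme0n1p2}"

# Fresh random salt, hex encoded. Replaced below when a stored salt exists.
YKFDE_SALT="$(dd if=/dev/random bs=1 count="$YKFDE_SALT_LENGTH" 2>/dev/null | rbtohex)"
if [ -f "$YKFDE_STORAGE" ]; then
  # Line 1 of the storage file is the salt. Only the salt is reused; the
  # iteration count comes from YKFDE_ITERATIONS and the file is rewritten
  # with that value further down.
  YKFDE_SALT="$(head -n 1 -- "$YKFDE_STORAGE")"
  printf '%s\n' "Using current Salt: $YKFDE_SALT"
fi

# challenge = hex(SHA-512(salt)); response = the YubiKey slot's answer.
YKFDE_CHALLENGE="$(printf '%s' "$YKFDE_SALT" | openssl dgst -binary -sha512 | rbtohex)"
# Honour YKFDE_SLOT here as well instead of the previously hard-coded -2.
# NOTE(review): challenge and response travel as argv to ykchalresp and
# pbkdf2-sha512 and are briefly visible in the process list while they run.
YKFDE_RESPONSE="$(ykchalresp -"$YKFDE_SLOT" -x "$YKFDE_CHALLENGE" 2>/dev/null)"
# Stretch the response into the LUKS key (YKFDE_KEY_LENGTH bits -> bytes).
# The empty line on stdin is whatever pbkdf2-sha512 reads from stdin; it is
# kept exactly as before so the derived key still matches the unlock side.
YKFDE_K_LUKS="$(echo | pbkdf2-sha512 $((YKFDE_KEY_LENGTH / 8)) "$YKFDE_ITERATIONS" "$YKFDE_RESPONSE" | rbtohex)"

# Persist salt and iteration count: "<salt>\n<iterations>" without a
# trailing newline, byte-identical to the previous `echo -ne` output.
mkdir -p -- "$(dirname -- "$YKFDE_STORAGE")"
printf '%s\n%s' "$YKFDE_SALT" "$YKFDE_ITERATIONS" > "$YKFDE_STORAGE"

# Hand the key to cryptsetup via a 0600 temp file that is removed on every
# exit path. Previously ./luks.key was created with the default umask and
# left behind whenever cryptsetup failed (set -e skipped the rm).
umask 077
YKFDE_KEYFILE="$(mktemp)"
trap 'rm -f -- "$YKFDE_KEYFILE"' EXIT
# The trailing newline is deliberate: it was part of the key file before
# and cryptsetup uses the file's raw bytes as the key.
printf '%s\n' "$YKFDE_K_LUKS" > "$YKFDE_KEYFILE"
cryptsetup luksAddKey "$YKFDE_LUKS_DEV" "$YKFDE_KEYFILE"

exit 0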