
Add Debian guide

Open sandrokeil opened this issue 7 years ago • 3 comments

Write the Arch Linux guide for Debian. Not sure if it would be identical to the Ubuntu guide #1

sandrokeil avatar Jul 30 '18 21:07 sandrokeil

The content seems complex, but first of all I will briefly explain what I am actually studying/using. I have a Debian 11 64-bit installed and updated, manually partitioned with GRUB in /boot in clear text and the / system root encrypted with LUKS and unlocked after boot with a physical USB token (modified crypttab and some patches that compare the encrypted public key in /root with the private key in the token, accessed by PIN; I could post the txt steps). I did not create a swap partition (because of the double passphrase to unlock, and 8 GB of RAM and a 250 GB NVMe seem enough for a home machine with a virtual server guest too). The motherboard is an Asus A320M-K that has Secure Boot options (other systems that I am not actually using because I need to understand them).

So what I am asking (it is easier for me to maybe reinstall from the beginning, maybe using the Debian installer 'standard new users LVM encrypted auto formatting', even if it does not allow me to 'adjust' the swap partition space and it is not exactly what I would like to obtain) is the following. With an ePass2003 USB token, is it possible to encrypt partitions like with a YubiKey? Is it possible to have a fully encrypted disk (maybe with an LVM swap partition or not) through a Secure Boot stored passphrase unlocked at boot directly through a physical USB token (YubiKey or other token)? This would avoid typing the password twice.

I thank you in advance for your answers. Best regards, Gianni Cerato

janet75 avatar Dec 04 '21 21:12 janet75

Please have a look at this chapter. Your boot partition cannot be unlocked through a USB token, e.g. a YubiKey.

I have to provide two passwords for my setup. One password unlocks the boot partition and the second password is for the YubiKey to unlock the encrypted home partition.

sandrokeil avatar Dec 15 '21 13:12 sandrokeil

Hello Sandro, I reply to the (mailing) list around the world to thank you for the answer. Effectively this procedure makes the system almost 100% secured. Perhaps the only way to break it is to completely delete the hard drives (of course physically accessing them) or, of course, to rob the token with the password(s) previously recorded/filmed.

So I have not yet tried using my token (to encrypt partitions like with a YubiKey) and I would like to know if it is possible. I do not know if the Debian installation media allow manually preparing LVM and /boot encrypted partitions to install the system in, like so, nor using existing prepared disk(s).

As I wrote, I attach my step-by-step procedure for studying, if you have questions, and of course I am seeking sponsor(s) for new projects.

Regards, Gianni Cerato

On Wed, 15/12/2021 at 05:25 -0800, Sandro Keil wrote:

Please have a look at this chapter. Your boot partition cannot be unlocked through a USB token, e.g. a YubiKey. I have to provide two passwords for my setup. One password unlocks the boot partition and the second password is for the YubiKey to unlock the encrypted home partition.

Token simple

erase:
pkcs15-init -E

initialize:
pkcs15-init --create-pkcs15 -p pkcs15+onepin --pin ****** --puk *******

create keys:
pkcs15-init -G rsa/2048 -i 01 -a 01 -u decrypt --pin ******

system

Create a random key file and add it to a LUKS key slot

sudo touch /root/rootkey
sudo chmod 600 /root/rootkey
sudo dd if=/dev/random of=/root/rootkey bs=1 count=245 # change to urandom if you can't wait
sudo cryptsetup luksAddKey /dev/nvme0n1p3 /root/rootkey

Export the public key from the smartcard

pkcs15-tool --read-public-key 01 -o public_key_rsa2048.pem

Encrypt the key file using the public key

sudo openssl rsautl -encrypt -pubin -inkey public_key_rsa2048.pem -in /root/rootkey -out /root/rootkey.enc
sudo rm /root/rootkey

Edit crypttab. This change sends the encrypted key file as a param to the keyscript

(backup) sudo cp /etc/crypttab /etc/crypttab.bck
sudo nano /etc/crypttab

This should be of the form:

mapped_device_name source_block_device key_file luks,keyscript=decrypt_opensc

example: sda5_crypt UUID=copy_from_original_crypttab /root/rootkey.enc luks,keyscript=decrypt_opensc

Apply the patch to the cryptopensc hook and regenerate the initramfs (for the file to copy you can contact me)

create reader.conf (or rename it into .d in the patch):
sudo touch /etc/reader.conf
sudo chmod 655 /etc/reader.conf

(backup cryptopensc) sudo cp /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/orignsc.bck
sudo patch /usr/share/initramfs-tools/hooks/cryptopensc < cryptopensc.patch
if error 53: sudo cp /usr/sbin/pcscd /sbin/pcscd

(backup local-bottom/cryptopensc) sudo cp /usr/share/initramfs-tools/scripts/local-bottom/cryptopensc /usr/share/initramfs-tools/scripts/local-bottom/orignsc.bck
sudo patch /usr/share/initramfs-tools/scripts/local-bottom/cryptopensc < local-bottom-cryptopensc.patch

sudo update-initramfs -u

Manage LUKS by removing the old existing keys (carefully, because you then have just the token to access the system partition)

janet75 avatar Dec 22 '21 13:12 janet75
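The added example below (mine, not code from the thread or from the project this issue belongs to) walks the key-file wrapping part of the procedure above end to end in a temporary directory, with a software RSA-2048 key standing in for the token's private key (on the real system that key never leaves the token and the decrypt is done by the keyscript at boot). It shows why the key file is 245 bytes (the PKCS#1 v1.5 limit under a 256-byte modulus), that a 246-byte file is rejected at wrap time rather than failing silently at boot, that the wrapped file round-trips, and how the crypttab line is assembled. openssl pkeyutl is used in place of the deprecated rsautl, and the UUID passed to crypttab_line is a placeholder; the luksAddKey step is not run because it needs root and a real LUKS device.

```shell
#!/bin/sh
# Added illustration of the key-wrapping flow. A software RSA key stands in
# for the token's private key (assumption for this demo only); everything
# else mirrors the steps in the procedure.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# RSA-2048 keypair; the .pem public half is what
# "pkcs15-tool --read-public-key 01 -o public_key_rsa2048.pem" exports.
make_stand_in_token() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/token_priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/token_priv.pem" -pubout \
        -out "$WORK/public_key_rsa2048.pem"
}

# 245 random bytes: the largest plaintext PKCS#1 v1.5 can wrap under a
# 2048-bit (256-byte) modulus, 256 - 11 bytes of padding. Prints the size.
make_key_file() {
    dd if=/dev/urandom of="$WORK/rootkey" bs=1 count=245 2>/dev/null
    chmod 600 "$WORK/rootkey"
    wc -c < "$WORK/rootkey" | tr -d ' '
}

# Wrap with the public key. Prints the ciphertext size (always the modulus
# size, 256 bytes).
wrap_key_file() {
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/public_key_rsa2048.pem" \
        -in "$WORK/rootkey" -out "$WORK/rootkey.enc"
    wc -c < "$WORK/rootkey.enc" | tr -d ' '
}

# What the boot-time keyscript must reproduce: recover the raw slot secret.
# Prints "match" when the unwrapped bytes equal the original key file.
unwrap_key_file() {
    openssl pkeyutl -decrypt -inkey "$WORK/token_priv.pem" \
        -in "$WORK/rootkey.enc" -out "$WORK/rootkey.dec"
    a=$(od -An -v -tx1 "$WORK/rootkey" | tr -d ' \n')
    b=$(od -An -v -tx1 "$WORK/rootkey.dec" | tr -d ' \n')
    [ "$a" = "$b" ] && echo match || echo mismatch
}

# A key file one byte over the limit is refused by the wrap step, which is
# the point to catch it: a bad rootkey.enc would only show up at boot.
wrap_too_large_fails() {
    dd if=/dev/urandom of="$WORK/big" bs=1 count=246 2>/dev/null
    if openssl pkeyutl -encrypt -pubin -inkey "$WORK/public_key_rsa2048.pem" \
        -in "$WORK/big" -out "$WORK/big.enc" 2>/dev/null; then
        echo wrapped
    else
        echo rejected
    fi
}

# crypttab entry in the form used by the procedure:
# $1 = mapper name, $2 = LUKS UUID (placeholder here), $3 = wrapped key path.
crypttab_line() {
    printf '%s UUID=%s %s luks,keyscript=decrypt_opensc\n' "$1" "$2" "$3"
}

make_stand_in_token
echo "key file bytes: $(make_key_file)"
echo "wrapped bytes:  $(wrap_key_file)"
echo "round trip:     $(unwrap_key_file)"
echo "246-byte file:  $(wrap_too_large_fails)"
crypttab_line nvme0n1p3_crypt 00000000-PLACEHOLDER-UUID /root/rootkey.enc
```

Run it with sh; it needs only openssl and coreutils. On the real system the only differences are that the public key comes from the token and the private-key operation in unwrap_key_file is performed on the token (PIN-gated) by the keyscript, so the cleartext key never exists on disk after the rm step.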