A non-intrusive way of storing LUKS keys on PKCS #15 smart cards
If you ever wanted to store your LUKS key on a smart card and started to search the internet for solutions, you'd be disappointed. The best guide I managed to find is https://wiki.ubuntu.com/SmartCardLUKSDiskEncryption, which wants you to change your transport AUT1 key and uses a whole bunch of various scripts. It's also written for usplash, which isn't really used anymore.
I was amazed at the state of things, and after a bit of tinkering I got everything running as a standard PKCS#15 data object with only two scripts needed. Oh, and it has support for the awesome plymouthd.
- An initialized (PINs etc.) PKCS#15 capable smart card
- A reader supported by OpenSC
- opensc, pcscd
This is written and tested on Debian 7.0 wheezy but should easily work with most other distros. Written from memory, leave me a comment if I forgot to mention something.
Create the key (use a true random source if you're paranoid):
Edit your /etc/crypttab from: to:
Add the key to your LUKS device:
This is /etc/initramfs-tools/hooks/pkcs15:
And this is /usr/local/sbin/luks-pkcs15.sh:
Don't forget to make both files executable. Update your initramfs (having a backup of it is a good idea) and reboot:
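As an added example, not the author's luks-pkcs15.sh, here is a keyscript in the same spirit: cryptsetup runs it with the crypttab key field as $1 and reads the key bytes from its stdout, and the script fetches them from the card's PKCS#15 data object with pkcs15-tool, asking for the PIN through plymouth when it is running. The object label, the PKCS15_TOOL override and the retry limit are assumptions.

```shell
#!/bin/sh
# Hypothetical keyscript modelled on the post's luks-pkcs15.sh (not the author's script).
# Assumes the LUKS key is stored on the card as a PKCS#15 data object whose label is
# the crypttab key field, and that pcscd/opensc are in the initramfs (the hook's job).

PKCS15_TOOL=${PKCS15_TOOL:-pkcs15-tool}   # overridable so the functions can be tested off-line
MAX_TRIES=2   # keep below the card's PIN retry counter (often 3) so a typo cannot block the PIN

# Prompt for the card PIN: through plymouth when it is running, otherwise on the console.
ask_pin() {
    if command -v plymouth >/dev/null 2>&1 && plymouth --ping 2>/dev/null; then
        plymouth ask-for-password --prompt "PIN for data object '$1': "
    else
        printf "PIN for data object '%s': " "$1" >&2
        stty -echo 2>/dev/null; read -r pin; stty echo 2>/dev/null; echo >&2
        printf '%s' "$pin"
    fi
}

# Read the data object with the given PIN and write its raw bytes to stdout.
# Returns pkcs15-tool's exit status (non-zero on a wrong PIN or a missing object);
# the PIN is verified before anything is read, so no partial key is ever emitted.
read_key() {
    label=$1; pin=$2
    "$PKCS15_TOOL" --pin "$pin" --read-data-object "$label" --raw
}

# Ask and read, giving the user a bounded number of attempts.
main() {
    label=${1:-luks-key}
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        pin=$(ask_pin "$label")
        if [ -n "$pin" ] && read_key "$label" "$pin"; then
            return 0
        fi
        echo "Could not read '$label' from the card (attempt $tries/$MAX_TRIES)" >&2
    done
    return 1
}

# Run only when invoked as the installed keyscript, so the functions can be sourced for tests.
case ${0##*/} in luks-pkcs15.sh) main "$@" ;; esac
```

Install it as /usr/local/sbin/luks-pkcs15.sh and reference it from crypttab with keyscript=/usr/local/sbin/luks-pkcs15.sh, with the data object label in the key field.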
Worth noting is that I'm using an Aventra MyEID 80k, for which I needed to patch the myeid.profile in order to create privdata with pkcs15-tool.