A non-intrusive way of storing LUKS keys on PKCS #15 smart cards

If you ever wanted to store your LUKS key on a smart card and started to search the internet for solutions, you'd be disappointed. The best guide I managed to find is https://wiki.ubuntu.com/SmartCardLUKSDiskEncryption which wants you to change your transport AUT1 key and uses a whole bunch of various scripts. It's written for usplash as well which isn't really used anymore.

I was amazed of the state of things and after a bit of tinkering I got everything running as a standard PKCS#15 data object and with only two scripts needed. Oh, and it has support for the awesome plymouthd.

You'll need:

  • An initialized (PINs etc.) PKCS#15 capable smart card
  • A reader supported by OpenSC
  • opensc, pcscd

This is written and tested on Debian 7.0 wheezy but should easily work with most other distros. Written from memory, leave me a comment if I forgot to mention something.

Create the key (use a true random source if you're paranoid):

Edit your /etc/crypttab from: to:

Add the key to your LUKS device:

This is /etc/initramfs-tools/hooks/pkcs15: And this /usr/local/sbin/luks-pkcs15.sh: Don't forget to make these files executable.

Update (having a backup of it is a good idea) your initramfs and reboot:


Worth noting is that I'm using an Aventra MyEID 80k which I needed to patch the myeid.profile in order to create privdata with pkcs15-tool.


Popular posts from this blog

Open Datacenter Hardware - What is OCP?

Open Datacenter Hardware - Leopard Server