Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Debian/Ubuntu support #88

Draft
wants to merge 18 commits into
base: master
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 0 additions & 17 deletions Makefile

This file was deleted.

38 changes: 30 additions & 8 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,9 @@ This project leverages a [YubiKey](https://wiki.archlinux.org/index.php/Yubikey)
Be aware that this was only tested and intended for:

* [Arch Linux](https://www.archlinux.org/) and its derivatives
* [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems
* [YubiKey (version 4 or later)](https://www.yubico.com/products/yubikey-5-overview/)

There is similar project targeting [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems: [yubikey-luks](https://github.com/cornelinux/yubikey-luks)

Table of Contents
=================
Expand Down Expand Up @@ -80,31 +80,42 @@ Keep in mind that the above doesn't protect you from physical tampering like *ev

# Install

## From Arch Linux official repository
## Arch Linux
### From Arch Linux official repository

The easiest way is to install package from [official Arch Linux repository](https://www.archlinux.org/packages/community/any/yubikey-full-disk-encryption/).

```
sudo pacman -Syu yubikey-full-disk-encryption
```

## From Github using 'makepkg'
### From Github using 'makepkg'

```
wget https://raw.githubusercontent.com/agherzan/yubikey-full-disk-encryption/master/PKGBUILD
wget https://raw.githubusercontent.com/agherzan/yubikey-full-disk-encryption/master/packaging/archlinux/PKGBUILD
makepkg -srci
```

## From Github using 'make'
### From Github using 'make'

```
git clone https://github.com/agherzan/yubikey-full-disk-encryption.git
cd yubikey-full-disk-encryption
cd yubikey-full-disk-encryption/packaging/archlinux
sudo make install
```

When installing by using `make` you also need to install [yubikey-personalization](https://www.archlinux.org/packages/community/x86_64/yubikey-personalization/) and [expect](https://www.archlinux.org/packages/extra/x86_64/expect/) packages.

## Debian/Ubuntu
### From Github using 'make'
```
git clone https://github.com/agherzan/yubikey-full-disk-encryption.git
cd yubikey-full-disk-encryption/packaging/debian
make builddeb NO_SIGN=1
sudo dpkg -i DEBUILD/ykfde_*_all.deb
```


# Configure


Expand Down Expand Up @@ -212,18 +223,29 @@ To kill a ykfde passphrase for existing *LUKS* encrypted volume you can use [ykf
ykfde-enroll -d /dev/<device> -s <keyslot_number> -k
```

## Enable ykfde initramfs hook
## Enable ykfde initramfs hook (Arch Linux)

**Warning: It's recommended to have already working [encrypted system setup](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system) with `encrypt` hook and non-ykfde passphrase before starting to use `ykfde` hook with ykfde passphrase to avoid potential misconfigurations.**

Edit `/etc/mkinitcpio.conf` and add the `ykfde` hook before or instead of `encrypt` hook as provided in [example](https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Examples). Adding `ykfde` hook before `encrypt` hook will allow for a safe fallback in case of ykfde misconfiguration. You can remove `encrypt` hook later when you confim that everything is working correctly. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation):
For Arch Linux and its derivatives, edit `/etc/mkinitcpio.conf` and add the `ykfde` hook before or instead of `encrypt` hook as provided in [example](https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Examples). Adding `ykfde` hook before `encrypt` hook will allow for a safe fallback in case of ykfde misconfiguration. You can remove `encrypt` hook later when you confim that everything is working correctly. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation):

```
sudo mkinitcpio -P
```

Reboot and test your configuration.

## Update crypttab (Debian/Ubuntu)
To unlock LUKS encrypted volumes at boot for Debian/Ubuntu systems, you must append `keyscript=/usr/share/ykfde/ykfde-keyscript` to the `/etc/crypttab` file. For example:
```
cryptroot /dev/sda none luks,keyscript=/usr/share/ykfde/ykfde-keyscript
```
After changing this file, update the initial RAM file system:
```
sudo update-initramfs -u
```


## Enable NFC support in ykfde initramfs hook (experimental)

**Warning: Currently NFC support is implemented only in initramfs hook. All ykfde manipulations on booted system have to be done through USB.**
Expand Down
17 changes: 17 additions & 0 deletions packaging/archlinux/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
install: reinstall
install -v -b -Dm644 ../../src/ykfde.conf "$(DESTDIR)/etc/ykfde.conf"

reinstall:
install -Dm644 ../../src/archlinux/hooks/ykfde "$(DESTDIR)/usr/lib/initcpio/hooks/ykfde"
install -Dm644 ../../src/archlinux/install/ykfde "$(DESTDIR)/usr/lib/initcpio/install/ykfde"
install -Dm755 ../../src/archlinux/ykfde-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/ykfde-suspend"
install -Dm755 ../../src/archlinux/initramfs-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/initramfs-suspend"
install -Dm644 ../../src/archlinux/ykfde-suspend.service "$(DESTDIR)/usr/lib/systemd/system/ykfde-suspend.service"
install -Dm755 ../../src/ykfde-enroll "$(DESTDIR)/usr/bin/ykfde-enroll"
install -Dm755 ../../src/ykfde-format "$(DESTDIR)/usr/bin/ykfde-format"
install -Dm755 ../../src/ykfde-open "$(DESTDIR)/usr/bin/ykfde-open"
install -Dm644 ../../README.md "$(DESTDIR)/usr/share/doc/ykfde/README.md"
test:
../../src/testrun.sh

all: install
2 changes: 1 addition & 1 deletion PKGBUILD → packaging/archlinux/PKGBUILD
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
pkgname=yubikey-full-disk-encryption-git
_pkgname=yubikey-full-disk-encryption
pkgver=r136.4d8ba6a
pkgver=r155.dcaac00
pkgrel=1
pkgdesc='Use YubiKey to unlock a LUKS partition'
arch=('any')
Expand Down
26 changes: 26 additions & 0 deletions packaging/debian/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
info:
@echo "builddeb [NO_SIGN=1] - build deb package for Ubuntu LTS [NO_SIGN disables signing]"
@echo "clean - clean build directory DEBUILD"

VERSION=0.1
SRC_DIR = ykfde-${VERSION}

debianize:
rm -fr DEBUILD
mkdir -p DEBUILD/${SRC_DIR}
cp -r * DEBUILD/${SRC_DIR} || true
cp -r ../../src/ykfde* DEBUILD/${SRC_DIR} || true
cp -r ../../src/debian/* DEBUILD/${SRC_DIR} || true
cp ../../README.md DEBUILD/${SRC_DIR} || true
(cd DEBUILD; tar -zcf ykfde_${VERSION}.orig.tar.gz --exclude=${SRC_DIR}/debian ${SRC_DIR})

builddeb:
make debianize
ifndef NO_SIGN
(cd DEBUILD/${SRC_DIR}; debuild)
else
(cd DEBUILD/${SRC_DIR}; debuild -uc -us)
endif

clean:
rm -fr DEBUILD
5 changes: 5 additions & 0 deletions packaging/debian/debian/changelog
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
ykfde (0.1) UNRELEASED; urgency=medium

* Added Debian/Ubuntu support

-- crispy-landslide <[email protected]> Tue, 11 Jan 2022 21:28:25 -0800
1 change: 1 addition & 0 deletions packaging/debian/debian/compat
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
11
16 changes: 16 additions & 0 deletions packaging/debian/debian/control
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
Source: ykfde
Section: admin
Priority: optional
Maintainer: Andrei Gherzan <https://github.com/agherzan>
Build-Depends: debhelper (>= 11), dh-exec
Standards-Version: 4.1.4
Homepage: https://github.com/agherzan/yubikey-full-disk-encryption

Package: ykfde
Architecture: all
Depends: cryptsetup, initramfs-tools, yubikey-personalization (>= 1.5), udisks2, expect, ${misc:Depends}
Description: This project leverages a YubiKey HMAC-SHA1 Challenge-Response
mode for creating strong LUKS encrypted volume passphrases.
It can be used in intramfs stage during boot process as well as on running system.
.
Requires Yubikey 4 or newer.
7 changes: 7 additions & 0 deletions packaging/debian/debian/copyright
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Copyright 2017 Andrei Gherzan

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
17 changes: 17 additions & 0 deletions packaging/debian/debian/rules
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
#! /usr/bin/make -f

%:
dh $@

override_dh_auto_build:
# nothing to build

override_dh_install:
dh_install
install -D -o root -g root -m755 hooks/ykfde debian/ykfde/usr/share/initramfs-tools/hooks/ykfde
install -D -o root -g root -m755 key-script debian/ykfde/usr/share/ykfde/ykfde-keyscript
install -D -o root -g root -m755 ykfde-open debian/ykfde/usr/bin/ykfde-open
install -D -o root -g root -m755 ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll
install -D -o root -g root -m755 ykfde-format debian/ykfde/usr/bin/ykfde-format
install -D -o root -g root -m644 README.md debian/ykfde/usr/share/doc/ykfde/README.md
install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf
22 changes: 22 additions & 0 deletions packaging/debian/debian/ykfde.postinst
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
#! /bin/sh

set -e

case "$1" in
configure)
if [ -x /usr/sbin/update-initramfs ]; then
echo
update-initramfs -u
fi
;;
abort-upgrade|abort-remove|abort-deconfigure)

;;

*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac

#DEBHELPER#
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
28 changes: 28 additions & 0 deletions src/debian/hooks/ykfde
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
#!/bin/sh

set -e

PREREQ="cryptroot"

prereqs()
{
echo "$PREREQ"
}

case $1 in
prereqs)
prereqs
exit 0
;;
esac

. /usr/share/initramfs-tools/hook-functions
. /etc/ykfde.conf

copy_exec /usr/bin/ykchalresp
copy_exec /usr/bin/ykinfo
copy_exec /usr/bin/sha256sum
cp /usr/share/ykfde/ykfde-keyscript "${DESTDIR}/sbin/ykfde-keyscript"
cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf"

exit 0
Loading