#!/bin/sh
# Abort on the first failing command; the steps below modify LUKS headers,
# so carrying on after an error is never what we want.
set -e
# Defaults, overridable by the getopts flags further down:
#   CLEAR_SLOT=1 (-c)      wipe existing FIDO2 keyslots before enrolling
#   USE_PIN=false (-n)     enroll without the token's client PIN (presence only)
CLEAR_SLOT=0
USE_PIN=true
. /usr/share/fido2-luks/fido2-utils.sh
# fido2_enroll: store the last line of $assertion in the global R.
# Nothing in this file calls it and $assertion is not assigned here either;
# presumably a leftover from the yubikey-luks origin of this script — confirm
# against the sourced fido2-utils.sh before removing.
fido2_enroll() {
  R=$(printf '%s\n' "$assertion" | sed -n '$p')
}
# Everything below rewrites LUKS keyslots, so refuse to run unprivileged.
[ "$(id -u)" -eq 0 ] || {
  echo "You must be root." >&2
  exit 1
}
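# Parse command-line flags.
# The optstring also accepts -s <arg> and -v, but no case arm handles them,
# so they are accepted and ignored (kept for compatibility; they look like
# leftovers from the yubikey-luks origin — confirm before dropping them).
# Previously a missing argument (-d with nothing after it) and an unknown
# option were both reported at most, and the script carried on with DISK
# empty; both are now fatal.
while getopts ":s:d:hcnv" opt; do
  case "$opt" in
    d)
      DISK=$OPTARG
      # printf, not echo: under /bin/sh (dash) echo interprets backslashes.
      printf '%s\n' "setting disk to $OPTARG."
      ;;
    c)
      CLEAR_SLOT=1
      echo "clearing slot"
      ;;
    n)
      # Possession-only enrollment: the token unlocks the volume without its
      # client PIN, so whoever holds the token can open it.
      USE_PIN=false
      echo "not using PIN"
      ;;
    h)
      echo
      echo " -d <partition>: set the partition"
      echo " -c : clear all fido2 slots prior to writing"
      echo " -n : don't ask for PIN when authenticating"
      echo " -h : show this help"
      echo
      exit 1
      ;;
    :)
      # Reached because the optstring starts with ':' (silent mode): getopts
      # sets opt=':' and OPTARG to the option that lacks its argument.
      printf '%s\n' "Option -$OPTARG requires an argument" >&2
      exit 1
      ;;
    \?)
      printf '%s\n' "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
  esac
done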
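# A target device is mandatory: stop before anything destructive runs.
# Previously an empty DISK was passed as "" to systemd-cryptenroll/cryptsetup.
if [ -z "${DISK:-}" ]; then
  printf '%s\n' "No partition given; use -d <partition>." >&2
  exit 1
fi
if [ "$CLEAR_SLOT" = "1" ]; then
  # Destructive: removes every FIDO2 keyslot on the device. Make sure another
  # unlock method (e.g. a passphrase keyslot) remains, or the volume may end
  # up with no usable way to open it.
  printf '%s\n' "Killing FIDO2 LUKS slots on device $DISK"
  systemd-cryptenroll --wipe-slot=fido2 "$DISK"
fi
# Refuse to enroll a second token. The dump's exit status is checked on its
# own: in the old pipeline the status came from wc, so a failed luksDump
# (wrong path, not a LUKS device) counted as "no tokens" and enrollment
# went ahead regardless.
luks_dump=$(cryptsetup luksDump "$DISK") || {
  printf '%s\n' "cryptsetup luksDump failed for $DISK; is it a LUKS device?" >&2
  exit 1
}
# grep -c prints the count but exits 1 when it is 0; '|| true' keeps that
# from tripping set -e. The '\s' class is a GNU grep extension (unchanged).
num_fido2_tokens=$(printf '%s\n' "$luks_dump" | grep -cE '^\s+[0-9]+: systemd-fido2$' || true)
if [ "$num_fido2_tokens" -gt 0 ]; then
  echo "FIDO2 token already enrolled. Refusing to enroll another one."
  exit 1
fi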
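# Wait until a FIDO2 token is present. fido2_device comes from the sourced
# fido2-utils.sh; presumably it returns success once a token is plugged in —
# confirm there.
until fido2_device; do
  printf '%s' "Please insert a FIDO2 token and press enter."
  # Read the keypress from the controlling terminal. The original '<&1' read
  # from fd 1 (stdout), which only worked while stdout happened to be the tty;
  # with stdout redirected the read failed and set -e ended the script with
  # no message. Without any terminal we now say why before giving up.
  read -r _ </dev/tty || {
    printf '\n%s\n' "No terminal available to wait for a token; aborting." >&2
    exit 1
  }
done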
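# Enroll the token. User presence (a touch) is always required; the client
# PIN requirement follows USE_PIN (-n turns it off). The exit status is
# checked explicitly rather than relying on set -e so the failure is named.
if ! systemd-cryptenroll "$DISK" \
  --fido2-device=auto \
  --fido2-with-client-pin="$USE_PIN" \
  --fido2-with-user-presence=true; then
  printf '%s\n' "systemd-cryptenroll failed; enrollment did not complete." >&2
  exit 1
fi
# printf rather than echo: under /bin/sh (dash) echo interprets backslashes
# in the interpolated $DISK.
printf '\n%s\n' "FIDO2 token enrolled."
printf '%s\n' "In order to be able to decrypt $DISK using your FIDO2 token at boot time:"
printf '%s\n' "- append 'keyscript=/usr/share/fido2-luks/fido2-luks-keyscript'"
printf '%s\n' " to the options section of the entry in /etc/crypttab corresponding to $DISK, and then"
printf '%s\n' "- run 'update-initramfs -u'."
exit 0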