AidanGG
commented
2 years ago Hi @anatol I managed to get this working. I started by generating an RSA2048 key according to Poettering's blog https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html (reference for the commands are here: https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html):
ykman piv reset
ykman piv keys generate -a RSA2048 9d pubkey.pem
ykman piv certificates generate --subject "YUBIKEY PIV CERT SUBJECT" 9d pubkey.pem
rm pubkey.pemwhich enrols into slot 9d of the YubiKey. Next, I found that systemd uses p11-kit, so I need to let it use libykcs11.so. Do this by creating /etc/pkcs11/modules/ykcs11.module with the contents:
module: /usr/lib/libykcs11.so(edit: or install ykcs11-p11-kit-module from AUR).
Then I list the tokens (adapted from this blog post https://vtimofeenko.com/posts/unlocking-luks2-with-x509-certificate-on-nitrokey-storage/):
p11tool --list-all # Set the YubiKey token as $TOKEN_URI
p11tool --list-all $TOKEN_URIYou have to take note of the URL for the correct cert. For the 9d slot I used above, it is the one with the label X.509 Certificate for Key Management. You must then use it as the URI to systemd-cryptenroll:
sudo systemd-cryptenroll --pkcs11-token-uri=$CERT_URI /dev/loop0
c3Ls1US
Forking discussion off #96
Booster has
systemd-tpm2andsystemd-fido2tokens support. It would be great to add thesystemd-pkcs11tokens as well.Booster needs a way to communicate with the pkcs11 device using some command-line tool and perform the same operation as systemd's code does.
Here is what I have
Now I am trying to use systemd-cryptsetup and it fails:
So it is not clear for me what is going on here.