Open anatol opened 2 years ago
Hi @anatol, I managed to get this working. I started by generating an RSA2048 key according to Poettering's blog https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html (reference for the commands is here: https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html):

```
ykman piv reset
ykman piv keys generate -a RSA2048 9d pubkey.pem
ykman piv certificates generate --subject "YUBIKEY PIV CERT SUBJECT" 9d pubkey.pem
rm pubkey.pem
```

which enrols into slot `9d` of the YubiKey. Next, I found that systemd uses p11-kit, so I need to let it use `libykcs11.so`. Do this by creating `/etc/pkcs11/modules/ykcs11.module` with the contents:

```
module: /usr/lib/libykcs11.so
```

(edit: or install `ykcs11-p11-kit-module` from AUR).

Then I list the tokens (adapted from this blog post https://vtimofeenko.com/posts/unlocking-luks2-with-x509-certificate-on-nitrokey-storage/):

```
p11tool --list-all # Set the YubiKey token as $TOKEN_URI
p11tool --list-all $TOKEN_URI
```

You have to take note of the URL for the correct cert. For the `9d` slot I used above, it is the one with the label `X.509 Certificate for Key Management`. You must then use it as the URI to systemd-cryptenroll:

```
sudo systemd-cryptenroll --pkcs11-token-uri=$CERT_URI /dev/loop0
```
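The two manual steps in the comment above (writing the p11-kit module file, and picking the right URL out of `p11tool --list-all` for systemd-cryptenroll) as an added POSIX shell example; this is not code from the thread or from booster. The `p11tool` listing is constructed sample data and the library path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from booster. Helpers for the
# manual steps above: write the p11-kit module file pointing at libykcs11.so,
# and pick the PKCS#11 URI of the "X.509 Certificate for Key Management"
# object out of `p11tool --list-all` output. Paths are assumptions.
set -eu

# Write the p11-kit module stanza. $1 = destination file (the real location is
# /etc/pkcs11/modules/ykcs11.module), $2 = path to libykcs11.so.
write_ykcs11_module() {
    mkdir -p "$(dirname "$1")"
    printf 'module: %s\n' "$2" > "$1"
}

# Read `p11tool --list-all` output on stdin and print the URL of the object
# whose Label equals $1 AND whose Type is an X.509 certificate. The key
# objects in the same slot carry similar labels, so matching on Type avoids
# handing systemd-cryptenroll a public-key URI by mistake. Exit 1 if absent.
find_cert_uri() {
    awk -v want="$1" '
        function check() {
            if (!found && url != "" && label == want && type ~ /^X\.509 Certificate/) {
                print url; found = 1; exit
            }
        }
        /^Object [0-9]+:/ { check(); url = type = label = "" }
        /^[ \t]*URL:/     { sub(/^[ \t]*URL:[ \t]*/, "");   url = $0 }
        /^[ \t]*Type:/    { sub(/^[ \t]*Type:[ \t]*/, "");  type = $0 }
        /^[ \t]*Label:/   { sub(/^[ \t]*Label:[ \t]*/, ""); label = $0 }
        END { check(); if (!found) exit 1 }'
}

# Constructed sample of what `p11tool --list-all $TOKEN_URI` prints for a
# YubiKey with a key in slot 9d (attribute values are made up).
SAMPLE_LISTING='Object 0:
	URL: pkcs11:model=YubiKey%20YK5;manufacturer=Yubico;token=YubiKey%20PIV;id=%03;object=Public%20key%20for%20Key%20Management;type=public
	Type: Public key (RSA-2048)
	Label: Public key for Key Management
	ID: 03

Object 1:
	URL: pkcs11:model=YubiKey%20YK5;manufacturer=Yubico;token=YubiKey%20PIV;id=%03;object=X.509%20Certificate%20for%20Key%20Management;type=cert
	Type: X.509 Certificate (RSA-2048)
	Label: X.509 Certificate for Key Management
	ID: 03'

CERT_URI=$(printf '%s\n' "$SAMPLE_LISTING" | find_cert_uri 'X.509 Certificate for Key Management')
echo "cert URI: $CERT_URI"
# Real token: CERT_URI=$(p11tool --list-all "$TOKEN_URI" | find_cert_uri 'X.509 Certificate for Key Management')
#             sudo systemd-cryptenroll --pkcs11-token-uri="$CERT_URI" /dev/loop0
```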
I'm against this. While PKCS#11 support would be nice, it's not clear to me how common the usage is to justify the feature. Besides, a more contemporary protocol/standard such as FIDO2 should generally be preferred instead as it's modern, future proof and requires no additional preparation.
Forking discussion off #96
Booster has `systemd-tpm2` and `systemd-fido2` tokens support. It would be great to add the `systemd-pkcs11` tokens as well. Booster needs a way to communicate with the pkcs11 device using some command-line tool and perform the same operation as systemd's code does.
Here is what I have
Now I am trying to use systemd-cryptsetup and it fails:
So it is not clear to me what is going on here.