artosan / nitroluks

Unlock LUKS disk by Nitrokey on boot.
GNU General Public License v2.0

nitrokey start #1

Open drzraf opened 6 years ago

drzraf commented 6 years ago

Is there a way to mock nitrokey start features in order to provide similar luks abilities with this key?

artosan commented 6 years ago

To the best of my knowledge, nitrokey start does not have a static password safe built in so, therefore, it is not possible.

However, one possibility would be to use OpenPGP to encrypt the password file, decrypt that during the boot by using nitrokey and recover the password in that way. In this case, the password would be stored in some location which can be accessed during boot, e.g., an external USB key.

Or did you mean something else by mocking?

drzraf commented 6 years ago

Yes, that's what I was thinking. The encrypted password could even be stored in the boot/EFI partition. Example: https://blog.kumina.nl/2010/07/two-factor-luks-using-ubuntu/ (see "Fetch decrypt_luks.sh and gpg_luks and store these files as well.") ... but it lacks unified distribution.

artosan commented 6 years ago

I'll see what I can do, this would be a nice addition and that example you gave is a good starting point!

Stay tuned, I might implement this in near future.

artosan commented 6 years ago

Ok, I was working with this and I got it to work.

The way it works is the following: The keyfile is copied into the initramfs, where it is read during boot and decrypted, and the decrypted password is then used to unlock the LUKS disk.

I will still do some code cleanup and add some logic to the installation scripts etc.

I'll push it here shortly.

drzraf commented 6 years ago

Great! Curious to see it.

fourlexboehm commented 5 years ago

Any idea of when this will be added? I might try to implement it myself for Archlinux.

artosan commented 5 years ago

I have an initial implementation of this feature and I'll share it with you when I am back from vacation at the beginning of January.

On Tue, 18 Dec 2018 at 19.21, fourlexboehm notifications@github.com wrote:

Any idea of when this will be added? I might try to implement it myself for Archlinux.


fourlexboehm commented 5 years ago

Are you back from your vacation? Thanks for the help

artosan commented 5 years ago

I added the initial implementation, which can be found here: https://github.com/artosan/nitroluks/tree/gpg-support

Now, it has been a while since I last tried it and it requires manual editing of the initramfs-hook.

Please try it out (preferably in a VM) and give feedback if it is not working. I'll start working on this now, since I have more time available.

The documentation is not yet complete so please let me know if you can't figure out how to get it to work before I have updated it.