Unlock LUKS disk by Nitrokey on boot using the password vault which is built in Nitrokey Pro and Nitrokey Storage.
Support for Nitrokey Start is coming shortly. It works by adding support for keyfiles, i.e., the LUKS password would be stored in an encrypted file within the initramfs which is decrypted during the boot by Nitrokey.
This method will of course work with Nitrokey Pro and Nitrokey Storage also.
This is an early version, and I have only tested it personally by running it on my computer.
YOU CAN MAKE YOUR DEBIAN UNBOOTABLE IF YOU MESS UP THE crypttab or initramfs SO BE CAREFUL. You have been warned.
Please take backups of any important files and make sure that you have backup initramfs which you can use as a fallback if the installation messes your boot up for some reason.
This package could potentially work with Ubuntu also, but I have not tested it.
Moreover, the directory structure is not compliant with Debian project guidelines. I will be improving the package structure, code quality and make sure that this also works with Ubuntu shortly so stay tuned.
Before the installation, you must do some preparation steps.
First, add a new password to your Nitrokey, the easiest way is to use nitro-app. Go to password safe and add a new slot, name the slot as LUKS and generate the password for the slot and save it.
Next, add the same password to your LUKS disk, i.e. # cryptsetup luksAddKey /dev/<device> and make sure you use the same key as you stored into your Nitrokeys LUKS slot.
Note that IT IS IMPORTANT THAT THE SLOT NAME IN THE NITROKEY IS LUKS OTHERWISE YOU CAN NOT UNLOCK YOUR DISK BY NITROKEY!
Make sure you have devscripts, libhidapi-dev and cmake installed.
Clone this repo and run make debianize.
After this step, you will find nitroluks_0.1-1_arch.deb the package under DEBUILD directory.
Install it by running dpkg -i nitroluks_0.1-1_arch.deb
This package has dependency to libhidapi-libusb0 which can be installed by running apt install libhidapi-libusb0
After these steps, edit your /etc/crypttab file and add keyscript=/usr/bin/keyscript.sh to your luks entry. Please consult the crypttab manual for more information.
See nitroluks_crypttab as an example how the crypttab file should look.
Run update-initramfs -u
If the Nitrokey is not connected during the boot, the PIN is locked, or something else blocks you for using the Nitrokey, you will get the default LUKS password prompt which you can use to unlock the disk.
If you have multiple slots named as LUKS in your Nitrokey, the first one will be used.
This repo also contains a copy of libnitrokey which can be found here.