#!/usr/bin/env bash
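#######################################
# Print the command-line help to stderr.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stderr (stdout stays clean for callers)
# Returns:   0
#######################################
usage() {
  # Quoted delimiter: the text contains no expansions and must never gain any.
  cat >&2 <<'EOF'
Usage: yk-luks-open.sh [OPTIONS] DEVICE
Open a LUKS encrypted device with a YubiKey on NixOS (mapped as 'encrypted')
Options:
  -c, --storage=file      Path of the salt and iterations on the unencrypted device
                          (default: /mnt/boot/crypt-storage/default)
  -l, --key-length=number Length of the LUKS slot key in bits (default: 512)
  -p, --passphrase        Prompt for 2FA passphrase
  -s, --slot=number       Which slot on the YubiKey to challenge.
  -h, --help              Show this help
EOF
}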
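# Fail fast: an unchecked error, an unset variable or a failed pipeline stage
# aborts the script instead of silently deriving (and trying) a wrong key.
set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Get CLI options. Enhanced getopt returns non-zero on an unknown option or a
# missing argument; the original ignored that status and carried on.
if ! options=$(getopt --options "c:l:ps:h" --long "key-length:,passphrase,slot:,storage:,help" -- "$@"); then
  usage
  exit 2
fi
# Inspect CLI options
eval set -- "$options"
while true; do
  case "$1" in
    -c|--storage)
      STORAGE=$2
      shift 2
      ;;
    -l|--key-length)
      KEY_LENGTH=$2
      shift 2
      ;;
    -p|--passphrase)
      PROMPT_PHRASE=
      shift
      ;;
    -s|--slot)
      SLOT=$2
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    --)
      shift
      break
      ;;
    *)
      printf "Unhandled option '%s'\n" "$1" >&2
      exit 2
      ;;
  esac
done

# Inspect the device ("${1:-}" so a missing operand is reported, not an
# unbound-variable error under set -u).
DEVICE=${1:-}
if [[ -z "$DEVICE" ]]; then
  printf '%s\n' "Missing required option: DEVICE" >&2
  usage
  exit 1
fi
[[ -e "$DEVICE" ]] || die "No such device: $DEVICE"

# Set defaults from specified options
: "${STORAGE:=/mnt/boot/crypt-storage/default}"
: "${KEY_LENGTH:=512}"
# NOTE(review): the original always challenged YubiKey slot 2 and ignored
# --slot entirely. Defaulting to 2 keeps existing invocations working now that
# the option is honoured — confirm this matches the slot used at enrollment.
: "${SLOT:=2}"

# Validate the numeric options before they reach arithmetic or argv.
[[ "$KEY_LENGTH" =~ ^[1-9][0-9]*$ ]] || die "--key-length must be a positive number of bits: $KEY_LENGTH"
(( KEY_LENGTH % 8 == 0 )) || die "--key-length must be a multiple of 8: $KEY_LENGTH"
# SLOT becomes the ykchalresp flag (-1 / -2); anything else would be passed
# through as an arbitrary option.
[[ "$SLOT" == 1 || "$SLOT" == 2 ]] || die "--slot must be 1 or 2: $SLOT"

# Prompt for the passphrase
if [[ "${PROMPT_PHRASE+DEFINED}" ]]; then
  # No -r on purpose: the bytes fed to the KDF must match how the passphrase
  # was read at enrollment — TODO confirm against the enrollment script before
  # changing this.
  read -s -p "Passphrase: " USER_PASSPHRASE || die "Failed to read passphrase"
  echo
else
  USER_PASSPHRASE=
fi

# Look up salt and iterations (line 1 and line 2 of the storage file). An
# unreadable file used to yield an empty salt and a silently wrong key.
[[ -r "$STORAGE" ]] || die "Cannot read salt storage: $STORAGE"
SALT=$(awk 'NR == 1 { print }' < "$STORAGE")
ITERATIONS=$(awk 'NR == 2 { print }' < "$STORAGE")
[[ -n "$SALT" ]] || die "No salt found on line 1 of $STORAGE"
[[ "$ITERATIONS" =~ ^[1-9][0-9]*$ ]] || die "Invalid iteration count on line 2 of $STORAGE: $ITERATIONS"

# Calculate LUKS key: challenge = SHA-512(salt) as hex, response from the
# YubiKey, then PBKDF2-SHA512(passphrase + newline, response) truncated to
# KEY_LENGTH bits. printf instead of echo so salt/passphrase bytes are passed
# verbatim (no flag parsing, no word splitting).
CHALLENGE=$(printf '%s' "$SALT" | openssl dgst -binary -sha512 | rbtohex)
if ! RESPONSE=$(ykchalresp -"$SLOT" -x "$CHALLENGE") || [[ -z "$RESPONSE" ]]; then
  die "YubiKey challenge-response failed (is the key inserted and slot $SLOT configured?)"
fi
LUKS_KEY=$(printf '%s\n' "$USER_PASSPHRASE" | pbkdf2-sha512 "$((KEY_LENGTH / 8))" "$ITERATIONS" "$RESPONSE" | rbtohex)
[[ -n "$LUKS_KEY" ]] || die "Key derivation produced no output"

# Open the LUKS device. The key is fed over stdin only, never via argv or a
# file, and pipefail makes a failing hextorb/cryptsetup stage abort the script.
printf '%s' "$LUKS_KEY" \
  | hextorb \
  | cryptsetup open "$DEVICE" encrypted --key-file=-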