some notes to myself
Written on September 6, 2015
It turns out smartcards are cool. It also turns out there is no up-to-date documentation on using one to unlock an encrypted root (/) partition during boot. Frustrated by this, I got hold of a smartcard and dug in to figure things out myself. After all, how many 35+ character passwords am I supposed to remember?
The first card I purchased (https://www.amazon.com/PIVKey-C910-PKI-Smart-Card/dp/B00SJV2CNK/) was a dud. I mean, you had to have Windows to set it up. Ugh. Browsing around, I found an IT security company (hypersecu.com) that was selling cards individually (11 Canadian dollars each). Their website even mentioned OpenSC, so I gave them a shot.
There was no documentation with the card I purchased, but with the opensc package I was able to determine that what I had was a Feitian PKI Card (https://github.com/OpenSC/OpenSC/wiki/Feitian-PKI-card). The strongest RSA key pair that can be generated and stored on it is 2048 bits, so I guess it's good enough for playing around with.
I tested out various smartcard operations (initialization, key pair generation, signing and verifying a hash, and encrypting and decrypting some text). Things seemed to work fine. I also came across this helpful blog post on using a smartcard to unlock a LUKS partition: https://blog.g3rt.nl/luks-smartcard-or-token.html.
But how do I unlock the root (/) partition? The initramfs is a CPIO archive that you can rebuild by running update-initramfs. That command assembles the image from the hook and boot scripts under /usr/share/initramfs-tools (plus any local overrides in /etc/initramfs-tools). Digging through there (grepping), I found some files related to opensc - I knew I was on to something.
By reading through the discovered initramfs hooks, adding some print statements to them, rerunning update-initramfs, running cpio -idf < initramfs to inspect the resulting image, and restarting my VM many times, I was able to get it working. I've placed my instructions here: https://github.com/ramann/smartcard-luks (choose the right branch), and have used them to set up three computers with encrypted root partitions that I can unlock with my smartcard. Pretty cool.