Written on September 6, 2015
It turns out smartcards are cool. It also turns out there is no up-to-date documentation on using one to unlock an encrypted /root partition during boot. Frustrated by this, I got hold of a smartcard and dug in to figure out things myself. After all, how many 35+ character passwords am I supposed to remember?
The first card I purchased (https://www.amazon.com/PIVKey-C910-PKI-Smart-Card/dp/B00SJV2CNK/) was a dud. I mean you had to have Windows to set it up. Ugh. Browsing around I found an IT security company (hypersecu.com) that was selling cards individually (11 Canadian dollars each). Their website even mentioned OpenSC, so I gave them a shot.
There was no documentation with the card I purchased, but with the opensc package I was able to determine that what I had was a Feitian PKI Card (https://github.com/OpenSC/OpenSC/wiki/Feitian-PKI-card). The strongest RSA key pair that can be generated & stored on it is 2048 bits. So I guess it’s good enough for playing around with.
I tested out various smartcard operations (initializations, key pair generation, signing & verifying a hash, and encrypting & decrypting some text). Things seemed to work fine. I also came across this helpful blog post on using a smartcard to unlock a LUKS partition: https://blog.g3rt.nl/luks-smartcard-or-token.html.
But how do I unlock the /root partition? The initramfs is a CPIO archive that you can rebuild by running update-initramfs. That command uses scripts in /usr/share/initramfs-tools when it’s doing its thing. Digging through there (grepping), I found some files related to opensc - I knew I was on to something.
By reading through the discovered initramfs hooks, adding some print statements to them, rerunning cpio -idf < initramfs to inspect the initramfs, and restarting my VM many times, I was able to get it working. I’ve placed my instructions here https://github.com/ramann/smartcard-luks (choose the right branch), and have used them to set up three computers with encrypted root partitions that I can unlock with my smartcard. Pretty cool.