diff options
author | Christian Hesse <mail@eworm.de> | 2015-01-06 20:56:19 +0100 |
---|---|---|
committer | Christian Hesse <mail@eworm.de> | 2015-01-06 20:56:19 +0100 |
commit | 06fc9a2ae377c1d90ade46302c21dd886397a2af (patch) | |
tree | a1223803e3c96733b2ad1901a00542ec0b7334d7 | |
parent | e9810f76dae9471d61d3ca475a762d9d64de08bc (diff) | |
parent | c573cf05158b38c273727898d472280b7e858b51 (diff) | |
download | mkinitcpio-ykfde-06fc9a2ae377c1d90ade46302c21dd886397a2af.tar.gz mkinitcpio-ykfde-06fc9a2ae377c1d90ade46302c21dd886397a2af.tar.zst |
Merge pull request #2 from nj0y/dev
Update Documentation from Dracut & modified dracut
-rw-r--r-- | README-dracut.md | 62 | ||||
-rwxr-xr-x | dracut/module-setup.sh | 1 |
2 files changed, 56 insertions, 7 deletions
diff --git a/README-dracut.md b/README-dracut.md index bdbe718..9eb7664 100644 --- a/README-dracut.md +++ b/README-dracut.md @@ -9,12 +9,21 @@ Requirements To compile and use yubikey full disk encryption you need: -[...] +* libyubikey-devel +* ykpers-devel +* iniparser-devel +* libarchive-devel +* cryptsetup-devel +* python-markdown +* systemd-devel Build and install ----------------- -Building and installing is very easy. Just run: +Building and installing is very easy. Make sure you have a Softlink from markdown to markdown_py +> ln -s /bin/markdown_py /bin/markdown + +Just run: > make @@ -28,10 +37,12 @@ Usage ----- Make sure systemd knows about your encrypted device by -adding a line to `/etc/crypttab.initramfs`. It should read like: +adding a line to `/etc/crypttab`. It should read like: > `mapping-name` /dev/`LUKS-device` - +Normally, there is already an entry for your device. + Update `/etc/ykfde.conf` with correct settings. Add `mapping-name` from above to `device name` in the `general` section. Then add a new section with your key's decimal serial number containing the key slot setting. @@ -56,10 +67,47 @@ This will store a challenge in `/etc/ykfde.d/` and add a new slot to your LUKS device. When `ykfde` asks for a password it requires a valid password from available slot. -[...] +Build the dracut: + +> dracut -f + +Now you have two choices. If you want, that the challenges are updated every boot, go on. else stop here. + +### change challenges on boot + +To change the challenges every boot it takes too long to generate whole new initramfs. So we load an additional initram with the bootloader. + +Build the cpio archive with the challenges: + +> ykfde-cpio + +Setup your bootloader with the the additional initram '/boot/ykfde-challenges.img' + +#### Setup GRUB2 + +For ex. change /boot/grub2/grub.cfg + + initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img + +to + + initrd /initramfs-3.10.0-123.13.2.el7.x86_64.img /ykfde-challenges.img + + +with EFI /boot/efi/../grub.cfg + + initrdefi /initramfs-3.17.7-300.fc21.x86_64.img + +to + + initrdefi /initramfs-3.17.7-300.fc21.x86_64.img /ykfde-challenges.img + +### enable service + +Enable `systemd` service `ykfde-cpio.service`. it generate every boot a new challenge and updates the initram `ykfde-challenges.img` and the LUKS passphrase. + +*Be carefully:* Do not enable if you haven't setup the bootloader with the ykfde-challenges.img. If you do, you have to rebuild with dracut manually every time the service is executed. + -Additionally enable `systemd` service `ykfde-cpio.service` and make your -bootloader load the new `cpio` image `/boot/ykfde-challenges.img` (in -addition to your usual initramfs). Reboot and have fun! diff --git a/dracut/module-setup.sh b/dracut/module-setup.sh index 86fcd32..d907ba7 100755 --- a/dracut/module-setup.sh +++ b/dracut/module-setup.sh @@ -15,6 +15,7 @@ install() { inst_simple "$moddir/ykfde.sh" /sbin/ykfde.sh inst_simple /usr/lib/udev/ykfde inst_simple /etc/ykfde.conf + inst_dir /etc/ykfde.d/* dracut_need_initqueue } |