tux19
/
nixos-configuration
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

prevent luks key change after decryption to support multiple yubikeys

Browse Source 
This means that the salt in the /boot/crypt-storage/default is not
updated anymore.
main
Christian Ott 2 years ago
parent fb0479665f
commit d161b56980
2 changed files with 17 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 4
      hardware-configuration.nix
  2. 12
      my-luksroot.nix

4
hardware-configuration.nix
Unescape View File

@ -4,8 +4,11 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
disabledModules = ["system/boot/luksroot.nix"];
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
./my-luksroot.nix
]; ];
boot.initrd = { boot.initrd = {
@ -23,6 +26,7 @@
gracePeriod = 30; gracePeriod = 30;
keyLength = 64; keyLength = 64;
saltLength = 16; saltLength = 16;
replaceKey = false;
storage = { storage = {
device = "/dev/disk/by-partlabel/disk-main-ESP"; device = "/dev/disk/by-partlabel/disk-main-ESP";

12
my-luksroot.nix
Unescape View File

@ -275,6 +275,7 @@ let
local new_challenge local new_challenge
local new_response local new_response
local new_k_luks local new_k_luks
local replace_key
mount -t ${dev.yubikey.storage.fsType} ${dev.yubikey.storage.device} /crypt-storage || \ mount -t ${dev.yubikey.storage.fsType} ${dev.yubikey.storage.device} /crypt-storage || \
die "Failed to mount YubiKey salt storage device" die "Failed to mount YubiKey salt storage device"
@ -283,6 +284,7 @@ let
iterations="$(cat /crypt-storage${dev.yubikey.storage.path} | sed -n 2p | tr -d '\n')" iterations="$(cat /crypt-storage${dev.yubikey.storage.path} | sed -n 2p | tr -d '\n')"
challenge="$(echo -n $salt | openssl-wrap dgst -binary -sha512 | rbtohex)" challenge="$(echo -n $salt | openssl-wrap dgst -binary -sha512 | rbtohex)"
response="$(ykchalresp -${toString dev.yubikey.slot} -x $challenge 2>/dev/null)" response="$(ykchalresp -${toString dev.yubikey.slot} -x $challenge 2>/dev/null)"
replace_key="${toString dev.yubikey.replaceKey}"
for try in $(seq 3); do for try in $(seq 3); do
${optionalString dev.yubikey.twoFactor '' ${optionalString dev.yubikey.twoFactor ''
@ -329,10 +331,12 @@ let
else else
opened=false opened=false
echo "Authentication failed!" echo "Authentication failed!"
rm -f /crypt-ramfs/passphrase
fi fi
done done
[ "$opened" == false ] && die "Maximum authentication errors reached" [ "$opened" == false ] && die "Maximum authentication errors reached"
if [ "$replace_key" == "true" ]; then
echo -n "Gathering entropy for new salt (please enter random keys to generate entropy if this blocks for long)..." echo -n "Gathering entropy for new salt (please enter random keys to generate entropy if this blocks for long)..."
for i in $(seq ${toString dev.yubikey.saltLength}); do for i in $(seq ${toString dev.yubikey.saltLength}); do
@ -374,6 +378,8 @@ let
fi fi
rm -f /crypt-ramfs/new_key rm -f /crypt-ramfs/new_key
fi
umount /crypt-storage umount /crypt-storage
} }
@ -825,6 +831,12 @@ in
description = lib.mdDoc "Time in seconds to wait for the YubiKey."; description = lib.mdDoc "Time in seconds to wait for the YubiKey.";
}; };
replaceKey = mkOption {
default = true;
type = types.bool;
description = lib.mdDoc "Whether to replace the salt and luks key after a YubiKey was used. => Only one YubiKey can be used";
};
/* TODO: Add to the documentation of the current module: /* TODO: Add to the documentation of the current module:
Options related to the storing the salt. Options related to the storing the salt.

Write Preview
Loading…
Cancel
Save

Powered by TurnKey Linux.