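#!/bin/sh
# Open a LUKS container whose key is derived from a YubiKey
# challenge-response (slot 2), using the password created with
# yubikey-luks-enroll.
#
# Usage: yubikey-luks-open [-d <partition>] [-n <name>] [-v] [-h]
#
# Settings are resolved in this order: built-in defaults below, then
# /etc/ykluks.cfg, then command-line options.

DISK="/dev/sda3"
NAME="yubikey-luks"
DBG=0

set -e

# The config file is sourced, so its contents run with this script's
# privileges (root, see the check below). Keep it owned by root and not
# writable by anyone else.
# NOTE(review): HASH and CONCATENATE are read further down but never set in
# this script; presumably they come from this file -- confirm.
. /etc/ykluks.cfg

if [ "$(id -u)" -ne 0 ]; then
    echo "You must be root." 1>&2
    exit 1
fi

# Print the option summary.
usage() {
    echo
    echo " -d <partition>: select existing partition"
    echo " -n <name> : set the new container name"
    echo " -v : show input/output in cleartext"
    echo
}

# The leading ':' in the optstring selects getopts' silent mode: a missing
# argument is reported as ':' and an unknown option as '?', both with the
# offending letter in OPTARG.
while getopts ":d:n:hv" opt; do
    case "$opt" in
        d)
            DISK=$OPTARG
            echo "setting disk to $OPTARG."
            ;;
        n)
            NAME=$OPTARG
            echo "setting name to $OPTARG."
            ;;
        v)
            DBG=1
            echo "debugging enabled"
            ;;
        h)
            usage
            exit 1
            ;;
        :)
            # Previously unhandled: "-d" or "-n" without a value was ignored.
            echo "Option -$OPTARG requires an argument." >&2
            usage >&2
            exit 1
            ;;
        \?)
            # Stop here instead of continuing with a half-parsed command
            # line and opening a device the caller did not intend.
            echo "Invalid option: -$OPTARG" >&2
            usage >&2
            exit 1
            ;;
    esac
done

echo "This script will try opening $NAME LUKS container on drive $DISK . If this is not what you intended, exit now!"

P1=$(/lib/cryptsetup/askpass "Please insert a yubikey and enter password created with yubikey-luks-enroll.")

# Every DBG branch below prints secret material (password, hash, token
# response, final LUKS key) to stdout. Only use -v on a private terminal
# whose output is not logged or recorded.
if [ "$DBG" = "1" ]; then echo "Password: $P1"; fi

if [ "$HASH" = "1" ]; then
    # Replace the password by its SHA-256 hex digest (64 characters) before
    # it is used as the challenge. This is a plain unsalted hash, not key
    # stretching.
    P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
    if [ "$DBG" = "1" ]; then echo "Password hash: $P1"; fi
fi

# Feed the challenge on stdin (-i-) instead of as a command-line argument,
# so the password or its hash is not visible in the process list to other
# local users. Requires a ykchalresp that supports -i.
# '|| true' keeps 'set -e' from aborting when no token answers.
R="$(printf %s "$P1" | ykchalresp -2 -i- 2>/dev/null || true)"
if [ "$DBG" = "1" ]; then echo "Yubikey response: $R"; fi

if [ -z "$R" ]; then
    # ykchalresp's own diagnostics are discarded above, so say explicitly
    # that the key sent to cryptsetup lacks the token's contribution.
    echo "Warning: no response received from the yubikey." >&2
fi

# The key is piped to cryptsetup on stdin. If cryptsetup fails, 'set -e'
# ends the script with its exit status.
if [ "$CONCATENATE" = "1" ]; then
    # Key = password (or its hash) followed by the token response.
    printf %s "$P1$R" | cryptsetup luksOpen "$DISK" "$NAME" 2>&1
    if [ "$DBG" = "1" ]; then echo "LUKS key: $P1$R"; fi
else
    # Key = token response only.
    printf %s "$R" | cryptsetup luksOpen "$DISK" "$NAME" 2>&1
    if [ "$DBG" = "1" ]; then echo "LUKS key: $R"; fi
fi

exit 0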