Full disk encryption with Feitian PKI Card/Token and LUKS [Fixed]

Sure, we did some test too and we would love to see this feature.
The problem with the Debian script if pkcs15_crypt which is broken in OpenSC and needs some work.

I will get back to you with more information soon.

This is the diff of the relevant things in my /etc for luks setup.
Yes, the hook for the opensc related stuff is called "strace" in my system.
Look at the comments of the last two files.
This with the relevant howto should help you to bootstrap an ubuntu 11.10.

diff --git a/crypttab b/crypttab
index 99080be..f6e3e29 100644
--- a/crypttab
+++ b/crypttab
@@ -1 +1,2 @@
-sda2_crypt UUID=dcbd71cb-d637-422c-985f-39c7c3903b61 none luks
+#sda2_crypt UUID=dcbd71cb-d637-422c-985f-39c7c3903b61 none luks
+sda2_crypt UUID=dcbd71cb-d637-422c-985f-39c7c3903b61 /etc/keys/lukskey.enc luks,keyscript=decrypt_opensc
diff --git a/initramfs-tools/hooks/strace b/initramfs-tools/hooks/strace
new file mode 100755
index 0000000..af49aea
--- /dev/null
+++ b/initramfs-tools/hooks/strace
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+# Hooks for loading smartcard reading software into the initramfs
+
+copy_exec /usr/bin/strace
+copy_exec /lib/libpcsclite.so.1
+copy_exec /lib/x86_64-linux-gnu/libgcc_s.so.1
+copy_exec /lib/x86_64-linux-gnu/libusb-1.0.so.0
+copy_exec /etc/libccid_Info.plist
+
diff --git a/initramfs-tools/modules b/initramfs-tools/modules
index 9aa4646..c38b76d 100644
--- a/initramfs-tools/modules
+++ b/initramfs-tools/modules
@@ -8,3 +8,4 @@
#
# raid1
# sd_mod
+cryptopensc
diff --git a/initramfs-tools/scripts/local-bottom/cryptopensc2 b/initramfs-tools/scripts/local-bottom/cryptopensc2
new file mode 100755
index 0000000..475250c
--- /dev/null
+++ b/initramfs-tools/scripts/local-bottom/cryptopensc2
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -e
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+
+# Hook for stopping smartcard reading software
+
+if [ ! -e /usr/sbin/pcscd ]; then
+ echo "no pcscd"
+ exit 0
+fi
+
+# Start pcscd daemon nomrally. If it was started in foregound, chances are
+# it'll harmlessly complain about missing /var/run/pcscd* files due to the root
+# filessytem being remounted.
+kill -9 `ps ax |grep pcsc|grep -v grep|awk '{print $1}'`
+
diff --git a/keys/lukskey.enc b/keys/lukskey.enc
new file mode 100644
index 0000000..77c93c7
--- /dev/null
+++ b/keys/lukskey.enc
@@ -0,0 +1,3 @@
#you want to place the luks key encrypted with your encryption key here.
\ No newline at end of file
diff --git a/reader.conf b/reader.conf
new file mode 100644
index 0000000..e69de29
#just touch /etc/reader.conf

Maybe I wasn't clear: luks encryption is workinig for me with the above detailed changes to a ubuntu 10.10.

Dear gooze,

You are insulting me.
I am very close to be saint of emacs. Only I use vi and the following non-free software:
- adobe flash plugin
- The Incredible Machine
And none of the above have anything to do with smart cards.

Sorry, we didn't mean to insult you :)

Thanks for your solution.
You are the happy winner of one free ePass2003 for submitting us a solution for using LUKS.

Let the force be with you!

Hi,

thanks for the script!

I made some improvements (working here on Ubuntu oneiric), like splash screen integration for pin entry, and fallback to passphrase unlock in case smartcard unlock fails.

If you are too slow while inserting the card or typed in a wrong PIN, simply let the passphrase prompt fail (i.e. by pressing return). Smart card unlock will be offered again.

Edit: new decrypt_opensc diff


###------- /etc/initramfs-tools/modules -------
### Added depencies for libccidtwin.so based PCMCIA readers
###
--- a/etc/initramfs-tools/modules
+++ b/etc/initramfs-tools/modules
@@ -9,3 +9,5 @@
#
# raid1
# sd_mod
+pcmcia
+serial_cs

###------- /etc/initramfs-tools/hooks/strace -------
### Added depencies for libccidtwin.so based PCMCIA readers
###
### Please exec: ln -s /etc/reader.conf /etc/reader.conf.d/reader.conf
### And don't forget to make this script executable.
###
--- a/etc/initramfs-tools/hooks/strace
+++ b/etc/initramfs-tools/hooks/strace
@@ -20,6 +20,8 @@ esac

# Hooks for loading smartcard reading software into the initramfs

+copy_exec /etc/pcmcia/config.opts
+copy_exec /etc/reader.conf.d/reader.conf
copy_exec /usr/bin/strace
copy_exec /lib/libpcsclite.so.1
copy_exec /lib/i386-linux-gnu/libgcc_s.so.1

###------- /lib/cryptsetup/scripts/decrypt_opensc -------
### Added support for splash screens, use only a specific key, reduced reader timeout (5 seconds).
###
### IMPORTANT: Replace ENTER_YOUR_KEY_ID_HERE with the key id to use!
###
--- a/lib/cryptsetup/scripts/decrypt_opensc
+++ b/lib/cryptsetup/scripts/decrypt_opensc
@@ -9,6 +9,9 @@
# Although opensc-tool --help reports that there is a --wait option, it doesn't
# seem to be implemented.

+# Set key id to unlock here
+keyid=ENTER_YOUR_KEY_ID_HERE
+
check_card() {
cardfound=0

@@ -23,7 +26,7 @@ wait_card() {
if [ $cardfound = 0 ] ; then
echo "Waiting for Smart Card..." >&2
tries=0
- while [ $cardfound = 0 -a $tries -lt 60 ] ; do
+ while [ $cardfound = 0 -a $tries -lt 5 ] ; do
sleep 1
check_card
tries=$(($tries + 1))
@@ -39,9 +42,16 @@ wait_card
if [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then
# Get pin number from usplash
/sbin/usplash_write "INPUTQUIET Enter pin for $crypttarget ($cryptsource): "
- /usr/bin/pkcs15-crypt --decipher --input $1 --pkcs1 --raw --pin "$(cat /dev/.initramfs/usplash_outfifo)"
+ /usr/bin/pkcs15-crypt --decipher --key $keyid --input $1 --pkcs1 --raw --pin "$(cat /dev/.initramfs/usplash_outfifo)"
else
- # Get pin number from console
- /usr/bin/pkcs15-crypt --decipher --input $1 --pkcs1 --raw < /dev/console 2> /dev/console
+ askprompt="Enter smart card PIN for $crypttarget ($cryptsource): "
+ if [ -x /bin/plymouth ] && plymouth --ping; then
+ /bin/plymouth ask-for-password --prompt "$askprompt" | /usr/bin/pkcs15-crypt --decipher --key $keyid --input $1 --pkcs1 --raw -
+ elif [ -x /lib/udev/watershed ] && [ -x /lib/cryptsetup/askpass ]; then
+ /lib/udev/watershed /lib/cryptsetup/askpass "$askprompt" | /usr/bin/pkcs15-crypt --decipher --key $keyid --input $1 --pkcs1 --r
+ else
+ # Get pin number from console
+ /usr/bin/pkcs15-crypt --decipher --input $1 --pkcs1 --raw < /dev/console 2> /dev/console
+ fi
fi
exit $?

###------- /usr/share/initramfs-tools/scripts/local-top/cryptroot -------
### Added support for splash screens, fallback to passphrase if smart card unlock fails.
###
--- a/usr/share/initramfs-tools/scripts/local-top/cryptroot
+++ b/usr/share/initramfs-tools/scripts/local-top/cryptroot
@@ -69,6 +69,7 @@ parse_options()
cryptkeyscript=""
cryptkey="" # This is only used as an argument to an eventual keyscript
crypttries=3
+ cryptfallback=1
cryptrootdev=""
CRYPTTAB_OPTIONS=""

@@ -283,8 +284,28 @@ setup_mapping()

if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
$cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
- message "cryptsetup: cryptsetup failed, bad password or options?"
- continue
+ if [ $cryptfallback -le 0 ]; then
+ message "cryptsetup: cryptsetup failed, bad password or options?"
+ continue;
+ else
+ message "cryptsetup: cryptsetup failed, falling back to passphrase unlock!"
+ /bin/sleep 3
+
+ FB_cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
+ if [ -x /bin/plymouth ] && plymouth --ping; then
+ FB_cryptkeyscript="plymouth ask-for-password --prompt"
+ FB_cryptkey=$(echo -e "$FB_cryptkey")
+ else
+ FB_cryptkeyscript="/lib/cryptsetup/askpass"
+ fi
+
+
+ if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
+ $FB_cryptkeyscript "$FB_cryptkey" | $cryptcreate --key-file=- ; then
+ message "cryptsetup: cryptsetup failed, bad password or options?"
+ continue;
+ fi
+ fi
fi

if [ ! -e "$NEWROOT" ]; then

Thank you,

I have sent you a package containing a readme and example files.

Some modified files like /usr/share/initramfs-tools/scripts/local-top/cryptroot are very long, posting it here looks a bit chaotic.

Could you please upload & share your patch with us via dropbox/box.net or similia ? Thank you .

Hi, continuing my work I fixed a bug in "cryptroot" script preventing it from honoring the "tries" option in /etc/crypttab (the times it should ask for password before giving up).

However I can't add passphrase unlocking fallback in case of script assisted drive unlocking (as with decrypt_opensc); anyone willing to help please?

You can find my revised scripts here:

http://dl.dropbox.com/u/35396310/decrypt_opensc
http://dl.dropbox.com/u/35396310/cryptroot

copy "decrypt_opensc" in "/lib/cryptsetup/scripts/"
copy "cryptroot" in "/usr/share/initramfs-tools/scripts/local-top/"
set them executable with "chmod +x [file]"
then do "update-initramfs -u"

Alex

Thank you so much degrunert, you are perfectly right about key id, maybe that should be passed as a parameter from /etc/crypttab rather than hardcoded every time in the script by the user; also I think there should be some checking about smart card/ key identification (maybe serial number), however I don't know where to start with, I don't even know if it's currently feasible with the current plymouth/upstart infrastructure.