As Byzantium for Librem5 is coming closer:
Is there an update regarding LUKS with an individual key?
May be also with support for the Smartcard?
3 Likes
i think Byzantium will ship with luks by default at some point. Meanwhile I wrote this tutorial into how to manually enable and use luks encryption. its not an ideal method yet, but good enough to test. it also shows with confidence that sooner than later it will work natively
2 Likes
But there is still the issue left that its not using unique keys, correct?
And no smartcard support for decrypting instead of the password.
thats correct, hence the ânot idealâ method.
at the bottom of the tutorial i hint at two possible methods to generate our own keys, like using the jumpdrive, would be great if someone takes it forward from there. otherwise hoping byzantium will bring native luks very soon!
I also wanted the smartcard feature and found a way to unlock Luks with a smartcard on the PinePhone with Mobian. Although this is not PureOS, both are Debian distros and in general it should work with the Librem 5 too. Iâve modified the script from Purism to automate the configuration. Fell free to have a look at https://github.com/sam-m7/smartcard-luks-osk.
As Iâve only tested it on the PinePhone (donât have my Librem 5 yet) and you might need to add other kernel modules to the initramfs on a Librem 5 I wouldnât recommend to just execute it, if youâre not feeling ok with reinstalling the OS and loosing all the data stored on the phone.
6 Likes
I just reencrypted my LUKS partition and posted the steps in the Tutorial post
3 Likes
I would assume that the following needs to be integrated in the initramfs for your smartcard-luks-osk script in one way or another:
Thats a part from here:
1 Like
If you want to use the smartcard reader of the phone then yes. We might need some other kernel module if we want to use a Librem/Nitro Key or some other OpenGPG USB smartcard connected to the USB-C Port.
I just tested your script on my L5 with my external SmartCardReader
I had to hardcode ROOT_LUKS = âcrypt_rootâ
Then the script run fine when I executed it as root.
I connected my external SmartCardReader already before pressing the power button and I could unlock it. Also when I inserted it some seconds after pressing the power button.
If I enter the wrong key for my smartcard reader the decryption fails and I have to restart my Librem5.
If I just wait without the smartcard reader and enter the wrong LUKS password, I have to wait 90 seconds for my next try.
If I then enter the correct LUKS password it decrypts successful.
Optimization points would be:
1.) ROOT_LUKS should be âcrypt_rootâ for Librem5
Others would just improve the user experience
2.) When it waits for the smartcard it would be good if some hint is displayed.
3.) If the smartcard operation fails, the user should get the option to try it once more.
4.) If no smartcard reader was inserted and the user enters the wrong password, it should get another chance without waiting for a new timeout.
My integrated smartcard reader is not probably working, so I could not test it with it.
1 Like
Hi,
@Hologram
A patch to see a message when it is waiting for the smartcard during boot.
It is for the https://github.com/sam-m7/smartcard-luks-osk/blob/master/files/decrypt_gnupg-sc-osk
--- decrypt_gnupg-sc-osk.orig 2021-10-17 17:58:47.125919486 +0200
+++ decrypt_gnupg-sc-osk 2021-10-17 18:01:42.690929892 +0200
@@ -27,7 +27,6 @@
export SDL_VIDEODRIVER=kmsdrm
-plymouth hide-splash 2>/dev/null
if [ -d "/cryptroot/gnupghome" ]; then
export GNUPGHOME="/cryptroot/gnupghome"
@@ -61,15 +60,18 @@
exit 1
fi
+plymouth message --text "Insert your smartcard..." 2>/dev/null
sc_available=0
time_count=0
while [ $sc_available -ne 1 ]; do
if run_gpg --batch --quiet --no-tty --card-status >/dev/null
then
sc_available=1
+ plymouth hide-splash 2>/dev/null
else
if [ $time_count -gt 90 ]
then
+ plymouth hide-splash 2>/dev/null
echo "Using fallback and just forwarding keyboard output..." >&2
exec /usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf
plymouth show-splash 2>/dev/nullI successfully tested it on my Librem 5 (Byzantium) with my external smartcard reader.
Kind regards,
Christoph
3 Likes
I just discovered your script @Hologram and wanted to say thanks for creating it!
This is because fstab on the L5 PureOS shows the UUID for the root device instead of the /dev/mapper file. I made the following modification to the above script to account for that:
$ diff smartcard-luks-osk smartcard-luks-osk.bak
29,34d28
< case $ROOT_LUKS in
< UUID=*)
< UUID=`echo $ROOT_LUKS | cut -f2 -d '='`
< ROOT_LUKS=`blkid -U $UUID | sed 's/\/dev\/mapper\///'`
< ;;
< esac
So that this section in that script ultimately looks like this:
# Discover the root LUKS device
ROOT_LUKS=`grep -v '^#' /etc/fstab | col | egrep '[[:space:]]+\/[[:space:]]+' | cut -f1 -d ' '| sed 's/\/dev\/mapper\///'`
case $ROOT_LUKS in
UUID=*)
UUID=`echo $ROOT_LUKS | cut -f2 -d '='`
ROOT_LUKS=`blkid -U $UUID | sed 's/\/dev\/mapper\///'`
;;
esac
crypttab_find_entry $ROOT_LUKS
ROOT_DEV=$CRYPTTAB_SOURCE
However in my case Iâm using the internal Librem 5 smartcard reader. When I tried it, I get a flash of the splash screen, then black, then after 90s timeout I get the normal keyboard prompt. I suspect in my case my internal smart card hardware is not being detected but thatâs just a guess right now. I just started testing this today.
2 Likes
Thanks for the feedback @Cc281080 and @Kyle_Rankin. I might find time the next few days/weeks to test the script again and add the changes. Iâve also had the issue with the UUID instead of /dev/mapper using the original script from Purism (https://source.puri.sm/pureos/packages/smartcard-key-luks/-/blob/master/smartcard-key-luks) on my PC/Librem 14 a few months ago. I think it should be changed there too as this can happen on new Debian/PureOS installations.
Itâs a good point. Iâll try to do that later today.
I changed my upstream script but I was also able to get smart card support working! I tried to assemble the necessary changes into this pull request:
I know that since you donât have a Librem 5 you canât test this, but hopefully we can get some folks in the forum to try this out and then if it works we can decide on the best way to roll this in. At the moment Iâm thinking the best way might be to incorporate all of this into my original script so that it can handle both desktop and mobile use cases.
4 Likes