[packages/opensc.git] / opensc-initramfs-README

openct with cryptsetup and luks in Debian
-----------------------------------------

This is a overview on how you can make use of cryptsetup with your smartcard
device supported by openct. Please make sure that your smartcard reader or token
is supposed to be operated with openct and not with opensc or pcscd. You can get
some information about the supported hardware by openct at the following
homepage:

	<http://www.opensc-project.org/openct/>

This example is based on the ability of openct to store arbitrary data objects
on the smartcard. Note that you therefore have to use openct in version 0.6.12
or newer, any versions before 0.6.12 do not properly support data objects.

Although this use case was done with the Aladdin eToken PRO 32k, an USB crypto
token, this is a generic approach which works the same way with all supported
smartcard devices by openct.

First of all, you should plug in your crypto token into USB or whatever
interface it uses and initalize the reader with the following command (as root):

	# openct-control init

To check if your reader has been detected, you can run:

	# openct-tool list

This should give you a similar result to this:

	0 Aladdin eToken PRO

If you do not see any reader listed, you have a problem and should read again
about the supported hardware on <http://www.opensc-project.org/openct/> and make
sure you have the required support (e.g. USB) compiled into your kernel needed
to connect to your token. If you use a precompiled kernel from Debian,
everything is already built kernelwise and you probably only need to load the
module.

In case you want to erase your previously used smartcard, you can do that by
executing the following command:

	# pkcs15-init --erase-card

To setup the smartcard, you need to do the following:

	# pkcs15-init --create-pkcs15

Caution: You are beeing asked about the 'Security Officer PIN' and the 'User
unblocking PIN'. Although both of these pins are optional and can be left empty,
you should never do this: In case the personal user pin is typed wrong for a
given number (mostly three times), the smartcard is locked and can only be
unlocked with the user unblocking pin. If you even mistype the user unblocking
pin for a given number (mostly three times), the smartcard is locked and can
only be unlocked with the security officer pin, which is the most superior pin
in this hierarchy. With an unset (empty) security officer pin or user unblocking
pin, depending on the smartcard, an attacker can have unlimited tries to crack
your personal user pin, or, an attacker can simply make the smarcard unusable as
it cannot be unlocked anymore at all.

To create a new identity on the smartcard, do the following:

	# pkcs15-init --store-pin --auth-id 01 --label "Daniel Baumann"

If you have already one or more identities, you certainly want to bump the
auth-id here, and normally, the label used to describe the identify is the
persons first and last name.

As we want to use the smartcard with luks, we first need to get some random
data:

	# dd if=/dev/random of=data.txt bs=1 count=32

And we store that random data as a data object to the private section of the
smartcard with:

	# pkcs15-init --store-data data.txt --auth-id 01

As of the time of writing, openct version 0.6.12 is available and does not
support labeling different data objects. Once this gets fixed in openct
upstream, you can store multiple data objects to the smartcard (create them by
appending '--label foo' to the above command and replace foo with the label you
want to use).

Then, read the random data from the smartcard in order...

	# pkcs15-tool --read-data-object pkcs15-init -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1
	# pkcs15-tool --read-data-object pkcs15-init -o key.txt 1>/dev/null 2>&1

...to import that output to luks as a valid key (assumed that /dev/sda5 is your
encrypted partition):

	# cryptsetup luksAddKey /dev/sda5 key.txt

To tell cryptsetup to let you authenticate with the openct backend, you need to
pass the respective decrypt script to it as a parameter in /etc/crypttab
(assumed that /dev/sda5 is your encrypted partition):

	sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct

At the moment all data objects have the same label 'pkcs15-init'. Once openct
supports labeling data objects, you can pass the respective label to openct with
the key parameter in /etc/crypttab like this:

	sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct,key=foo

For the time beeing, 'pkcs15-init' is passed to openct when no key is specified.

Don't forget to backup key.txt to a save place and remove the temporary files
afterwards:

	# shred -uz key.txt data.txt

Caution: cryptsetup as of version 1.0.5-1 does not support fallback to passphrase
if smartcard authentification fails (bee it three times wrong pin or not
compatible/not detected smartcard reader). That means, that for testing
purposes, it is recommended to keep an initrd image in /boot available which
does *not* use openct or opensc for authentification, so that you can change
your bootloader configuration on the fly if something does not work out as
expected. Therefore, copy your current initrd (the .bak backups from
initramfs-tools can maybe get overwritten by update-initramfs during the setup
of openct, so it is better to be on the save side):

	# cp /boot/initrd.img-`uname -r` /boot/initrd.img-`uname -r`.temp

If you have completed all the steps upto now, you can update your initramfs
image with:

	# update-initramfs -u -k `uname -r`

and reboot your machine.

 -- Daniel Baumann <baumann@swiss-it.ch>  Wed, 22 Aug 2007 10:36:00 +0200
Commit	Line	Data
	1	openct with cryptsetup and luks in Debian
	2	-----------------------------------------
	3
	4	This is a overview on how you can make use of cryptsetup with your smartcard
	5	device supported by openct. Please make sure that your smartcard reader or token
	6	is supposed to be operated with openct and not with opensc or pcscd. You can get
	7	some information about the supported hardware by openct at the following
	8	homepage:
	9
	10	<http://www.opensc-project.org/openct/>
	11
	12	This example is based on the ability of openct to store arbitrary data objects
	13	on the smartcard. Note that you therefore have to use openct in version 0.6.12
	14	or newer, any versions before 0.6.12 do not properly support data objects.
	15
	16	Although this use case was done with the Aladdin eToken PRO 32k, an USB crypto
	17	token, this is a generic approach which works the same way with all supported
	18	smartcard devices by openct.
	19
	20	First of all, you should plug in your crypto token into USB or whatever
	21	interface it uses and initalize the reader with the following command (as root):
	22
	23	# openct-control init
	24
	25	To check if your reader has been detected, you can run:
	26
	27	# openct-tool list
	28
	29	This should give you a similar result to this:
	30
	31	0 Aladdin eToken PRO
	32
	33	If you do not see any reader listed, you have a problem and should read again
	34	about the supported hardware on <http://www.opensc-project.org/openct/> and make
	35	sure you have the required support (e.g. USB) compiled into your kernel needed
	36	to connect to your token. If you use a precompiled kernel from Debian,
	37	everything is already built kernelwise and you probably only need to load the
	38	module.
	39
	40	In case you want to erase your previously used smartcard, you can do that by
	41	executing the following command:
	42
	43	# pkcs15-init --erase-card
	44
	45	To setup the smartcard, you need to do the following:
	46
	47	# pkcs15-init --create-pkcs15
	48
	49	Caution: You are beeing asked about the 'Security Officer PIN' and the 'User
	50	unblocking PIN'. Although both of these pins are optional and can be left empty,
	51	you should never do this: In case the personal user pin is typed wrong for a
	52	given number (mostly three times), the smartcard is locked and can only be
	53	unlocked with the user unblocking pin. If you even mistype the user unblocking
	54	pin for a given number (mostly three times), the smartcard is locked and can
	55	only be unlocked with the security officer pin, which is the most superior pin
	56	in this hierarchy. With an unset (empty) security officer pin or user unblocking
	57	pin, depending on the smartcard, an attacker can have unlimited tries to crack
	58	your personal user pin, or, an attacker can simply make the smarcard unusable as
	59	it cannot be unlocked anymore at all.
	60
	61	To create a new identity on the smartcard, do the following:
	62
	63	# pkcs15-init --store-pin --auth-id 01 --label "Daniel Baumann"
	64
	65	If you have already one or more identities, you certainly want to bump the
	66	auth-id here, and normally, the label used to describe the identify is the
	67	persons first and last name.
	68
	69	As we want to use the smartcard with luks, we first need to get some random
	70	data:
	71
	72	# dd if=/dev/random of=data.txt bs=1 count=32
	73
	74	And we store that random data as a data object to the private section of the
	75	smartcard with:
	76
	77	# pkcs15-init --store-data data.txt --auth-id 01
	78
	79	As of the time of writing, openct version 0.6.12 is available and does not
	80	support labeling different data objects. Once this gets fixed in openct
	81	upstream, you can store multiple data objects to the smartcard (create them by
	82	appending '--label foo' to the above command and replace foo with the label you
	83	want to use).
	84
	85	Then, read the random data from the smartcard in order...
	86
	87	# pkcs15-tool --read-data-object pkcs15-init -o /proc/self/fd/3 3>&1 1>/dev/null 2>&1
	88	# pkcs15-tool --read-data-object pkcs15-init -o key.txt 1>/dev/null 2>&1
	89
	90	...to import that output to luks as a valid key (assumed that /dev/sda5 is your
	91	encrypted partition):
	92
	93	# cryptsetup luksAddKey /dev/sda5 key.txt
	94
	95	To tell cryptsetup to let you authenticate with the openct backend, you need to
	96	pass the respective decrypt script to it as a parameter in /etc/crypttab
	97	(assumed that /dev/sda5 is your encrypted partition):
	98
	99	sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct
	100
	101	At the moment all data objects have the same label 'pkcs15-init'. Once openct
	102	supports labeling data objects, you can pass the respective label to openct with
	103	the key parameter in /etc/crypttab like this:
	104
	105	sda5_crypt /dev/sda5 none luks,keyscript=/lib/cryptsetup/scripts/decrypt_openct,key=foo
	106
	107	For the time beeing, 'pkcs15-init' is passed to openct when no key is specified.
	108
	109	Don't forget to backup key.txt to a save place and remove the temporary files
	110	afterwards:
	111
	112	# shred -uz key.txt data.txt
	113
	114	Caution: cryptsetup as of version 1.0.5-1 does not support fallback to passphrase
	115	if smartcard authentification fails (bee it three times wrong pin or not
	116	compatible/not detected smartcard reader). That means, that for testing
	117	purposes, it is recommended to keep an initrd image in /boot available which
	118	does not use openct or opensc for authentification, so that you can change
	119	your bootloader configuration on the fly if something does not work out as
	120	expected. Therefore, copy your current initrd (the .bak backups from
	121	initramfs-tools can maybe get overwritten by update-initramfs during the setup
	122	of openct, so it is better to be on the save side):
	123
	124	# cp /boot/initrd.img-`uname -r` /boot/initrd.img-`uname -r`.temp
	125
	126	If you have completed all the steps upto now, you can update your initramfs
	127	image with:
	128
	129	# update-initramfs -u -k `uname -r`
	130
	131	and reboot your machine.
	132
	133	-- Daniel Baumann <baumann@swiss-it.ch> Wed, 22 Aug 2007 10:36:00 +0200