Debian/Ubuntu support

README.md

@@ -5,9 +5,9 @@ This project leverages a [YubiKey](https://wiki.archlinux.org/index.php/Yubikey)
 Be aware that this was only tested and intended for:
 
 * [Arch Linux](https://www.archlinux.org/) and its derivatives
+* [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems
 * [YubiKey (version 4 or later)](https://www.yubico.com/products/yubikey-5-overview/)
 
-There is similar project targeting [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems: [yubikey-luks](https://github.com/cornelinux/yubikey-luks)
 
 Table of Contents
 =================
@@ -80,31 +80,42 @@ Keep in mind that the above doesn't protect you from physical tampering like *ev
 
 # Install
 
-## From Arch Linux official repository
+## Arch Linux
+### From Arch Linux official repository
 
 The easiest way is to install package from [official Arch Linux repository](https://www.archlinux.org/packages/community/any/yubikey-full-disk-encryption/).
 
 ```
 sudo pacman -Syu yubikey-full-disk-encryption
 ```
 
-## From Github using 'makepkg'
+### From Github using 'makepkg'
 
 ```
-wget https://raw.githubusercontent.com/agherzan/yubikey-full-disk-encryption/master/PKGBUILD
+wget https://raw.githubusercontent.com/agherzan/yubikey-full-disk-encryption/master/packaging/archlinux/PKGBUILD
 makepkg -srci
 ```
 
-## From Github using 'make'
+### From Github using 'make'
 
 ```
 git clone https://github.com/agherzan/yubikey-full-disk-encryption.git
-cd yubikey-full-disk-encryption
+cd yubikey-full-disk-encryption/packaging/archlinux
 sudo make install
 ```
 
 When installing by using `make` you also need to install [yubikey-personalization](https://www.archlinux.org/packages/community/x86_64/yubikey-personalization/) and [expect](https://www.archlinux.org/packages/extra/x86_64/expect/) packages.
 
+## Debian/Ubuntu
+### From Github using 'make'
+```
+git clone https://github.com/agherzan/yubikey-full-disk-encryption.git
+cd yubikey-full-disk-encryption/packaging/debian
+make builddeb NO_SIGN=1
+sudo dpkg -i DEBUILD/ykfde_*_all.deb
+```
+
+
 # Configure
 
 
@@ -212,18 +223,29 @@ To kill a ykfde passphrase for existing *LUKS* encrypted volume you can use [ykf
 ykfde-enroll -d /dev/<device> -s <keyslot_number> -k
 ```
 
-## Enable ykfde initramfs hook
+## Enable ykfde initramfs hook (Arch Linux)
 
 **Warning: It's recommended to have already working [encrypted system setup](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system) with `encrypt` hook and non-ykfde passphrase before starting to use `ykfde` hook with ykfde passphrase to avoid potential misconfigurations.**
 
-Edit `/etc/mkinitcpio.conf` and add the `ykfde` hook before or instead of `encrypt` hook as provided in [example](https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Examples). Adding `ykfde` hook before `encrypt` hook will allow for a safe fallback in case of ykfde misconfiguration. You can remove `encrypt` hook later when you confim that everything is working correctly. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation):
+For Arch Linux and its derivatives, edit `/etc/mkinitcpio.conf` and add the `ykfde` hook before or instead of `encrypt` hook as provided in [example](https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Examples). Adding `ykfde` hook before `encrypt` hook will allow for a safe fallback in case of ykfde misconfiguration. You can remove `encrypt` hook later when you confim that everything is working correctly. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation):
 
 ```
 sudo mkinitcpio -P
 ```
 
 Reboot and test your configuration.
 
+## Update crypttab (Debian/Ubuntu)
+To unlock LUKS encrypted volumes at boot for Debian/Ubuntu systems, you must append `keyscript=/usr/share/ykfde/ykfde-keyscript` to the `/etc/crypttab file`. For example:
+```
+cryptroot /dev/sda none  luks,keyscript=/usr/share/ykfde/ykfde-keyscript
+```
+After changing this file, update the initial RAM file system:
+```
+update-initramfs -u
+```
+
+
 ## Enable NFC support in ykfde initramfs hook (experimental)
 
 **Warning: Currently NFC support is implemented only in initramfs hook. All ykfde manipulations on booted system have to be done through USB.**

packaging/archlinux/Makefile

@@ -0,0 +1,17 @@
+install: reinstall
+	install -v -b -Dm644 ../../src/ykfde.conf "$(DESTDIR)/etc/ykfde.conf"
+
+reinstall:
+	install -Dm644 ../../src/archlinux/hooks/ykfde "$(DESTDIR)/usr/lib/initcpio/hooks/ykfde"
+	install -Dm644 ../../src/archlinux/install/ykfde "$(DESTDIR)/usr/lib/initcpio/install/ykfde"
+	install -Dm755 ../../src/archlinux/ykfde-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/ykfde-suspend"
+	install -Dm755 ../../src/archlinux/initramfs-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/initramfs-suspend"
+	install -Dm644 ../../src/archlinux/ykfde-suspend.service "$(DESTDIR)/usr/lib/systemd/system/ykfde-suspend.service"
+	install -Dm755 ../../src/ykfde-enroll "$(DESTDIR)/usr/bin/ykfde-enroll"
+	install -Dm755 ../../src/ykfde-format "$(DESTDIR)/usr/bin/ykfde-format"
+	install -Dm755 ../../src/ykfde-open "$(DESTDIR)/usr/bin/ykfde-open"
+	install -Dm644 ../../README.md "$(DESTDIR)/usr/share/doc/ykfde/README.md"
+test:
+	../../src/testrun.sh
+
+all: install

PKGBUILD → packaging/archlinux/PKGBUILD

@@ -1,6 +1,6 @@
 pkgname=yubikey-full-disk-encryption-git
 _pkgname=yubikey-full-disk-encryption
-pkgver=r136.4d8ba6a
+pkgver=r155.dcaac00
 pkgrel=1
 pkgdesc='Use YubiKey to unlock a LUKS partition'
 arch=('any')

packaging/debian/Makefile

@@ -0,0 +1,27 @@
+info:
+	@echo "builddeb [NO_SIGN=1]  - build deb package for Ubuntu LTS [NO_SIGN disables signing]"
+	@echo "clean                 - clean build directory DEBUILD"
+
+VERSION=0.1
+SRC_DIR = ykfde-${VERSION}
+
+debianize:
+	rm -fr DEBUILD
+	mkdir -p DEBUILD/${SRC_DIR}
+	cp -r * DEBUILD/${SRC_DIR} || true
+	cp -r ../../src/ykfde* DEBUILD/${SRC_DIR} || true
+	cp -r ../../src/debian/* DEBUILD/${SRC_DIR} || true
+	cp ../../README.md DEBUILD/${SRC_DIR} || true
+	(cd DEBUILD; tar -zcf ykfde_${VERSION}.orig.tar.gz --exclude=${SRC_DIR}/debian  ${SRC_DIR})
+
+builddeb:
+	make debianize
+ifndef NO_SIGN
+	(cd DEBUILD/${SRC_DIR}; debuild)
+else
+	(cd DEBUILD/${SRC_DIR}; debuild -uc -us)
+endif
+
+clean:
+	rm -fr DEBUILD
+

packaging/debian/debian/changelog

@@ -0,0 +1,5 @@
+ykfde (0.1) UNRELEASED; urgency=medium
+
+  * Added Debian/Ubuntu support
+
+ -- crispy-landslide <[email protected]>  Tue, 11 Jan 2022 21:28:25 -0800

packaging/debian/debian/compat

@@ -0,0 +1 @@
+11

packaging/debian/debian/control

@@ -0,0 +1,16 @@
+Source: ykfde
+Section: admin
+Priority: optional
+Maintainer: Andrei Gherzan <https://github.com/agherzan>
+Build-Depends: debhelper (>= 11), dh-exec
+Standards-Version: 4.1.4
+Homepage: https://github.com/agherzan/yubikey-full-disk-encryption
+
+Package: ykfde
+Architecture: all
+Depends: cryptsetup, initramfs-tools, yubikey-personalization (>= 1.5), udisks2, expect, ${misc:Depends}
+Description: This project leverages a YubiKey HMAC-SHA1 Challenge-Response
+ mode for creating strong LUKS encrypted volume passphrases. 
+ It can be used in intramfs stage during boot process as well as on running system.
+ .
+ Requires Yubikey 4 or newer. 

packaging/debian/debian/copyright

@@ -0,0 +1,7 @@
+Copyright 2017 Andrei Gherzan
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

packaging/debian/debian/rules

@@ -0,0 +1,17 @@
+#! /usr/bin/make -f
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	# nothing to build
+
+override_dh_install:
+	dh_install
+	install -D -o root -g root -m755 hooks/ykfde debian/ykfde/usr/share/initramfs-tools/hooks/ykfde
+	install -D -o root -g root -m755 key-script debian/ykfde/usr/share/ykfde/ykfde-keyscript
+	install -D -o root -g root -m755 ykfde-open debian/ykfde/usr/bin/ykfde-open
+	install -D -o root -g root -m755 ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll
+	install -D -o root -g root -m755 ykfde-format debian/ykfde/usr/bin/ykfde-format	
+	install -D -o root -g root -m644 README.md debian/ykfde/usr/share/doc/ykfde/README.md
+	install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf

packaging/debian/debian/ykfde.postinst

@@ -0,0 +1,22 @@
+#! /bin/sh
+
+set -e
+
+case "$1" in
+    configure)
+    if [ -x /usr/sbin/update-initramfs ]; then
+        echo
+        update-initramfs -u
+    fi
+    ;;
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#

src/debian/hooks/ykfde

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+    echo "$PREREQ"
+}
+
+case $1 in
+    prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /etc/ykfde.conf
+
+copy_exec /usr/bin/ykchalresp
+copy_exec /usr/bin/ykinfo
+copy_exec /usr/bin/sha256sum
+cp /usr/share/ykfde/ykfde-keyscript "${DESTDIR}/sbin/ykfde-keyscript"
+cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf"
+
+exit 0

src/debian/key-script

@@ -0,0 +1,70 @@
+#! /bin/sh
+#
+# This is /sbin/ykfde-keyscript, which gets called when unlocking the disk
+#
+# set defualt values:
+DBG=""
+YKFDE_CONFIG_FILE="/etc/ykfde.conf"
+YKFDE_NFC=""
+YKFDE_DISK_UUID=""
+YKFDE_LUKS_NAME=""
+YKFDE_LUKS_DEV=""
+YKFDE_LUKS_OPTIONS=""
+YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
+YKFDE_CRYPTSETUP_TRIALS="5"
+YKFDE_CHALLENGE_SLOT="2"
+YKFDE_CHALLENGE=""
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
+YKFDE_USE_PLYMOUTH=""
+
+. /etc/ykfde.conf
+
+if [ -z "$WELCOME_TEXT" ]; then
+    WELCOME_TEXT="Please insert yubikey and press enter or enter a valid passphrase"
+fi
+
+message()
+{
+    if [ -x /bin/plymouth ] && plymouth --ping; then
+        plymouth message --text="$*"
+    else
+        echo "$@" >&2
+    fi
+    return 0
+}
+
+check_yubikey_present="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+
+if [ -z "$YKFDE_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then
+  if [ -z "$cryptkeyscript" ]; then
+      if [ -x /bin/plymouth ] && plymouth --ping; then
+          cryptkeyscript="plymouth ask-for-password --prompt"
+      else
+          cryptkeyscript="/lib/cryptsetup/askpass"
+      fi
+  fi
+  PW="$($cryptkeyscript "$WELCOME_TEXT")"
+else
+  PW="$YKFDE_CHALLENGE"
+fi
+
+if [ "$check_yubikey_present" = "1" ]; then
+    message "Accessing yubikey..."
+    PW=$(printf %s "$PW" | sha256sum | awk '{print $1}')
+    R="$(printf %s "$PW" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- 2>/dev/null || true)"
+    if [ "$R" ]; then
+        message "Retrieved the response from the Yubikey"
+        if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" = "1" ]; then
+            printf '%s' "$PW$R"
+        else
+            printf '%s' "$R"
+        fi
+    else
+        message "Failed to retrieve the response from the Yubikey"
+    fi
+else
+        printf '%s' "$PW"
+fi
+
+exit 0