Howto authenticate using eToken with LUKS and encrypted root
- date: 13.03.2008
- author: CorneliusKoelbel <cornelius.koelbel AT lsexperts DOT de>
- used eToken hardware: eTokenNG OTP
- used eToken RTE Version: 4.55.deb
introduction
This is to be seen as a proof of concept. Starting from a Kubuntu 7.10 that was installed from the alternate install CD, i.e. with an encrypted root filesystem, we supplement the LUKS passphrase with a 256 bit random key that is stored on the eToken and read from it at boot. The pkcs11-data tool is used to store the key on the token and to read it back.
A hook script copies everything that is needed (the eToken driver and the pkcs11-data tool) into a new initial ramfs. Because this is done by a hook, it should survive updates: when a new kernel is installed, mkinitramfs is run again, picks the hook up, and eToken support is rebuilt into the new initramfs.
Additionally a keyscript, configured in /etc/crypttab, prompts for the eToken PIN, reads the key from the eToken and passes it to LUKS (cryptsetup).
required software
You need to get the following software:
- Aladdin Linux RTE 4.55: get it from your reseller or drop us a note
- initramfs-tools: get it from your distribution
- pkcs11-data-0.7 by Alon Bar-Lev: http://alon.barlev.googlepages.com/pkcs11-utilities
- LSE-LUKS-HDenc scripts: http://www.lsexperts.de/products_linux_luksetoken.html (see Download)
Putting a cool key to your eToken
The LSE scripts come with an enrollment script. Run it first to find the id/name of your eToken:
./enroll.sh
After having verified the id/name of your eToken, generate a new key with
./enroll.sh genkey 'Aladdin\x20Ltd\x2E/eToken/0019b840/koelbel' LUKSTOKENLABEL
This generates a 256 bit random number and stores it as a new LUKS passphrase in a private data object with Application-ID=LUKS and Label=LUKSTOKENLABEL on your eToken.
Now you need to add this key to a LUKS key slot with
./enroll.sh addkeypw 'Aladdin\x20Ltd\x2E/eToken/0019b840/koelbel' LUKSTOKENLABEL <device>
This adds the 256 bit random passphrase to a new LUKS key slot on <device>. The original passphrase stays in its own slot; keep it as a fallback in case the token is lost or broken, and check with cryptsetup luksDump that the additional slot is now enabled. Please note that the secret passphrase is at the moment handled through a file on /dev/shm (RAM-backed, but readable by root while it exists) on its way to cryptsetup, so you might think of a more secure or even asymmetric solution.
Before building a new initial ram disk, it is a good idea to back up your old one!
Building a new init ramfs
Add the option keyscript=/usr/local/bin/etoken-keyscript.sh to your /etc/crypttab. The line should look similar to this:
sda5_crypt /dev/disk/by-uuid/586384ba-a751-4ac9-bc6a-ab93ef7bfc25 none luks,keyscript=/usr/local/bin/etoken-keyscript.sh
Run make install in the directory of the LSE scripts. (The install target seems to have a small bug; check that the files actually ended up in place.) These files are installed:
/usr/share/initramfs-tools/scripts/local-top/cryptetoken
/usr/share/initramfs-tools/hooks/cryptetoken
/usr/local/bin/etoken-keyscript.sh
Finally, build the new initramfs for the running kernel with
mkinitramfs -o /boot/initrd.img-`uname -r`
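As an added illustration of what the hook in /usr/share/initramfs-tools/hooks/cryptetoken has to do, here is an initramfs-tools hook written for this page; it is example code, not the LSE hook itself. It copies pkcs11-data, the eToken PKCS#11 module and the keyscript into the initramfs and aborts the build if one of them is missing, instead of silently producing an initramfs without token support. The candidate paths for pkcs11-data and the module (libeTPkcs11.so) and the choice of cryptroot as prerequisite are assumptions; check them against your RTE installation.

```sh
#!/bin/sh
# Added example initramfs-tools hook (not the LSE cryptetoken hook).
# ASSUMPTION: the candidate paths below are guesses for a 4.55 RTE and
# a locally built pkcs11-data; adjust them to your installation.

# Run after the cryptroot hook, which copies cryptsetup itself.
PREREQ="cryptroot"

prereqs() {
    echo "$PREREQ"
}

# Print the first argument that names an existing file, or fail.
first_existing() {
    for candidate in "$@"; do
        if [ -e "$candidate" ]; then
            printf '%s' "$candidate"
            return 0
        fi
    done
    return 1
}

install_token_support() {
    # hook-functions provides copy_exec, which copies a file plus the
    # shared libraries it is linked against into ${DESTDIR}/<target dir>.
    . /usr/share/initramfs-tools/hook-functions

    tool=$(first_existing /usr/local/bin/pkcs11-data /usr/bin/pkcs11-data) || {
        echo "cryptetoken hook: pkcs11-data not found, aborting" >&2
        exit 1
    }
    module=$(first_existing /usr/lib/libeTPkcs11.so /usr/local/lib/libeTPkcs11.so) || {
        echo "cryptetoken hook: eToken PKCS#11 module not found, aborting" >&2
        exit 1
    }

    copy_exec "$tool" /bin
    # The PKCS#11 module is dlopen()ed at run time, so ldd on pkcs11-data
    # does not find it; it has to be named explicitly. Keep the same
    # directory so the keyscript can refer to it by its usual path.
    copy_exec "$module" /usr/lib
    # Keep the path from /etc/crypttab, since cryptsetup's initramfs
    # script calls the keyscript by exactly that path.
    copy_exec /usr/local/bin/etoken-keyscript.sh /usr/local/bin
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

# mkinitramfs exports DESTDIR for hooks; only copy when run by it.
if [ -n "$DESTDIR" ]; then
    install_token_support
fi
```

Install it as /usr/share/initramfs-tools/hooks/cryptetoken, make it executable, and rebuild the initramfs; a missing tool or module then fails the build loudly rather than being noticed at the next reboot.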
Kernel Parameters
The keyscript looks for a kernel parameter that holds the label of the data object on your eToken. So you should add the parameter
lukslabel=LUKSTOKENLABEL
to the kernel line of your current kernel in /boot/grub/menu.lst, and also to the commented "# kopt=" line in the automagic section above it, so that update-grub carries the parameter over to newly installed or updated kernels.
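The keyscript described in the introduction and the lukslabel= parameter above fit together as follows. This is an added example written for this page, not the LSE etoken-keyscript.sh: a crypttab keyscript that takes the object label from /proc/cmdline, prompts for the PIN on the console, reads the data object from the token and writes the key to stdout for cryptsetup, and falls back to asking for the passphrase that is still in the original LUKS slot when the token cannot be read. The pkcs11-data options used in fetch_key_from_token and the module path in PKCS11_MODULE are assumptions (check pkcs11-data --help); everything else follows the keyscript contract of Debian's cryptsetup initramfs scripts, which pass the crypttab key field ("none" here) as the first argument and read the key from the script's stdout.

```sh
#!/bin/sh
# Added example keyscript for keyscript= in /etc/crypttab (not the LSE
# script). Contract: the key goes to stdout, all prompts and messages go
# to the console or stderr; cryptsetup passes the crypttab key field as $1.
#
# ASSUMPTIONS (not from the page): the pkcs11-data option names used in
# fetch_key_from_token and the PKCS11_MODULE path are illustrative.

PKCS11_MODULE=${PKCS11_MODULE:-/usr/lib/libeTPkcs11.so}
MAX_TRIES=3

# Print the value of lukslabel= from a kernel command line string, or fail.
get_lukslabel() {
    label=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lukslabel=//p' | head -n 1)
    [ -n "$label" ] || return 1
    printf '%s' "$label"
}

# Accept only labels made of characters that are safe to hand to a tool.
validate_label() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Ask for a secret on the console with echo off; print it without newline.
prompt_secret() {
    printf '%s: ' "$1" >/dev/console
    stty -echo </dev/console 2>/dev/null
    IFS= read -r secret </dev/console
    stty echo </dev/console 2>/dev/null
    printf '\n' >/dev/console
    printf '%s' "$secret"
}

# Read the private data object Application=LUKS / Label=$1 from the token.
# Its stdout is the keyscript's stdout, so the key reaches cryptsetup
# unchanged (binary-safe, no shell variable in between).
fetch_key_from_token() {
    # ASSUMPTION: option names are illustrative. Passing the PIN on the
    # command line is tolerable only because nothing else runs in the
    # initramfs to read the process list.
    pkcs11-data --provider="$PKCS11_MODULE" --application=LUKS \
        --label="$1" --pin="$2" --get
}

main() {
    if label=$(get_lukslabel "$(cat /proc/cmdline)") && validate_label "$label"; then
        tries=0
        while [ "$tries" -lt "$MAX_TRIES" ]; do
            pin=$(prompt_secret "eToken PIN for $label")
            if fetch_key_from_token "$label" "$pin"; then
                return 0
            fi
            tries=$((tries + 1))
            echo "etoken-keyscript: reading $label from token failed ($tries/$MAX_TRIES)" >&2
        done
        echo "etoken-keyscript: giving up on the token" >&2
    else
        echo "etoken-keyscript: no usable lukslabel= on the kernel command line" >&2
    fi
    # Fallback: the passphrase that is still in the original LUKS slot.
    prompt_secret "Enter LUKS passphrase (key field: $1)"
}

# Run only when invoked as the installed keyscript, not when sourced.
case "$0" in
    */etoken-keyscript.sh|etoken-keyscript.sh) main "$@" ;;
esac
```

The fallback is what makes the setup survivable: with the original passphrase left in its slot, a lost or broken token, a wrong PKCS#11 module path, or a forgotten lukslabel= parameter degrades to the usual passphrase prompt instead of an unbootable system.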
Many things to do
There are still many things to do. One thing I would like a lot is a checksum checker in the init scripts inside the encrypted partition, which could verify whether the unprotected /boot partition (kernel and initramfs) has been modified by an attacker with physical access. Note that such a check only runs after the initramfs has already executed and prompted for the PIN, so it could detect tampering after the fact but not prevent a modified initramfs from capturing the PIN.
