Commit: 247f344a (MW)
udpkey in Debian

The =udpkey= program itself is described in a traditional manual page.
It makes few assumptions about the environment in which it's run, so it
needs some work to integrate it with any particular system.

* Running as a server

To get =udpkey= to run as a server:

+ Create a user to run the server, e.g., =adduser --system --group
  udpkey=.

+ Create =/etc/udpkey/keyring=, and populate it with key fragments and
  client public keys as described in the manual. The keyring file
  must be readable by the user created above; since it holds key
  fragments, it should not be readable by anyone else.

+ Create =/etc/default/udpkey=. This must at the very least set
  =UDPKEY_DAEMON=yes= if the daemon is to be run at all. I chose port
  59274 arbitrarily; if you want to use a different one, set
  =PORT=12345= or whatever.
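The server-side steps above as a small POSIX shell script. This is an added example, not part of the udpkey package; it takes a root prefix so the steps can be rehearsed in a scratch directory (an empty prefix targets the live system and must be run as root). The service user name =udpkey=, the 640 mode on the keyring, the port range check and the =getent= guard around =adduser= are my choices, not anything the page or the manual prescribes.

```sh
#!/bin/sh
# Added example (not udpkey's own code): server setup from the steps
# above, parameterised by a root prefix.  ROOT="" is the live system.

# Write /etc/default/udpkey.  DAEMON is "yes" or "no"; PORT must be a
# number in 1..65535 (59274 is the page's arbitrary default).
udpkey_write_defaults() {
    root=$1 daemon=$2 port=${3:-59274}
    case $daemon in
        yes|no) ;;
        *) echo "bad UDPKEY_DAEMON: $daemon" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad PORT: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad PORT: $port" >&2; return 1; }
    mkdir -p "$root/etc/default"
    printf 'UDPKEY_DAEMON=%s\nPORT=%s\n' "$daemon" "$port" \
        >"$root/etc/default/udpkey"
}

# Create /etc/udpkey/keyring if absent and restrict it to the service
# user: the daemon must read it, nobody else should, because it holds
# key fragments.  USER is the account from adduser --system --group.
udpkey_secure_keyring() {
    root=$1 user=$2
    mkdir -p "$root/etc/udpkey"
    [ -e "$root/etc/udpkey/keyring" ] || : >"$root/etc/udpkey/keyring"
    chown "$user:$(id -gn "$user")" "$root/etc/udpkey/keyring"
    chmod 640 "$root/etc/udpkey/keyring"
}

# Verify the keyring exists and is not world-readable.  The exit status
# is the verdict; a reason goes to stderr.
udpkey_keyring_ok() {
    f=$1/etc/udpkey/keyring
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    [ -z "$(find "$f" -perm -o+r)" ] ||
        { echo "$f: world-readable" >&2; return 1; }
}

# Live run, as root: UDPKEY_EXAMPLE_MAIN=1 sh thisfile
if [ "${UDPKEY_EXAMPLE_MAIN:-}" = 1 ]; then
    getent passwd udpkey >/dev/null || adduser --system --group udpkey
    udpkey_write_defaults "" yes 59274
    udpkey_secure_keyring "" udpkey
    udpkey_keyring_ok ""
fi
```

Populating the keyring with fragments and client public keys is left to the commands the manual describes; the script only creates the file with safe ownership and mode so that those commands, run as root, do not leave it world-readable.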

* Running as a client in initramfs

Some simple scripts for integrating =udpkey= with =cryptsetup= are
provided in =/usr/share/doc/udpkey/examples=. See the comments in those
files for details. Here's the brief version.

+ Copy =udpkey.initramfs-hook= into =/etc/initramfs-tools/hooks=.
  Install =udpkey.keyscript= somewhere, say =/usr/local/sbin=.

+ Create =/etc/udpkey/keyring= and generate a private key. See the
  manual for details of how to do this. Extract the public key and
  transport it to the server.

+ Add a line of the form
  : cvolume /dev/md/encrypted keytag/192.0.2.69:59274 luks,keyscript=/usr/local/sbin/udpkey.keyscript
  to =/etc/crypttab=.

+ Generate a key fragment at your chosen server, here 192.0.2.69.
  Import the client's public key and grant it access to the key
  fragment.

+ Generate a random string of the same length as the key fragment and
  write it to =/etc/udpkey/keytag.local=.

+ Run
  : udpkey keytag 192.0.2.69:59274 /etc/udpkey/keytag.local | sha256sum
  to make sure that everything's actually working. Add the key to
  your LUKS superblock.
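The client-side steps above as a POSIX shell script, again parameterised by a root prefix so they can be rehearsed in a scratch directory. This is an added example, not code from the udpkey package or its bundled keyscript. Assumptions of mine: =keytag.local= is raw random bytes and the length argument is the byte length of the server's fragment (the manual defines the real format, so check it before relying on this); the hook is installed under the name =udpkey=; =update-initramfs -u= is run afterwards so the hook takes effect; and the =udpkey= command line is exactly the one the page shows. Generating the client private key and granting it access on the server are left to the manual's commands and are assumed to have been done before the check runs.

```sh
#!/bin/sh
# Added example (not udpkey's own code): client-side setup from the
# steps above, parameterised by a root prefix.  ROOT="" is the live
# system and needs root.

# Append the crypttab entry unless one for NAME already exists, so the
# script can be rerun without producing duplicate mappings.
udpkey_crypttab_add() {
    root=$1 name=$2 dev=$3 tag=$4 server=$5
    keyscript=${6:-/usr/local/sbin/udpkey.keyscript}
    f=$root/etc/crypttab
    mkdir -p "$root/etc"
    [ -e "$f" ] || : >"$f"
    if awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$f"; then
        echo "$f: entry for $name already present" >&2
        return 0
    fi
    printf '%s %s %s/%s luks,keyscript=%s\n' \
        "$name" "$dev" "$tag" "$server" "$keyscript" >>"$f"
}

# Create /etc/udpkey/TAG.local with LEN random bytes (assumed format;
# LEN must match the server's fragment), readable only by root: it is
# the client's half of the key material.
udpkey_make_local() {
    root=$1 tag=$2 len=${3:-32}
    f=$root/etc/udpkey/$tag.local
    mkdir -p "$root/etc/udpkey"
    (umask 077 && head -c "$len" /dev/urandom >"$f")
    chmod 600 "$f"
    [ "$(wc -c <"$f" | tr -d ' ')" -eq "$len" ] ||
        { echo "$f: short read from /dev/urandom" >&2; return 1; }
}

# The page's sanity check: fetch the fragment, combine it with the local
# file, hash the result.  Prints the 64-hex-digit digest on success and
# fails if udpkey exits non-zero or returns nothing (wrong port, no
# grant, server down), so an empty key is never mistaken for a good one.
udpkey_check() {
    root=$1 tag=$2 server=$3
    out=$(mktemp) || return 1
    if ! udpkey "$tag" "$server" "$root/etc/udpkey/$tag.local" >"$out" ||
       [ ! -s "$out" ]; then
        echo "udpkey $tag $server: no key material returned" >&2
        rm -f "$out"
        return 1
    fi
    key=$(sha256sum <"$out" | cut -d' ' -f1)
    rm -f "$out"
    printf '%s\n' "$key"
}

# Live run, as root: UDPKEY_EXAMPLE_MAIN=1 sh thisfile
if [ "${UDPKEY_EXAMPLE_MAIN:-}" = 1 ]; then
    ex=/usr/share/doc/udpkey/examples
    cp "$ex/udpkey.initramfs-hook" /etc/initramfs-tools/hooks/udpkey
    cp "$ex/udpkey.keyscript" /usr/local/sbin/udpkey.keyscript
    chmod 755 /etc/initramfs-tools/hooks/udpkey /usr/local/sbin/udpkey.keyscript
    udpkey_crypttab_add "" cvolume /dev/md/encrypted keytag 192.0.2.69:59274
    udpkey_make_local "" keytag 32
    udpkey_check "" keytag 192.0.2.69:59274 && update-initramfs -u
fi
```

Run the check twice: the digest must be identical both times, and it must change if =keytag.local= is regenerated, which confirms the local half is actually being combined with the fragment. What exactly is handed to =cryptsetup= at boot is determined by =udpkey.keyscript=, so read that script before adding a key with =luksAddKey=; the functions here only perform the check.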