udpkey in Debian

The =udpkey= program itself is described in a traditional manual page.
It makes few assumptions about the environment in which it's run, so it
needs some work to integrate it with any particular system.

* Running as a server

To get =udpkey= to run as a server:

+ Create a user to run the server, e.g., =adduser --system --group
  udpkey=.

+ Create =/etc/udpkey/keyring=, and populate it with key fragments and
  client public keys as described in the manual. The keyring file
  must be readable by the user created above.

+ Create =/etc/default/udpkey=. This must at the very least set
  =UDPKEY_DAEMON=yes= if the daemon is to be run at all. I chose port
  59274 arbitrarily; if you want to use a different one, set
  =PORT=12345= or whatever.

* Running as a client in initramfs

Some simple scripts for integrating =udpkey= with =cryptsetup= are
provided in =/usr/share/doc/udpkey/examples=. See the comments in those
files for details. Here's the brief version.

+ Copy =udpkey.initramfs-hook= into =/etc/initramfs-tools/hooks=.
  Install =udpkey.keyscript= somewhere, say =/usr/local/sbin=.

+ Create =/etc/udpkey/keyring= and generate a private key. See the
  manual for details of how to do this. Extract the public key and
  transport it to the server.

+ Add a line of the form
  : cvolume /dev/md/encrypted keytag/192.0.2.69:59274 luks,keyscript=/usr/local/sbin/udpkey.keyscript
  to =/etc/crypttab=.

+ Generate a key fragment at your chosen server, here 192.0.2.69.
  Import the client's public key and grant it access to the key
  fragment.

+ Generate a random string of the same length as the key fragment and
  write it to =/etc/udpkey/keytag.local=.

+ Run
  : udpkey keytag 192.0.2.69:59274 /etc/udpkey/keytag.local | sha256sum
  to make sure that everything's actually working. Add the key to
  your LUKS superblock.