udpkey in Debian

The =udpkey= program itself is described in a traditional manual page.
It makes few assumptions about the environment in which it's run, so it
needs some work to integrate it with any particular system.

* Running as a server

To get =udpkey= to run as a server:

+ Create a user to run the server, e.g., =adduser --system --group
udpkey=.

+ Create =/etc/udpkey/keyring=, and populate it with key fragments and
client public keys as described in the manual. The keyring file
must be readable by the user created above.

+ Create =/etc/default/udpkey=. This must at the very least set
=UDPKEY_DAEMON=yes= if the daemon is to be run at all. I chose port
59274 arbitrarily; if you want to use a different one, set
=PORT=12345= or whatever.

* Running as a client in initramfs

Some simple scripts for integrating =udpkey= with =cryptsetup= are
provided in =/usr/share/doc/udpkey/examples=. See the comments in those
files for details. Here's the brief version.

+ Copy =udpkey.initramfs-hook= into =/etc/initramfs-tools/hooks=.
Install =udpkey.keyscript= somewhere, say =/usr/local/sbin=.

+ Create =/etc/udpkey/keyring= and generate a private key. See the
manual for details of how to do this. Extract the public key and
transport it to the server.

+ Add a line of the form
: cvolume /dev/md/encrypted keytag/192.0.2.69:59274 luks,keyscript=/usr/local/sbin/udpkey.keyscript
to =/etc/crypttab=.

+ Generate a key fragment at your chosen server, here 192.0.2.69.
Import the client's public key and grant it access to the key
fragment.

+ Generate a random string of the same length and write it to
=/etc/udpkey/keytag.local=.

+ Run
: udpkey keytag 192.0.2.69:59274 /etc/udpkey/keytag.local | sha256sum
to make sure that everything's actually working. Add the key to
your LUKS superblock.
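As an added example (not code from the udpkey package or its documentation), the following POSIX shell script stages the two local files that the server and client sections above ask you to create, and then checks them: =/etc/default/udpkey= enabling the daemon on its port, and the client's random =keytag.local= fragment, written so that it is never readable by other users. Everything lives under a prefix directory so the script can be tried in a scratch directory before touching the real =/etc=. The prefix argument, the function names and the fragment length (which you must set to the length of the server-side fragment) are the example's own assumptions; the keyring format itself is documented in the manual and is not reproduced here.

```shell
#!/bin/sh
# Added example, not part of udpkey. Stages under PREFIX (use / on a real
# system, or a scratch directory to try it out) and verifies:
#   PREFIX/etc/default/udpkey   - enables the daemon on a chosen port
#   PREFIX/etc/udpkey/TAG.local - the client's random local fragment
# Assumed: the fragment is LEN raw bytes, LEN being the length of the
# server-side fragment; the function names below are the example's own.
set -eu

# write_defaults PREFIX PORT: enable the daemon and select its UDP port.
write_defaults() {
    mkdir -p "$1/etc/default"
    printf 'UDPKEY_DAEMON=yes\nPORT=%s\n' "$2" > "$1/etc/default/udpkey"
}

# daemon_port PREFIX: print the port the defaults file selects; fail if the
# daemon is not enabled there (the init script would then start nothing).
daemon_port() {
    f="$1/etc/default/udpkey"
    [ -f "$f" ] || return 1
    [ "$(sed -n 's/^UDPKEY_DAEMON=//p' "$f")" = yes ] || return 1
    sed -n 's/^PORT=//p' "$f" | tail -n 1
}

# make_local_fragment PREFIX TAG LEN: write LEN random bytes to
# PREFIX/etc/udpkey/TAG.local without ever exposing it to other users.
make_local_fragment() {
    dir="$1/etc/udpkey"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    # umask in a subshell: the file is created without group/other bits,
    # so there is no window where a chmod-afterwards would be too late.
    ( umask 077; head -c "$3" /dev/urandom > "$dir/$2.local" )
    chmod 0600 "$dir/$2.local"
}

# check_local_fragment PREFIX TAG LEN: succeed only if the fragment exists,
# has exactly LEN bytes and carries no group/other permission bits.
check_local_fragment() {
    f="$1/etc/udpkey/$2.local"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq "$3" ] || { echo "$f: $size bytes, want $3" >&2; return 1; }
    # columns 5-10 of 'ls -l' are the group and other permission bits
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: too permissive ($perms)" >&2; return 1; }
}

# Usage: sh udpkey-stage.sh PREFIX   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    write_defaults "$1" 59274
    make_local_fragment "$1" keytag 32
    check_local_fragment "$1" keytag 32
    echo "daemon port: $(daemon_port "$1"); files staged under $1"
fi
```

The permission check is deliberately strict: the local fragment is half of the material from which the LUKS key is derived, so a group- or world-readable copy defeats the point of splitting the key between host and server. The fragment length 32 in the usage section is only a stand-in; use the length of the fragment you generated on the server.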