udpkey in Debian

The =udpkey= program itself is described in a traditional manual page. It makes few assumptions about the environment in which it's run, so it needs some work to integrate it with any particular system.

* Running as a server

To get =udpkey= to run as a server:

  + Create a user to run the server, e.g., =adduser --system --group udpkey=.
  + Create =/etc/udpkey/keyring=, and populate it with key fragments and client public keys as described in the manual. The keyring file must be readable by the user created above.
  + Create =/etc/default/udpkey=. This must at the very least set =UDPKEY_DAEMON=yes= if the daemon is to be run at all. I chose port 59274 arbitrarily; if you want to use a different one, set =PORT=12345= or whatever.

* Running as a client in initramfs

Some simple scripts for integrating =udpkey= with =cryptsetup= are provided in =/usr/share/doc/udpkey/examples=. See the comments in those files for details. Here's the brief version.

  + Copy =udpkey.initramfs-hook= into =/etc/initramfs-tools/hooks=. Install =udpkey.keyscript= somewhere, say =/usr/local/sbin=.
  + Create =/etc/udpkey/keyring= and generate a private key. See the manual for details of how to do this. Extract the public key and transport it to the server.
  + Add a line of the form
    : cvolume /dev/md/encrypted keytag/192.0.2.69:59274 luks,keyscript=/usr/local/sbin/udpkey.keyscript
    to =/etc/crypttab=.
  + Generate a key fragment at your chosen server, here 192.0.2.69. Import the client's public key and grant it access to the key fragment.
  + Generate a random string of the same length and write it to =/etc/udpkey/keytag.local=.
  + Run
    : udpkey keytag 192.0.2.69:59274 /etc/udpkey/keytag.local | sha256sum
    to make sure that everything's actually working. Add the key to your LUKS superblock.
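
A preflight check for the client steps above, as an added example that is not part of udpkey or of its example scripts: it validates a crypttab entry of the form shown and prints the matching verification command, so the values you test are the ones the boot will use. The function names are hypothetical, and the field layout (TAG/HOST:PORT) and local fragment path (/etc/udpkey/TAG.local) are assumptions inferred from the example values on this page.

```shell
#!/bin/sh
# Added example, not part of udpkey. Assumptions: the crypttab key field is
# TAG/HOST:PORT and the local fragment is /etc/udpkey/TAG.local.

# parse_udpkey_entry LINE
# Prints "TAG SERVER LOCALFILE KEYSCRIPT" for a well-formed entry; otherwise
# prints a reason on stderr and fails. The body is a subshell, so the
# set -f and IFS changes do not leak into the caller.
parse_udpkey_entry() (
    set -f                                  # no globbing while splitting
    set -- $1
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#" >&2; return 1; }
    spec=$3 opts=$4
    case $spec in
        */*:*) ;;
        *) echo "key field is not TAG/HOST:PORT: $spec" >&2; return 1 ;;
    esac
    tag=${spec%%/*} server=${spec#*/}
    host=${server%:*} port=${server##*:}
    case $tag in
        ''|*[!A-Za-z0-9._-]*) echo "bad tag: $tag" >&2; return 1 ;;
    esac
    [ -n "$host" ] || { echo "empty host" >&2; return 1; }
    case $port in                           # digits only, at most 5 of them
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } ||
        { echo "port out of range: $port" >&2; return 1; }
    keyscript=
    IFS=,                                   # crypttab options are comma-separated
    for o in $opts; do
        case $o in keyscript=*) keyscript=${o#keyscript=} ;; esac
    done
    [ -n "$keyscript" ] || { echo "no keyscript= option" >&2; return 1; }
    echo "$tag $server /etc/udpkey/$tag.local $keyscript"
)

# udpkey_test_command LINE
# Prints the verification pipeline from the last step, built from the entry.
udpkey_test_command() (
    fields=$(parse_udpkey_entry "$1") || return 1
    set -f
    set -- $fields
    echo "udpkey $1 $2 $3 | sha256sum"
)

# Constructed sample: the crypttab line used above.
udpkey_test_command 'cvolume /dev/md/encrypted keytag/192.0.2.69:59274 luks,keyscript=/usr/local/sbin/udpkey.keyscript'
```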