PINE64 forum (Mobian on PinePhone): Decrypting Luks FDE using a smartcard
Thread: https://forum.pine64.org/showthread.php?tid=14356



Decrypting Luks FDE using a smartcard - SuperMonkey - 07-05-2021

Hi,

Since I haven't found a tutorial on how to use a USB smartcard (e.g. Nitrokey/Librem Key) to unlock the LUKS-encrypted volume on a PinePhone, I had a look at it myself and found a way to do it (at least on Mobian).
If someone else wants to try this, I've modified the LUKS GPG FDE configuration script from Purism (https://source.puri.sm/pureos/packages/smartcard-key-luks) to automate the configuration on the PinePhone with Mobian.

Feel free to have a look: https://github.com/sam-m7/smartcard-luks-osk

It works by using a modified version of the gnupg-sc keyscript (/usr/lib/cryptsetup/scripts/decrypt_gnupg-sc). The modified version uses the on-screen keyboard (osk-sdl, which is also used for normal FDE) and forwards the output (the PIN) to gpg. After 90 seconds there is a fallback and the keyboard pops up; this also happens if no smartcard was detected. You can then type in a passphrase from a different keyslot (without gpg being called). But there is no feedback (at least not on the screen; a little bit on the serial console).

Recognition of the USB device sometimes takes a long time. As far as I can tell, there is a problem with the anx7688 kernel module, because when it doesn't work, this is printed on the serial console (UART adapter) continuously (not only in the initramfs stage):

Code:
anx7688 1-0028: OCM firmware loaded (version 0x2312)
[  160.278615] anx7688 1-0028: timeout waiting for the message queue flush
[  161.258358] anx7688 1-0028: fw loaded after 40 ms

On the positive side, thanks to these messages I found out I needed to add the anx7688 kernel module to the initramfs to make USB work for decryption. But if someone has an idea of how to fix this, I would be happy to hear it. It doesn't happen every time; sometimes it works instantly.

I've tested it with a Nitrokey and a USB-A to USB-C adapter on a fresh Mobian eMMC installation with encryption.

I hope this might help someone.
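The keyscript flow the post describes (osk-sdl prompt, PIN forwarded to gpg to decrypt the GPG-encrypted LUKS key file, plain-passphrase fallback when no card is present or the PIN is rejected), as an added illustration written for this thread and not the script from the linked repository. The osk-sdl `-n`/`-d` options, gpg accepting the card PIN via loopback pinentry, the `timeout` wrapper and the CRYPTTAB_* variables are assumptions about the initramfs environment.

```shell
#!/bin/sh
# Illustrative cryptsetup keyscript (added example, not the thread's script).
# Debian's cryptsetup passes the key file path as $1 and reads the key from stdout.
OSK=${OSK:-osk-sdl}            # on-screen keyboard binary (overridable for tests)
GPG=${GPG:-gpg}                # gpg binary (overridable for tests)
OSK_TIMEOUT=${OSK_TIMEOUT:-90} # seconds before the prompt gives up (assumption)

# True when scdaemon can talk to a smartcard.
card_present() {
    "$GPG" --batch --card-status >/dev/null 2>&1
}

# Show the on-screen keyboard for at most OSK_TIMEOUT seconds; print what was typed.
# Assumes osk-sdl takes the mapper name (-n) and source device (-d) and prints the text.
ask_osk() {
    timeout "$OSK_TIMEOUT" "$OSK" -n "${CRYPTTAB_NAME:-root}" \
        -d "${CRYPTTAB_SOURCE:-/dev/mmcblk2p2}"
}

# Smartcard path: typed PIN -> gpg (loopback pinentry) -> decrypted key file on stdout.
# Returns non-zero if nothing was typed, the prompt timed out, or gpg rejected the PIN.
unlock_with_card() {
    keyfile=$1
    pin=$(ask_osk) || return 1
    [ -n "$pin" ] || return 1
    printf '%s\n' "$pin" | "$GPG" --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --decrypt "$keyfile"
}

# Entry point: try the card first; otherwise the text typed next is emitted as the
# LUKS passphrase itself, so a second keyslot with a normal passphrase still unlocks.
unlock_key() {
    keyfile=$1
    if card_present && unlock_with_card "$keyfile"; then
        return 0
    fi
    echo "No smartcard or PIN rejected; enter LUKS passphrase" >&2
    ask_osk
}

# cryptsetup supplies the key file path as $1; with no argument only definitions load.
if [ -n "${1:-}" ]; then
    unlock_key "$1"
fi
```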


RE: Decrypting Luks FDE using a smartcard - wibble - 07-06-2021

This would be good to have in the Mobian wiki, and perhaps as a feature request.
https://wiki.mobian-project.org/doku.php?id=howto:security