Decrypting Luks FDE using a smartcard
#1
Hi,

since I haven't found a tutorial on how to use a usb smartcard (like f.e. Nitrokey/Librem Keys) to unlock the Luks encrypted volume on a Pinephone, I had a look at it myself and found a way to do it (at least on Mobian).
If someone else wants to try this, I've modified the Luks gpg fde configuration script from Purism (https://source.puri.sm/pureos/packages/s...d-key-luks) to automate the configuration on the PinePhone with Mobian.

Feel free to have a look: https://github.com/sam-m7/smartcard-luks-osk

It works by using a modified version of the gnupg-sc keyscript (/usr/lib/cryptsetup/scripts/decrypt_gnupg-sc). The modified version uses the on-screen keyboard (osk-sdl that is also used for normal fde) and forwards the output to gpg (PIN). After 90 seconds there is a fallback and the keyboard pops up, also if no smartcard was detected. You can then type in a passphrase from a different keyslot (without gpg being called). But there is no feedback (at least not on the screen, a little bit on the serial console).

The recognition of the USB Device sometimes takes long. As far as I would say there is a problem with the anx7688 kernel module, because if it doesn't work, this is printed in the serial console (UART adapter) all the time (not only in the initramfs stage):

Code:
anx7688 1-0028: OCM firmware loaded (version 0x2312)
[  160.278615] anx7688 1-0028: timeout waiting for the message queue flush
[  161.258358] anx7688 1-0028: fw loaded after 40 ms

The positive side was, thanks to these messages I found out I needed to add the anx7688 kernel module to the initramfs to make USB work for decryption Big Grin But if someone has an idea on how to fix this, I would be happy to hear it. It's not happening every time, sometimes it works instantly.

I've tested it with a Nitrokey and a USB-A to USB-C adapter on a fresh Mobian eMMC installation with encryption.

I hope this might help someone.
  Reply
#2
This would be good to have in the mobian wiki, and perhaps as a feature request.
https://wiki.mobian-project.org/doku.php...o:security
  Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)