Smart-card unlock script for LUKS-encrypted files
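#!/bin/bash -i
# Smart-card unlock keyscript for a LUKS-encrypted volume.
#
# Invoked (e.g. as a crypttab keyscript) with $1 = path to the card-encrypted
# key blob; CRYPTTAB_KEY is only echoed into the status log alongside $1.
# The decrypted key is written to a ramfs-backed file, printed once on stdout
# for the caller, then shredded and removed on every exit path.
#
# Exits non-zero and prints nothing if the RAM disk cannot be prepared or the
# card decryption produces no output, so the plaintext key is never written to
# persistent storage and the caller sees an unlock failure rather than an
# empty key.
#
# NOTE(review): the "-i" (interactive) shebang is kept from the original;
# confirm it is actually needed by openvt/pcscd in the initramfs environment.
PATH=$PATH:/usr/bin

# Use a RAM-disk for temporary storage.
# Unlike tmpfs, ramfs does not use swap, making it
# somewhat more suitable for keeping data off persistent storage.
readonly RAMDISK="/crypto/ram"
# Plaintext key is written to RAM at this location.
readonly DESTINATION="$RAMDISK/luks_output"
# Diagnostics only; key material is never written here.
readonly STATUS_LOG="/tmp/luks_status"
readonly ERROR_LOG="/tmp/luks_errors"

#######################################
# Append one line to the status log (diagnostics only, never the key).
# Arguments: $* - message text
#######################################
log_status() {
  printf '%s\n' "$*" >> "$STATUS_LOG"
}

#######################################
# Overwrite and remove the plaintext copy on the ramdisk.
# Installed as the EXIT trap so it also runs after a failed or partial
# decryption, not only on the happy path.
#######################################
cleanup() {
  if [[ -e "$DESTINATION" ]]; then
    shred -- "$DESTINATION" 2>/dev/null
    rm -f -- "$DESTINATION"
  fi
}

#######################################
# Create the mount point, mount the ramfs (once) and restrict it to root.
# Returns: 0 on success, 1 if the directory or mount cannot be set up.
#######################################
setup_ramdisk() {
  mkdir -p -- "$RAMDISK" || return 1
  # Do not stack a second ramfs if an earlier run already mounted one.
  if ! mountpoint -q -- "$RAMDISK"; then
    # A failed mount must abort: otherwise the plaintext key would land on
    # whatever filesystem backs $RAMDISK.  The size= option is kept from the
    # original invocation (ramfs itself does not enforce a size limit).
    mount -t ramfs -o size=1m ramfs "$RAMDISK" || return 1
  fi
  chmod -R u=rwx,g=,o= -- "$RAMDISK"
}

#######################################
# Entry point.
# Arguments: $1 - path to the card-encrypted key blob
# Outputs:   the decrypted key on stdout (consumed by the caller)
# Returns:   0 on success, 1 on any failure (nothing printed)
#######################################
main() {
  local input=$1
  if [[ -z "$input" ]]; then
    log_status "No key file argument given; cannot decrypt"
    return 1
  fi

  if ! setup_ramdisk; then
    log_status "Failed to prepare ramdisk at $RAMDISK"
    return 1
  fi
  # From here on a plaintext copy may exist; make sure it is always wiped.
  trap cleanup EXIT

  # Ensure PCSC daemon is running.  Best-effort: it may already be up, and
  # pkcs15-crypt below is what actually fails if no reader is available.
  pcscd -d

  log_status "Decrypting LUKS volume with card from $CRYPTTAB_KEY (also $input)"

  # Run pkcs15-crypt on a different terminal so the card PIN prompt is
  # usable while our stdout is reserved for the key.
  openvt -fsw -c 2 -- pkcs15-crypt --decipher --key 01 --input "$input" \
    --pkcs -o "$DESTINATION" 2> "$ERROR_LOG"

  # Do not rely on openvt forwarding the child's status: treat a missing or
  # empty output file as failure so an empty key is never handed back.
  if [[ ! -s "$DESTINATION" ]]; then
    log_status "pkcs15-crypt produced no output; see $ERROR_LOG"
    return 1
  fi

  # This is used by the caller to unlock the disk.
  cat -- "$DESTINATION"
}

main "$@"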