Skip to content

Instantly share code, notes, and snippets.

@randomoracle
Last active Nov 18, 2021
Embed
What would you like to do?
Smart-card unlock script for LUKS-encrypted files
#!/bin/bash -i
PATH=$PATH:/usr/bin
# Use RAM-disk for temporary storage
# Unlike tmpfs, ramfs does not use swap, making it
# somewhat more suitable for keeping data off persistent storage.
RAMDISK="/crypto/ram"
mkdir -p $RAMDISK
mount -t ramfs -o size=1m ramfs $RAMDISK
chmod -R u=rwx,g=,o= $RAMDISK
# Plaintext written to RAM at this location
DESTINATION=$RAMDISK/luks_output
# Ensure PCSC daemon is running
pcscd -d
echo "Decrypting LUKS volume with card from $CRYPTTAB_KEY (also $1)" >> /tmp/luks_status
# Run pkcs15-crypt on a different terminal
openvt -fsw -c 2 -- pkcs15-crypt --decipher --key 01 --input $1 --pkcs -o $DESTINATION 2> /tmp/luks_errors
# This is used to unlock the disk
cat $DESTINATION
# Overwrite and remove copy on ramdisk
shred $DESTINATION
rm $DESTINATION
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment