1FA for Yubikey LUKS
#! /bin/sh
#
# This is /usr/share/yubikey-luks/ykluks-keyscript, which gets called when unlocking the disk.
# 1. apt-get install yubikey-luks
# 2. program the second slot of the Yubikey with an HMAC-SHA1 challenge-response configuration:
# ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
# 3. find which encrypted disk partition you want to use, e.g.:
# cat /etc/crypttab
# nvme0n1p3_crypt UUID=XXXXXXXXXXXXXXXX none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript,discard
# here use /dev/nvme0n1p3
# 4. enroll
# yubikey-luks-enroll -d /dev/nvme0n1p3 -s 7 -v (use -c if you want to clean the slot)
# 5. configure YUBIKEY_CHALLENGE in /etc/ykluks.cfg with the challenge you just set
# (check the permissions of this file and tighten them if needed: chmod o-r /etc/ykluks.cfg;
# step 6 copies this file into the initramfs, so the challenge travels with that image)
# 6. update-initramfs -u
# Site configuration. Variables read later in this script: YUBIKEY_CHALLENGE,
# HASH, CONCATENATE, WELCOME_TEXT and (optionally) cryptkeyscript. At boot this
# is the copy that update-initramfs placed in the initramfs.
. /etc/ykluks.cfg
# Use the stock prompt when the config leaves WELCOME_TEXT unset or empty.
WELCOME_TEXT="${WELCOME_TEXT:-Please insert yubikey and press enter or enter a valid passphrase}"
# Show a status line to the user.
# Goes through plymouth when /bin/plymouth is executable and the daemon
# answers `plymouth --ping`; otherwise it is written to stderr (the console).
# Arguments: the message words.
# Returns 0 regardless of how the message was delivered.
message()
{
  if ! { [ -x /bin/plymouth ] && plymouth --ping; }; then
    echo "$@" >&2
  else
    plymouth message --text="$*"
  fi
  return 0
}
# Probe for a Yubikey with a programmed slot 2. The rest of the script treats
# exactly "1" as "usable key attached" and anything else (including an empty
# result when no key is plugged in) as "no key".
check_yubikey_present="$(ykinfo -q -2)"
# source for log_*_msg() functions, see LP: #272301
# /scripts/functions is the path inside the running initramfs; the
# /usr/share copy is used when the script runs on the installed system.
initramfs_functions=/usr/share/initramfs-tools/scripts/functions
if [ -e /scripts/functions ]; then
  initramfs_functions=/scripts/functions
fi
. "$initramfs_functions"
unset initramfs_functions
# Choose what goes into the token (or straight to LUKS when no token is
# attached). A static YUBIKEY_CHALLENGE plus an attached key is the 1FA
# mode: possession of the key alone unlocks the disk. In every other case
# the user is prompted - the answer is the LUKS passphrase when no key is
# attached, or the challenge for the key when one is.
if [ -n "$YUBIKEY_CHALLENGE" ] && [ "$check_yubikey_present" = "1" ]; then
  PW="$YUBIKEY_CHALLENGE"
else
  # cryptkeyscript may already be supplied by the caller or the config;
  # otherwise prefer plymouth when its daemon answers, else askpass.
  if [ -z "$cryptkeyscript" ]; then
    cryptkeyscript="/lib/cryptsetup/askpass"
    if [ -x /bin/plymouth ] && plymouth --ping; then
      cryptkeyscript="plymouth ask-for-password --prompt"
    fi
  fi
  # Deliberately unquoted: cryptkeyscript may hold a command plus options.
  PW="$($cryptkeyscript "$WELCOME_TEXT")"
fi
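# Produce the LUKS key material on stdout.
# With a key attached: challenge slot 2 with PW (or its SHA-256 hex digest
# when HASH=1) and emit the response, optionally prefixed with PW itself
# (CONCATENATE=1). Without a key: pass the prompted passphrase through.
if [ "$check_yubikey_present" = "1" ]; then
  message "Accessing yubikey..."
  if [ "$HASH" = "1" ]; then
    # Challenge the token with a fixed-length digest instead of the raw value.
    PW=$(printf %s "$PW" | sha256sum | awk '{print $1}')
  fi
  # ykchalresp's own diagnostics are muted so they do not reach the console.
  # Report the failure instead of claiming success when the token did not
  # answer (removed mid-way, touch timeout, tool missing); R then holds
  # whatever the tool printed - normally nothing - and LUKS will reject it.
  if R="$(printf %s "$PW" | ykchalresp -2 -i- 2>/dev/null)"; then
    message "Retrieved the response from the Yubikey"
  else
    message "Yubikey challenge-response failed; unlocking with the key will not succeed"
  fi
  if [ "$CONCATENATE" = "1" ]; then
    printf '%s' "$PW$R"
  else
    printf '%s' "$R"
  fi
else
  printf '%s' "$PW"
fi
exit 0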