usami/fde.sh

## fde.sh
EFI_PART="$1"
LUKS_PART="$2"

EFI_MNT=/root/boot
mkdir "$EFI_MNT"
mkfs.vfat -F 32 -n uefi "$EFI_PART"
mount "$EFI_PART" "$EFI_MNT"

STORAGE=/crypt-storage/default
mkdir -p "$(dirname $EFI_MNT$STORAGE)"

nix-env -i gcc-wrapper
nix-env -i yubikey-personalization
nix-env -i openssl

rbtohex() {
  ( od -An -vtx1 | tr -d ' \n' )
}

hextorb() {
  ( tr '[:lower:]' '[:upper:]' | sed -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf )
}

cc -O3 -I$(find / | grep "openssl/evp\.h" | head -1 | sed -e 's|/openssl/evp\.h$||g' | tr -d '\n') \
   -L$(find / | grep "lib/libcrypto" | head -1 | sed -e 's|/libcrypto\..*$||g' | tr -d '\n') \
   $(find / | grep "pbkdf2-sha512\.c" | head -1 | tr -d '\n') -o ./pbkdf2-sha512 -lcrypto

SALT_LENGTH=16
salt="$(dd if=/dev/random bs=1 count=$SALT_LENGTH 2>/dev/null | rbtohex)"

k_yubi="$(dd if=/dev/random bs=1 count=20 2>/dev/null | rbtohex)"

challenge="$(echo -n $salt | openssl dgst -binary -sha512 | rbtohex)"
response="$(echo -n $challenge | hextorb | openssl dgst -binary -sha1 -mac HMAC -macopt hexkey:$k_yubi | rbtohex)"

KEY_LENGTH=512
ITERATIONS=1000000
k_luks="$(echo | ./pbkdf2-sha512 $(($KEY_LENGTH / 8)) $ITERATIONS $response | rbtohex)"

CIPHER=aes-xts-plain64
HASH=sha512
echo -n "$k_luks" | hextorb | cryptsetup luksFormat --cipher="$CIPHER" --key-size="$KEY_LENGTH" --hash="$HASH" --key-file=- "$LUKS_PART"

echo -ne "$salt\n$ITERATIONS" > $EFI_MNT$STORAGE

SLOT=2
ykpersonalize -"$SLOT" -ochal-resp -ochal-hmac -a"$k_yubi"

LUKSROOT=crypted
echo -n "$k_luks" | hextorb | cryptsetup luksOpen --key-file=- "$LUKS_PART" "$LUKSROOT"

umount "$EFI_MNT"


pvcreate "/dev/mapper/$LUKSROOT"

VGNAME=cryptedpool
vgcreate "$VGNAME" "/dev/mapper/$LUKSROOT"

lvcreate -L 24G -n swap "$VGNAME"
FSROOT=root
lvcreate -l 100%FREE -n "$FSROOT" "$VGNAME"

vgchange -ay

mkfs.ext4 -L "$FSROOT" "/dev/$VGNAME/$FSROOT"
mkswap -L swap "/dev/$VGNAME/swap"

mount "/dev/$VGNAME/$FSROOT" /mnt
mkdir /mnt/boot
mount "$EFI_PART" /mnt/boot
swapon "/dev/$VGNAME/swap"
	EFI_PART="$1"
	LUKS_PART="$2"

	EFI_MNT=/root/boot
	mkdir "$EFI_MNT"
	mkfs.vfat -F 32 -n uefi "$EFI_PART"
	mount "$EFI_PART" "$EFI_MNT"

	STORAGE=/crypt-storage/default
	mkdir -p "$(dirname $EFI_MNT$STORAGE)"

	nix-env -i gcc-wrapper
	nix-env -i yubikey-personalization
	nix-env -i openssl

	rbtohex() {
	( od -An -vtx1 \| tr -d ' \n' )
	}

	hextorb() {
	( tr '[:lower:]' '[:upper:]' \| sed -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' \| xargs printf )
	}

	cc -O3 -I$(find / \| grep "openssl/evp\.h" \| head -1 \| sed -e 's\|/openssl/evp\.h$\|\|g' \| tr -d '\n') \
	-L$(find / \| grep "lib/libcrypto" \| head -1 \| sed -e 's\|/libcrypto\..*$\|\|g' \| tr -d '\n') \
	$(find / \| grep "pbkdf2-sha512\.c" \| head -1 \| tr -d '\n') -o ./pbkdf2-sha512 -lcrypto

	SALT_LENGTH=16
	salt="$(dd if=/dev/random bs=1 count=$SALT_LENGTH 2>/dev/null \| rbtohex)"

	k_yubi="$(dd if=/dev/random bs=1 count=20 2>/dev/null \| rbtohex)"

	challenge="$(echo -n $salt \| openssl dgst -binary -sha512 \| rbtohex)"
	response="$(echo -n $challenge \| hextorb \| openssl dgst -binary -sha1 -mac HMAC -macopt hexkey:$k_yubi \| rbtohex)"

	KEY_LENGTH=512
	ITERATIONS=1000000
	k_luks="$(echo \| ./pbkdf2-sha512 $(($KEY_LENGTH / 8)) $ITERATIONS $response \| rbtohex)"

	CIPHER=aes-xts-plain64
	HASH=sha512
	echo -n "$k_luks" \| hextorb \| cryptsetup luksFormat --cipher="$CIPHER" --key-size="$KEY_LENGTH" --hash="$HASH" --key-file=- "$LUKS_PART"

	echo -ne "$salt\n$ITERATIONS" > $EFI_MNT$STORAGE

	SLOT=2
	ykpersonalize -"$SLOT" -ochal-resp -ochal-hmac -a"$k_yubi"

	LUKSROOT=crypted
	echo -n "$k_luks" \| hextorb \| cryptsetup luksOpen --key-file=- "$LUKS_PART" "$LUKSROOT"

	umount "$EFI_MNT"


	pvcreate "/dev/mapper/$LUKSROOT"

	VGNAME=cryptedpool
	vgcreate "$VGNAME" "/dev/mapper/$LUKSROOT"

	lvcreate -L 24G -n swap "$VGNAME"
	FSROOT=root
	lvcreate -l 100%FREE -n "$FSROOT" "$VGNAME"

	vgchange -ay

	mkfs.ext4 -L "$FSROOT" "/dev/$VGNAME/$FSROOT"
	mkswap -L swap "/dev/$VGNAME/swap"

	mount "/dev/$VGNAME/$FSROOT" /mnt
	mkdir /mnt/boot
	mount "$EFI_PART" /mnt/boot
	swapon "/dev/$VGNAME/swap"