Add ability to manage keyslots using Yubikey

README.md

@@ -30,7 +30,7 @@ Install the package:
 
     dpkg -i DEBUILD/yubikey-luks_0.*-1_all.deb
 
-Assign a Yubikey to an LUKS slot
+Assign a Yubikey to a LUKS slot
 --------------------------------
 
 You can now assign the Yubikey to a slot using the tool
@@ -110,7 +110,16 @@ Open LUKS container protected with yubikey-luks
 You can open LUKS container protected with yubikey-luks on running system
 
     yubikey-luks-open
+
+
+Remove keyslot using a yubikey protected passphrase
+-----------------------------------------------
+
+You can remove any keyslot using a Yubikey as the existing passphrase
+
+    yubikey-luks-remove -d <device> -s <keyslot>
 
+
 Manage several Yubikeys and Machines
 ------------------------------------
 

debian/rules

@@ -23,3 +23,4 @@ override_dh_install:
 	install -D -o root -g root -m755 yubikey-luks-suspend debian/yubikey-luks/usr/lib/yubikey-luks/yubikey-luks-suspend
 	install -D -o root -g root -m755 initramfs-suspend debian/yubikey-luks/usr/lib/yubikey-luks/initramfs-suspend
 	install -D -o root -g root -m644 yubikey-luks-suspend.service debian/yubikey-luks/lib/systemd/system/yubikey-luks-suspend.service
+	install -D -o root -g root -m755 yubikey-luks-remove debian/yubikey-luks/usr/bin/yubikey-luks-remove

yubikey-luks-enroll

@@ -62,50 +62,91 @@ echo "This script will utilize the YubiKey slot $YUBIKEY_LUKS_SLOT for slot $SLO
 
 if [ "$CLEAR_SLOT" = "1" ]; then
     echo "Killing LUKS slot $SLOT"
-    cryptsetup luksKillSlot "$DISK" "$SLOT"
+    yubikey-luks-remove luksKillSlot "$DISK" "$SLOT"
 fi
 
-echo "Adding yubikey to initrd"
-
-while true ; do
-    if lsusb | grep -iq 'yubico'; then break; fi
-    printf "Please insert a yubikey and press enter."
-    read -r _ <&1
-done
-
-P1=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password. This is the password that will only work while your yubikey is installed in your computer:")
+P1=$(/lib/cryptsetup/askpass "Please enter the new passphrase or yubikey challenge password. If using a Yubikey, this is the password that will only work while your yubikey is installed in your computer:")
 if [ "$DBG" = "1" ]; then echo "Password: $P1"; fi
 
-P2=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password again:")
+P2=$(/lib/cryptsetup/askpass "Please enter the new passphrase or yubikey challenge password again:")
 if [ "$DBG" = "1" ]; then echo "Password: $P2"; fi
 
 if [ "$P1" != "$P2" ]; then
     echo "Passwords do not match"
     exit 1
 fi
 
-if [ "$HASH" = "1" ]; then
-    P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
-    if [ "$DBG" = "1" ]; then echo "Password hash: $P1"; fi
-fi
+read -p "Are you using a Yubikey with this passphrase? [Y/n]  " USE_YUBIKEY1
 
-R="$(printf %s "$P1" | ykchalresp -"$YUBIKEY_LUKS_SLOT" -i- 2>/dev/null || true)"
-if [ "$DBG" = "1" ]; then echo "Yubikey response: $R"; fi
+if [ "$USE_YUBIKEY1" = "y" ] || [ "$USE_YUBIKEY1" = "Y" ]; then
+    while true ; do
+        if lsusb | grep -iq 'yubico'; then break; fi
+        printf "Please insert a yubikey and press enter."
+        read -r _ <&1
+    done
 
-if [ -z "$R" ]; then
-    echo "Yubikey not available or timed out waiting for button press"
-    exit 1
+    if [ "$HASH" = "1" ]; then
+        P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
+        if [ "$DBG" = "1" ]; then echo "Password hash: $P1"; fi
+    fi
+
+    R1="$(printf %s "$P1" | ykchalresp -"$YUBIKEY_LUKS_SLOT" -i- 2>/dev/null || true)"
+    if [ "$DBG" = "1" ]; then echo "Yubikey response: $R1"; fi
+
+    if [ -z "$R1" ]; then
+        echo "Yubikey not available or timed out waiting for button press"
+        exit 1
+    fi
 fi
 
 OLD=$(/lib/cryptsetup/askpass "Please provide an existing passphrase. This is NOT the passphrase you just entered, this is the passphrase that you currently use to unlock your LUKS encrypted drive:")
-if [ "$DBG" = "1" ]; then echo "Old passphrase: $OLD"; fi
 
-if [ "$CONCATENATE" = "1" ]; then
-    printf '%s\n' "$OLD" "$P1$R" "$P1$R" | cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" 2>&1;
-    if [ "$DBG" = "1" ]; then echo "LUKS key: $P1$R"; fi
+
+read -p "Are you using a Yubikey with this passphrase? [Y/n]  " USE_YUBIKEY2
+
+if [ "$USE_YUBIKEY2" = "y" ] || [ "$USE_YUBIKEY2" = "Y" ]; then
+
+    while true ; do
+        if lsusb | grep -iq 'yubico'; then break; fi
+        printf "Please insert a yubikey and press enter."
+        read -r _ <&1
+    done
+
+    if [ "$HASH" = "1" ]; then
+        OLD=$(printf %s "$OLD" | sha256sum | awk '{print $1}')
+        if [ "$DBG" = "1" ]; then echo "Password hash: $OLD"; fi
+    fi
+
+    R2="$(printf %s "$OLD" | ykchalresp -"$YUBIKEY_LUKS_SLOT" -i- 2>/dev/null || true)"
+    if [ "$DBG" = "1" ]; then echo "Yubikey response: $R2"; fi
+
+    if [ -z "$R2" ]; then
+        echo "Yubikey not available or timed out waiting for button press"
+        exit 1
+    fi
+
+    if [ "$CONCATENATE" = "1" ]; then
+        printf '%s\n' "$OLD$R2" "$P1$R1" "$P1$R1" | cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" 2>&1;
+        if [ "$DBG" = "1" ]; then echo "LUKS key: $P1$R1"; fi
+    else
+        printf '%s\n' "$R2" "$R1" "$R1" | cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" 2>&1;
+        if [ "$DBG" = "1" ]; then echo "LUKS key: $R1"; fi
+    fi
+
 else
-    printf '%s\n' "$OLD" "$R" "$R" | cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" 2>&1;
-    if [ "$DBG" = "1" ]; then echo "LUKS key: $R"; fi
+    if [ "$DBG" = "1" ]; then echo "Old passphrase: $OLD"; fi
+
+    if [ "$CONCATENATE" = "1" ]; then
+        printf '%s\n' "$OLD" "$P1$R1" "$P1$R1" | cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" 2>&1;
+        if [ "$DBG" = "1" ]; then echo "LUKS key: $P1$R1"; fi
+    else
+        printf '%s\n' "$OLD" "$R1" "$R1" | cryptsetup --key-slot="$SLOT" luksAddKey "$DISK" 2>&1;
+        if [ "$DBG" = "1" ]; then echo "LUKS key: $R1"; fi
+    fi
 fi
 
+
+
+
+
 exit 0

yubikey-luks-remove

@@ -0,0 +1,89 @@
+#!/bin/sh
+DISK="/dev/sda3"
+NAME="yubikey-luks"
+DBG=0
+YUBIKEY_LUKS_SLOT=2 #Set this in case the value is missing in /etc/ykluks.cfg
+
+set -e
+. /etc/ykluks.cfg
+
+while getopts ":d:s:hv" opt; do
+    case $opt in
+    d)
+        DISK=$OPTARG
+        echo "setting disk to $OPTARG."
+        ;;
+    s)
+        SLOT=$OPTARG
+        echo "setting keyslot to $OPTARG."
+        ;;
+    v)
+        DBG=1
+        echo "debugging enabled"
+        ;;
+    h)
+        echo
+        echo " -d <partition>: select existing partition"
+        echo " -s <keyslot>  : set the keyslot to remove"
+        echo " -v            : show input/output in cleartext"
+        echo
+        exit 1
+        ;;
+    \?)
+        echo "Invalid option: -$OPTARG" >&2
+        ;;
+    esac
+done
+
+echo "This script will try removing keyslot $SLOT from $NAME LUKS container on drive $DISK . If this is not what you intended, exit now!"
+
+
+P1=$(/lib/cryptsetup/askpass "Enter passphrase:")
+
+read -p "Are you using a Yubikey with this passphrase? [Y/n]  " USE_YUBIKEY
+
+if [ "$USE_YUBIKEY" = "y" ] || [ "$USE_YUBIKEY" = "Y" ]; then
+
+    while true ; do
+        if lsusb | grep -iq 'yubico'; then break; fi
+        printf "Please insert a yubikey and press enter."
+        read -r _ <&1
+    done
+
+
+    if [ "$DBG" = "1" ]; then echo "Password: $P1"; fi
+
+    if [ "$HASH" = "1" ]; then
+        P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
+        if [ "$DBG" = "1" ]; then echo "Password hash: $P1"; fi
+    fi
+
+    R="$(printf %s "$P1" | ykchalresp -"$YUBIKEY_LUKS_SLOT" -i- 2>/dev/null || true)"
+    if [ "$DBG" = "1" ]; then echo "Yubikey response: $R"; fi
+
+    if [ -z "$R" ]; then
+        echo "Yubikey not available or timed out waiting for button press"
+        exit 1
+    fi
+
+    _passphrase=''
+    if [ "$CONCATENATE" = "1" ]; then
+        _passphrase=$(printf '%s' "$P1$R")
+    else
+        _passphrase=$(printf '%s' "$R")
+    fi
+
+else
+    _passphrase=$P1
+fi
+
+
+if [ "$DBG" = "1" ]; then echo "LUKS key: ${_passphrase}"; fi
+
+if [ "$(id -u)" -eq 0 ]; then
+    printf %s "${_passphrase}" | cryptsetup luksKillSlot "$DISK" "$SLOT" 2>&1;
+else
+    echo "[Error] This script must be run as root"
+fi
+
+exit 0