I have started using LUKS and a Librem Key to encrypt/decrypt my personal data. LUKS volumes are managed with cryptsetup, the userspace front end to dm-crypt, but cryptsetup is not integrated with USB tokens and smart cards. This page is dedicated to making the process easier.
I am using a USB drive with multiple partitions and manually running shell scripts to mount/umount the encrypted data on a LUKS partition. In addition, I back up my data to a cloud based backup service.
To enable use of LUKS and the Librem Key for my USB drive I split the USB into partitions:
vfat/ext/whatever partition labeled as 'keys'
LUKS container
other (small bootable Linux etc)
I follow the recommended procedure for using a smart card with LUKS: a random LUKS key is encrypted with gpg to the smart card's key, and the resulting file can be stored in the clear on the keys partition because only the card can decrypt it. The file is named after the UUID of the LUKS partition, e.g. d5b32e18-3153-4c8b-92ce-3e7c10ae2c86.pkcs1
The keys partition also stores the public key belonging to the smart card as pubkey.asc. This is for convenience, so that the public key can easily be imported into another system with gpg --import pubkey.asc.
To automate mount/unmount I created bash scripts which I will eventually post here. In addition, I create some folders and symlinks in my home folder on each system I use.
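The following script is an added example of the keys-partition workflow described above; it is not the page's own scripts and not cryptsetup or Purism code. It assumes (none of this is stated on the page) that the keys partition is mounted at $KEYS_DIR, that the unlocked volume is mapped as luks-<uuid> and mounted at $DATA_DIR, and that /dev/shm exists for a tmpfs scratch file. Enrolling creates a random key, encrypts it to the card's OpenPGP key and adds it as a LUKS key slot; unlocking lets the card decrypt the file and pipes the plaintext straight into cryptsetup so it never lands on disk.

```shell
#!/bin/sh
# Added example, not the page's own scripts. Smart-card protected LUKS key file
# named <LUKS-UUID>.pkcs1 on a clear-text "keys" partition (see text above).
# Assumed layout (not from the page): keys at $KEYS_DIR, data at $DATA_DIR,
# device-mapper name luks-<uuid>, tmpfs at /dev/shm.
set -u

KEYS_DIR=${KEYS_DIR:-/media/keys}
DATA_DIR=${DATA_DIR:-/media/data}

# Sanity check the UUID before using it to build a file name.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# $1 = keys directory, $2 = LUKS UUID -> path of the gpg-encrypted key file
keyfile_path() { printf '%s/%s.pkcs1\n' "$1" "$2"; }

# $1 = LUKS UUID -> device-mapper name (naming scheme is an assumption)
mapper_name() { printf 'luks-%s\n' "$1"; }

# $1 = block device -> UUID stored in its LUKS header
luks_uuid() { cryptsetup luksUUID "$1"; }

# enroll DEVICE GPG-RECIPIENT
# Generates a 64-byte random key, encrypts it to the card's public key and adds
# it as a LUKS key slot. cryptsetup prompts for an existing passphrase.
enroll() {
  uuid=$(luks_uuid "$1") || return 1
  is_uuid "$uuid" || { echo "bad UUID from $1" >&2; return 1; }
  umask 077
  tmp=$(mktemp /dev/shm/luks-key.XXXXXX) || return 1
  head -c 64 /dev/urandom > "$tmp"
  gpg --encrypt --recipient "$2" --output "$(keyfile_path "$KEYS_DIR" "$uuid")" "$tmp" \
    && cryptsetup luksAddKey "$1" "$tmp"
  rc=$?
  shred -u "$tmp"        # plaintext key lived only on tmpfs; wipe it anyway
  return "$rc"
}

# unlock DEVICE
# The card decrypts the key file (pinentry asks for the PIN) and cryptsetup
# reads the plaintext key from stdin via --key-file -.
unlock() {
  uuid=$(luks_uuid "$1") || return 1
  kf=$(keyfile_path "$KEYS_DIR" "$uuid")
  [ -r "$kf" ] || { echo "missing key file $kf" >&2; return 1; }
  name=$(mapper_name "$uuid")
  gpg --decrypt "$kf" | cryptsetup open --key-file - "$1" "$name" \
    && mkdir -p "$DATA_DIR" && mount "/dev/mapper/$name" "$DATA_DIR"
}

# lock DEVICE
lock() {
  uuid=$(luks_uuid "$1") || return 1
  umount "$DATA_DIR" && cryptsetup close "$(mapper_name "$uuid")"
}

# Only act when a command is given, so sourcing the file just defines functions.
if [ $# -gt 0 ]; then
  case "$1" in
    enroll) enroll "${2:-}" "${3:-}" ;;
    mount)  unlock "${2:-}" ;;
    umount) lock "${2:-}" ;;
    *) echo "usage: $0 enroll DEV GPG-KEYID | mount DEV | umount DEV" >&2; exit 2 ;;
  esac
fi
```

Run it as root, e.g. `./luks-sc.sh enroll /dev/sdb2 <card key fingerprint>` once, then `./luks-sc.sh mount /dev/sdb2` and `./luks-sc.sh umount /dev/sdb2` day to day. The key file on the keys partition is only gpg ciphertext, so losing the USB stick exposes nothing as long as the card (and its PIN) stays with you.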
cryptsetup does not know anything about smart cards or about storing keys in a smart card friendly format.
systemd ignores keyscript in crypttab (keyscript is a Debian-specific extension for auto-mounting LUKS volumes with smart cards).
My personal goal is to enable tighter integration between cryptsetup and smart cards (e.g. the Librem Key). In discussions on the dm-crypt mailing list I have come to the conclusion that the dm-crypt project likes the idea of integration as long as it does not put the burden of maintaining more code into cryptsetup itself. cryptsetup now has a token plugin system for exactly this. I plan to write a plugin which will pull the smart card protected key from the LUKS2 header on the encrypted drive.
Methods for using a smart card with LUKS are documented online. Here are some examples:
good explanation of luks and smart card https://randomoracle.wordpress.com/2015/12/21/getting-by-without-passwords-disk-encryption-part-iii/
example of a YubiKey used with LUKS (systemd crypttab man page) https://www.freedesktop.org/software/systemd/man/crypttab.html
Librem Key https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html
encrypt LUKS with a smart card https://blog.g3rt.nl/luks-smartcard-or-token.html
LUKS smartcard with encrypted root https://github.com/swoopla/smartcard-luks
There is the possibility to write the data needed to unlock the LUKS2 container into the LUKS2 header itself. The LUKS2 spec defines a clear text JSON area in the header (the token area). The gpg-encrypted key that is decrypted by the smart card can be stored in that JSON area. This feature is coded into my fork of cryptsetup but not yet integrated into JTPV. I would prefer that the C plugin version gets done first.
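An added example of the header-token idea above, using only stock cryptsetup (it is not the fork or plugin the page describes): the gpg-encrypted key file is base64-encoded into a user-defined LUKS2 token with `cryptsetup token import`, and unlocking reads it back with `cryptsetup token export`, lets the card decrypt it and feeds the result to `cryptsetup open`. The token type name "user-gpg-keyfile" and the field name "gpg_keyfile_b64" are assumptions chosen for this example; cryptsetup only requires the "type" and "keyslots" fields and stores the rest verbatim.

```shell
#!/bin/sh
# Added example, not the page's fork or cryptsetup's own code: keep the
# gpg-encrypted LUKS key in the LUKS2 header as a user-defined token.
# TOKEN_TYPE and the gpg_keyfile_b64 field are assumed names for this example.
set -u

TOKEN_TYPE=user-gpg-keyfile

# $1 = keyslot number, $2 = base64 of the gpg ciphertext -> token JSON object.
# "type" and "keyslots" are mandatory for cryptsetup token import; keyslot
# ids are strings in LUKS2 JSON.
token_json() {
  printf '{"type":"%s","keyslots":["%s"],"gpg_keyfile_b64":"%s"}\n' \
    "$TOKEN_TYPE" "$1" "$2"
}

# stdin = token JSON -> stdout = the base64 ciphertext (no jq dependency)
token_ciphertext() {
  sed -n 's/.*"gpg_keyfile_b64":"\([^"]*\)".*/\1/p'
}

# token_store DEVICE GPG-ENCRYPTED-KEYFILE KEYSLOT
# Writes the token into the header. The default 16 KiB LUKS2 metadata area
# easily holds an RSA-encrypted 64-byte key (around 1 KiB once base64-encoded).
token_store() {
  tmp=$(mktemp) || return 1
  token_json "$3" "$(base64 -w0 "$2")" > "$tmp" \
    && cryptsetup token import --json-file "$tmp" "$1"
  rc=$?
  rm -f "$tmp"         # ciphertext only; nothing secret in this file
  return "$rc"
}

# token_open DEVICE TOKEN-ID MAPPER-NAME
# Pulls the ciphertext out of the header, has the card decrypt it and passes
# the plaintext key to cryptsetup on stdin.
token_open() {
  cryptsetup token export --token-id "$2" "$1" \
    | token_ciphertext | base64 -d \
    | gpg --decrypt \
    | cryptsetup open --key-file - "$1" "$3"
}
```

Usage: `token_store /dev/sdb2 /media/keys/<uuid>.pkcs1 1` after enrolling the key in slot 1, then `cryptsetup luksDump /dev/sdb2` shows the token, and `token_open /dev/sdb2 0 luks-<uuid>` unlocks without the keys partition being present. Because the stored blob is ciphertext for the card's key, the header still leaks nothing usable; what the token removes is the dependency on a second partition, which is exactly what a C token plugin would do natively.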
Here are other related links
JT's bash implementation of smartcard+LUKS integration
LUKS2 man page; there is a section on 'token' http://man7.org/linux/man-pages/man8/cryptsetup.8.html
presentation that suggests that the token could hold smart card related info https://archive.fosdem.org/2018/schedule/event/cryptsetup/attachments/slides/2506/export/events/attachments/cryptsetup/slides/2506/fosdem18_cryptsetup_aead.pdf
Milan plans to write an article about tokens in LUKS headers https://marc.info/?l=dm-crypt&m=157235464607551&w=2
I am using the Librem Key from Purism for the smart card in my setup. I also have a few laptops running Ubuntu based distros such as Kubuntu and PureOS. The key is working well enough.
https://puri.sm/posts/introducing-the-librem-key/
Docs https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html
FIDO2 specs https://fidoalliance.org/specifications/download/