This is work to better integrate smartcards with LUKS2. It was started when LUKS2 headers were new. There are some other integrations such as the systemd implementation and clevis. The deliverable of this work is https://github.com/jtmoree-github-com/luks-root-smartcard
implement utility to add gpg based data as token in LUKS header (DONE)
implement boot decrypt process using gpg data in token (DONE)
implement boot decrypt process using systemd-pkcs11 without systemd libraries (DONE)
The encrypted root decrypt during boot is the most challenging. The work related to that is detailed at encrypted root.
I am improving integration of smartcards with LUKS. When using a smartcard the user enters a PIN rather than typing a passphrase to decrypt a LUKS container. With LUKS1 this requires storing a key in a file that is decrypted using the smartcard. LUKS2 allows us to store the key material inside the LUKS header. I am using this technique in multiple workflows.
This model requires that the smartcard protects a key, which means the (encrypted) key has to be stored somewhere. Currently the Linux distros support specifying the key location as part of the decrypt process. This is suboptimal because:
the keyfile is not connected to the LUKS container
keyfile could be lost, deleted, overwritten, etc.
keyfile sits on a file system which requires another file system to exist somewhere that is NOT encrypted
decrypt process includes more potential points of failure than necessary
Using LUKS2 we can store the smartcard protected key in the JSON data in the LUKS header of the corresponding container.
do not need a keyfile at mkinitramfs (loose coupling)
boot process does not need a separate file system and keyfile for decrypt (loose coupling)
key information is kept in the container it corresponds to (tight cohesion)
The current implementation uses:
json token features of the LUKS2 header
gpg or pkcs11 smartcard
custom process for setup and decrypt on boot
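To make the token layout concrete, here is an added example (my own illustration, not code from the luks-root-smartcard project) of the JSON object that goes into the LUKS2 header and the boot-side step that pulls the ciphertext back out before handing it to the card. The custom token type name "gpg-smartcard" and the field names "gpg-key"/"gpg-recipient" are assumptions; the "systemd-pkcs11" field names are the ones systemd-cryptenroll documents. The sample ciphertext is constructed, not real gpg output.

```python
import base64
import json

# LUKS2 reserves token type names beginning with "luks2-" for cryptsetup itself,
# so a custom token needs another name. "gpg-smartcard" is an assumed name for
# this example, not necessarily the one the project uses.
TOKEN_TYPE = "gpg-smartcard"
SYSTEMD_TYPE = "systemd-pkcs11"  # type written by systemd-cryptenroll --pkcs11-token-uri


def build_gpg_token(encrypted_key, keyslot, recipient):
    """Wrap gpg-encrypted key material as a LUKS2 token object.

    encrypted_key: binary output of `gpg --encrypt -r <recipient>` run over the
    random passphrase that was added to the given LUKS2 keyslot.
    """
    return {
        "type": TOKEN_TYPE,
        "keyslots": [str(keyslot)],  # cryptsetup requires keyslot ids as strings
        "gpg-recipient": recipient,  # assumed custom field: which card key decrypts
        "gpg-key": base64.b64encode(encrypted_key).decode("ascii"),
    }


def validate_token(token):
    """Check the two fields cryptsetup demands of every token before `token import`."""
    if not isinstance(token.get("type"), str) or not token["type"]:
        raise ValueError("token needs a non-empty string 'type'")
    slots = token.get("keyslots")
    if not isinstance(slots, list) or not slots or not all(
        isinstance(s, str) and s.isdigit() for s in slots
    ):
        raise ValueError("'keyslots' must be a non-empty list of decimal strings")
    return True


def token_to_json(token):
    """Serialize for `cryptsetup token import --json-file - <device>`."""
    validate_token(token)
    return json.dumps(token, separators=(",", ":"))


def extract_encrypted_key(token_json):
    """Boot side: parse the output of `cryptsetup token export` and return the
    ciphertext for the card plus a hint (gpg recipient or PKCS#11 URI)."""
    token = json.loads(token_json)
    validate_token(token)
    if token["type"] == TOKEN_TYPE:
        return {"ciphertext": base64.b64decode(token["gpg-key"]),
                "hint": token["gpg-recipient"], "keyslots": token["keyslots"]}
    if token["type"] == SYSTEMD_TYPE:  # field names documented for systemd-cryptenroll
        return {"ciphertext": base64.b64decode(token["pkcs11-key"]),
                "hint": token["pkcs11-uri"], "keyslots": token["keyslots"]}
    raise ValueError("unsupported token type: %s" % token["type"])


# Constructed sample standing in for real gpg output (not a valid OpenPGP message).
SAMPLE_CIPHERTEXT = b"\x85\x01\x0c\x03constructed-gpg-blob\x00\xff"
```

The plaintext recovered by the card (gpg --decrypt or a PKCS#11 decrypt) is then piped to cryptsetup as the key, so no keyfile ever touches an unencrypted file system.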