Bash program appears to not accept EOF input and instead gets stuck


I wanted to automatize my Mint installation. One major part of my Mint installation is the encryption of the whole disk using a LUKS partition. To be able to unlock my device via my Yubikey I have to run the following line:

yubikey-luks-enroll -d /dev/sda3 -s 7

which you can get by running sudo apt install yubikey-luks and which works just fine. However, running this command using EOF does not work.

When running the above command, I get asked twice to enter my password and afterwards the password of the LUKS partition:

$ sudo yubikey-luks-enroll -d /dev/sda3 -s 7
setting disk to /dev/sda3.
setting slot to 7.
This script will utilize slot 7 on drive /dev/sda3.  If this is not what you intended, exit now!
Adding yubikey to initrd
Please enter the yubikey challenge password. This is the password that will only work while your yubikey is installed in your computer:
Please enter the yubikey challenge password again:
Please provide an existing passphrase. This is NOT the passphrase you just entered, this is the passphrase that you currently use to unlock your LUKS encrypted drive:

I thought to automatize this step using the following bash script:

read PART
read -s DISKPWD
read -s PWD1
read -s PWD2

sudo yubikey-luks-enroll -d $PART -s 7 <<-EOF
$PWD1
$PWD2
$DISKPWD
EOF

Unfortunately, this only results in the following output:

setting disk to /dev/sda3.
setting slot to 7.
This script will utilize slot 7 on drive /dev/sda3.  If this is not what you intended, exit now!
Adding yubikey to initrd

and even worse the terminal gets stuck - you can enter stuff but it has no effect. Just CTRL + Z works.

If anybody is wondering, I have to set up multiple Yubikeys with the same credentials, that's why I want to automatize the process.

I also tried to run the command in the terminal without EOF, which works fine. Running the command with EOF in the terminal results in the same error as above. When removing the EOF in the Bash file, the command works.

I'm not an experienced Linux user. Maybe it is just a simple mistake. I hope everything is understandable and clear.

Greetings, 133U

There are 1 best solutions below


yubikey-luks-enroll is a shell script.

To read passwords, it invokes /lib/cryptsetup/askpass.

So you could simply write a modified version, replacing the askpass calls.

Be careful to handle the plaintext passwords securely.
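
One way to do the replacement the answer suggests, as an added example that is not part of the original answer or of the yubikey-luks package: a helper that could stand in for the askpass calls in a modified copy of the script, reading each secret from stdin when stdin is not a terminal. The function and variable names (read_secret, collect_enroll_secrets, wipe_secrets, NEW_PW, OLD_PW) are hypothetical; the order of the three answers is taken from the prompts in the question.

```shell
#!/bin/sh
# Added example, not code from yubikey-luks. Function names are hypothetical.

# read_secret PROMPT: put one secret in $SECRET.
# On a terminal it prompts with echo off; otherwise it takes the next
# line of stdin, so a here-doc or pipe can drive it.
read_secret() {
    SECRET=
    if [ -t 0 ]; then
        rs_tty=$(stty -g)                 # remember terminal settings
        printf '%s ' "$1" >&2
        stty -echo
        rs_rc=0
        IFS= read -r SECRET || rs_rc=1
        stty "$rs_tty"                    # always restore echo
        printf '\n' >&2
        return "$rs_rc"
    fi
    # Accept a final line that lacks a trailing newline.
    IFS= read -r SECRET || [ -n "$SECRET" ]
}

# Drop every secret from the shell's variables.
wipe_secrets() {
    SECRET= NEW_PW= OLD_PW=
    unset SECRET NEW_PW OLD_PW
}

# collect_enroll_secrets: read the three answers in the order shown in the
# question's transcript. Sets NEW_PW and OLD_PW.
# Returns 1 on missing input, 2 when the two challenge passwords differ.
collect_enroll_secrets() {
    set +x                                # never trace secrets (stays off)
    read_secret "Yubikey challenge password:" || { wipe_secrets; return 1; }
    NEW_PW=$SECRET
    read_secret "Yubikey challenge password again:" || { wipe_secrets; return 1; }
    if [ "$SECRET" != "$NEW_PW" ]; then
        wipe_secrets
        return 2
    fi
    read_secret "Existing LUKS passphrase:" || { wipe_secrets; return 1; }
    OLD_PW=$SECRET
    SECRET=
}
```

When handing NEW_PW and OLD_PW to later commands, write them to the command's stdin with the shell's builtin printf rather than putting them on a command line, and call wipe_secrets as soon as they are no longer needed.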