Add Debian guide

[sandrokeil]

Write the Arch Linux guide for Debian. Not sure if it would be identical with the Ubuntu guide #1

[janet75]

The content seems complex but first of all I would shortly explain what
I am actually studing-using. I have a Debian 11 64bit installed and updated,
manually partitioned with Grub in /boot clear-text and / system root
encrypted with LUKS and unlocked after boot with physical USB Token
(modified crypttab and some patches, that compare encrypted public key
in /root with private key in token accessed by pin and I could post txt steps)
I did not created swap partition (because of double passphrase to
unlock and 8Gb ram memory and 250 Gb NVMe and seems enough for home
machine with virtual server guest too).
Motherboard is Asus A320M-K that has secure boot options (other systems
that actually I am not using because of need to understand).
So what I am asking (easier I can maybe reinstall from the beginning,
maybe using debian installer 'standard new users LVM encrypted auto
formatting', also if it does not allow to 'adjust' swap partition space
and it is not exactly what I would like to obtain) is following.
Epass2003 USB Token, is it possible encrypt partitions like using yubikey?
Is it possible to have full encrypted disk (may be with LVM swap partition
or not) through secure boot stored passphrase unlocked at boot directly through
physical usb token (yubikey or other token)? This case avoiding digit password twice
I thank u in advance for yours answers
Best Regards
Gianni Cerato

[sandrokeil]

Please have a look at this chapter. Your boot partition can not be unlocked through a USB token e.g. YubiKey.

I have to provide two passwords for my setup. One password unlocks the boot partition and the second password is for the YubiKey to unlock the encrypted home partition.

[janet75]

Hello Sandro, I reply to the (mailing) list around the world to thank u for the answer. Effectively this procedure makes the system almost 100% secured. Perhaps the only way to broke is to completely delete hard drives (of course physically accessing those) or of course rob token with password(s) previously recorded / filmed So I have not tried yet using my token (to encrypt partitions like with YubiKey) and I would like to know if it is possible. Do not know if Debian installation media allow to manually prepare LVM and /boot encrypted partitions  to install system in, like so, nor using existing prepared disk(s) How wrote, I attach my step by step procedure to studying if u have questions and of course seeking sponsor(s) for new projects  Regards Gianni Cerato      Il giorno mer, 15/12/2021 alle 05.25 -0800, Sandro Keil ha scritto:

Please have a look at this chapter. Your boot partition can not be unlocked through a USB token e.g. YubiKey. I have to provide two passwords for my setup. One password unlocks the boot partition and the second password is for the YubiKey to unlock the encrypted home partition. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android.

Token simple erase pkcs15-init -E initialize pkcs15-init --create-pkcs15 -p pkcs15+onepin --pin ****** --puk ******* crea chiavi pkcs15-init -G rsa/2048 -i 01 -a 01 -u decrypt --pin ****** system Create a random key file and add it to a LUKS key slot sudo touch /root/rootkey sudo chmod 600 /root/rootkey sudo dd if=/dev/random of=/root/rootkey bs=1 count=245 #change to urandom if you can't wait sudo cryptsetup luksAddKey /dev/nvme0n1p3 /root/rootkey Export the public key from smartcard pkcs15-tool --read-public-key 01 -o public_key_rsa2048.pem Encrypt key file using public key sudo openssl rsautl -encrypt -pubin -inkey public_key_rsa2048.pem -in /root/rootkey -out /root/rootkey.enc sudo rm /root/rootkey Edit crypttab. This change sends the encrypted key file as a param to the keyscript (backup) sudo cp /etc/crypttab /etc/crypttab.bck sudo nano /etc/crypttab This should be of the form: mapped_device_name source_block_device key_file luks,keyscript=decrypt_opensc example sda5_crypt UUID=copy_from_original_crypttab /root/rootkey.enc luks,keyscript=decrypt_opensc Apply patch to cryptopensc hook and regenerate initramfs (file to copy u can contact me) create reader.conf o rename in .d on patch sudo touch /etc/reader.conf sudo chmod 655 /etc/reader.conf (backup cryptopensc) sudo cp /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/orignsc.bck sudo patch /usr/share/initramfs-tools/hooks/cryptopensc < cryptopensc.patch if error 53 sudo cp /usr/sbin/pcscd /sbin/pcscd (backup local-bottom/cryptopensc) sudo cp /usr/share/initramfs-tools/scripts/local-bottom/cryptopensc /usr/share/initramfs-tools/scripts/local-bottom/orignsc.bck sudo patch /usr/share/initramfs-tools/scripts/local-bottom/cryptopensc < local-bottom-cryptopensc.patch sudo update-initramfs -u manage LUKS removing old existing keys (carefully because u have just the token to access system partition)