
I wanted to automate my Mint installation. One major part of my Mint installation is the encryption of the whole disk using a LUKS partition. To be able to unlock my device via my Yubikey, I have to run the following line:

yubikey-luks-enroll -d /dev/sda3 -s 7

which you get by installing it with `sudo apt install yubikey-luks`, and which works just fine. However, running this command using EOF does not work.

When running the above command, I get asked twice to enter my password and afterwards for the password of the LUKS partition:

$ sudo yubikey-luks-enroll -d /dev/sda3 -s 7
setting disk to /dev/sda3.
setting slot to 7.
This script will utilize slot 7 on drive /dev/sda3.  If this is not what you intended, exit now!
Adding yubikey to initrd
Please enter the yubikey challenge password. This is the password that will only work while your yubikey is installed in your computer:
Please enter the yubikey challenge password again:
Please provide an existing passphrase. This is NOT the passphrase you just entered, this is the passphrase that you currently use to unlock your LUKS encrypted drive:

I thought to automate this step using the following bash script:

# Read the partition and the three secrets; -s keeps the secrets off the screen,
# -r stops backslashes in the input from being interpreted.
read -r PART
read -r -s DISKPWD
read -r -s PWD1
read -r -s PWD2

# Feed the three answers to the enroll script on standard input through a
# here-document (the "EOF" delimiter). "$PART" is quoted so a path with
# spaces is passed as one argument.
sudo yubikey-luks-enroll -d "$PART" -s 7 <<-EOF
$PWD1
$PWD2
$DISKPWD
EOF

Unfortunately, this only results in the following output:

setting disk to /dev/sda3.
setting slot to 7.
This script will utilize slot 7 on drive /dev/sda3.  If this is not what you intended, exit now!
Adding yubikey to initrd

and even worse, the terminal gets stuck: you can enter stuff but it has no effect. Just CTRL + Z works.

If anybody is wondering, I have to set up multiple Yubikeys with the same credentials; that's why I want to automate the process.

I also tried to run the command in the terminal without EOF, which works fine. Running the command with EOF in the terminal results in the same error as above. When removing the EOF from the Bash file, the command works.

I'm not an experienced Linux user. Maybe it is just a simple mistake. I hope everything is understandable and clear.

Greetings, 133U

    Welcome to StackOverflow! This question would likely be better suited for [SuperUser](https://superuser.com/), or possibly [Unix and Linux SE](https://unix.stackexchange.com/) or [Server Fault](https://serverfault.com/). StackOverflow is for specific programming questions, while this is more of a using `yubikey-luks-enroll` question. Great question otherwise! – Brian61354270 Jan 05 '23 at 21:51
  • 1
    Why is asking for data via `read` and passing to the program more automated than the program just asking directly? – jhnc Jan 05 '23 at 23:34
  • 1
    I suspect that `yubikey-luks-enroll` is reading directly from the terminal, rather than from standard input. Check its documentation (and/or source code). BTW, what you're calling "EOF" is properly called a ["here-document"](https://www.gnu.org/software/bash/manual/bash.html#Here-Documents); "EOF" is just an arbitrary delimiter. – Gordon Davisson Jan 06 '23 at 04:53
  • This will sound stupid, but have you tried "< – Eric Marceau Jan 08 '23 at 02:45
  • Hey, thank you for all your answers! As Brian pointed out, I will switch to SuperUser (https://superuser.com/questions/1761885/bash-installer-script-appears-to-not-accept-eof-input-and-instead-gets-stuck). In the meantime, I found out that other installers like the Anaconda installer behave the same. So maybe Gordon is right. Is there a workaround to enter input to the terminal instead of the stdin? I guess this depends on the terminal? I use the standard terminal in Mint. Without the "-" in front of EOF it didn't work, but thank you for the suggestion :) – 133U Jan 09 '23 at 11:03
  • @jhnc I have to run the command multiple times with the same credentials to make copies of the key. So I thought it would be nice to automate this. I guess it's not really necessary to do, but a nice-to-have, and still interesting why it does not work :) – 133U Jan 09 '23 at 11:06

1 Answer


yubikey-luks-enroll is a shell script.

To read passwords, it invokes /lib/cryptsetup/askpass.

So you could simply write a modified version, replacing the askpass calls.

Be careful to handle the plaintext passwords securely.

jhnc
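The following is an added example illustrating the answer above; it is not code from the original post or from the yubikey-luks project, and it does not reproduce the real enroll script's internals. It models the mechanism in question with two hypothetical functions: `askpass_tty`, a stand-in for `/lib/cryptsetup/askpass` that reads from `/dev/tty` (which is why a here-document on stdin is ignored and the terminal appears stuck), and `askpass_fd3`, the kind of replacement the answer suggests, which reads the answer from a file descriptor the caller controls and fails closed on end of input instead of returning an empty passphrase. `enroll_prompts` mimics only the three-prompt sequence shown in the question, and `enroll_from_heredoc` drives it from a here-document on fd 3 so the secrets never appear as command-line arguments (visible in `ps`) or in shell history.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the yubikey-luks project).
# Shows why a here-document on stdin cannot answer an askpass-style prompt
# and how a replacement prompt that reads from a dedicated file descriptor
# can be fed from a script, as the answer suggests.
set -eu

# Hypothetical stand-in for /lib/cryptsetup/askpass: it reads from the
# controlling terminal, so redirections of stdin never reach it. With a
# here-document on stdin the real tool still waits here for a keypress.
askpass_tty() {
    local prompt=$1 reply
    IFS= read -r -s -p "$prompt" reply </dev/tty
    printf '%s' "$reply"
}

# Replacement prompt: reads one line from fd 3, which the caller opens on
# whatever source it wants (here-document, file, pipe). On end of input it
# returns non-zero rather than handing back an empty passphrase.
askpass_fd3() {
    local prompt=$1 reply
    printf '%s' "$prompt" >&2
    if ! IFS= read -r reply <&3; then
        printf 'askpass_fd3: no input on fd 3 for prompt "%s"\n' "$prompt" >&2
        return 1
    fi
    printf '%s' "$reply"
}

# Mock of the three prompts seen in the question. The prompt function is a
# parameter so the same flow runs against the tty version or the fd version.
# Only the lengths of the secrets are reported; the values are never printed.
enroll_prompts() {
    local askpass=$1 p1 p2 existing
    p1=$("$askpass" "Please enter the yubikey challenge password: ")
    p2=$("$askpass" "Please enter the yubikey challenge password again: ")
    if [ "$p1" != "$p2" ]; then
        echo "Passwords do not match" >&2
        return 1
    fi
    existing=$("$askpass" "Please provide an existing passphrase: ")
    printf 'challenge=%d existing=%d\n' "${#p1}" "${#existing}"
    # Drop the plaintext as soon as it is no longer needed.
    unset p1 p2 existing
}

# Driver: the answers travel on fd 3, not stdin and not argv. The secrets
# below are constructed sample values for the example.
enroll_from_heredoc() {
    enroll_prompts askpass_fd3 3<<'EOF'
challenge-secret
challenge-secret
disk-passphrase
EOF
}

# Run directly: prints "challenge=16 existing=15" while the prompts go to stderr.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    enroll_from_heredoc
fi
```

Applied to the real tool, this means copying `yubikey-luks-enroll`, swapping each `/lib/cryptsetup/askpass` call for a function like `askpass_fd3`, and invoking the copy with `3<<'EOF' ... EOF`. Keep the here-document quoted (`'EOF'`) so the shell does not expand anything inside it, and remember that the unmodified script still needs a terminal for any prompt you did not replace.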