I have been using an encrypted home directory unlocked via passphrase for some years, and want to "upgrade" to a PKCS#11 token as described in [1].
I have ccid and opensc installed as described in [2]. I enabled pcscd.socket and pcscd.service.
Loading the key and certificate onto the device, and systemd-cryptenroll'ing the key works as described in [1].
For testing, I tried
/usr/lib/systemd/systemd-cryptsetup attach cryptmap ./img.img - pkcs11-uri=auto
where ./img.img is a LUKS-encrypted image file, and it works. I also tried the following on the already opened home partition /dev/sda3 (this is the one I use in production), and it also works:
cryptsetup --test-passphrase --token-only luksOpen /dev/sda3
However, when I add the pkcs11-uri=auto flag in /etc/crypttab, it hangs:
[root@archlinux trash]# journalctl --no-pager -b-1 -u systemd-cryptsetup@nameofmap
Jan 31 17:42:37 archlinux systemd[1]: Starting Cryptography Setup for nameofmap...
Jan 31 17:42:37 archlinux systemd-cryptsetup[491]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/nameofuuid.
Jan 31 17:42:37 archlinux systemd-cryptsetup[491]: Security token (null) not present for unlocking volume primary (nameofmap) on /home, please plug it in.
Jan 31 17:43:08 archlinux systemd-cryptsetup[491]: Timed out waiting for security device, aborting security device based authentication attempt.
Jan 31 17:43:08 archlinux systemd-cryptsetup[491]: Failed to query password: Timer expired
Jan 31 17:43:08 archlinux systemd[1]: systemd-cryptsetup@nameofmap.service: Main process exited, code=exited, status=1/FAILURE
Jan 31 17:43:08 archlinux systemd[1]: systemd-cryptsetup@nameofmap.service: Failed with result 'exit-code'.
Jan 31 17:43:08 archlinux systemd[1]: Failed to start Cryptography Setup for nameofmap.
When I go into maintenance mode, I see that pcscd.socket is not active. I am a beginner and have very limited understanding of systemd, but I think that sockets are activated after cryptsetup. Could this be the reason the smartcard is not read?
Not sure if this GitHub issue [3] is somewhat related, the poster is talking about "full-disk encryption", and if I understand correctly, this involves getting binaries into the initramfs. They write:
Actually getting pcscd to run as a service on Arch wasn't a piece of cake.
But I'm not sure if they mean "run before the root-filesystem is unlocked". I don't have an encrypted root-fs, so it should be easier in my case, right? Unfortunately there is currently no prospect of cake for me either.
[1] https://0pointer.net/blog/unlocking-luk … d-248.html
[2] https://wiki.archlinux.org/title/Smartcards
[3] https://github.com/systemd/systemd/issues/24940
Last edited by stri (2023-02-01 10:16:20)
I think I could solve it myself, in [1] it says
Socket units automatically gain a pair of After= and Requires= dependency on sysinit.target ....
So I tried DefaultDependencies=no in both the pcscd.socket and .service file, and now it works. Note that sysinit has a wants= dependency on cryptsetup.target, and in [2] it says
Target units will automatically complement all configured dependencies of type Wants= or Requires= with dependencies of type After=
I think that explains why it did not work, the ordering was
1) cryptsetup.target
2) sysinit.target
3) pcscd.socket/service
However, now I think I should use a
RequiredBy=cryptsetup.target
in the [Install] section of the pcscd units, and a
Before=cryptsetup.target
in their [Unit] sections to get the dependency and ordering right.
[1] https://www.freedesktop.org/software/sy … ocket.html
[2] https://www.freedesktop.org/software/sy … arget.html
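The ordering problem described in the post above (socket units implicitly get After=/Requires=sysinit.target, sysinit.target wants and is therefore ordered after cryptsetup.target, and cryptsetup.target waits for the systemd-cryptsetup@ unit that in turn needs pcscd) can be fixed without editing the packaged unit files by using drop-ins. The two files below are an added example, not part of the thread and not shipped by the pcsclite package; the file names and the choice to restore the shutdown ordering by hand are my own assumptions. DefaultDependencies=no removes not only the sysinit.target dependency but also the usual Conflicts=/Before=shutdown.target, so those are put back explicitly. RequiredBy=cryptsetup.target in the [Install] section is what the post proposes; if a given systemd version does not honour [Install] sections in drop-ins, creating the symlink /etc/systemd/system/cryptsetup.target.requires/pcscd.socket by hand has the same effect, since that symlink is exactly what RequiredBy= produces on enable.

```ini
# /etc/systemd/system/pcscd.socket.d/cryptsetup.conf   (example drop-in, assumed file name)
[Unit]
# Drop the implicit After=/Requires=sysinit.target that every socket unit
# gets by default; sysinit.target is ordered after cryptsetup.target, which
# is the dependency loop that made the socket come up only after the
# 30 second token timeout in the journal above.
DefaultDependencies=no
# Make the reader reachable before any crypttab volume is unlocked.
Before=cryptsetup.target
# DefaultDependencies=no also removed the normal shutdown ordering; restore it.
Conflicts=shutdown.target
Before=shutdown.target

[Install]
# Let cryptsetup.target pull the socket in instead of relying on
# multi-user.target (which is reached far too late for /home).
RequiredBy=cryptsetup.target
```

```ini
# /etc/systemd/system/pcscd.service.d/cryptsetup.conf   (example drop-in, assumed file name)
[Unit]
# The socket-activated service would otherwise pull in sysinit.target again
# the moment it is started, re-creating the same wait; the socket unit
# already orders itself Before= the service it activates.
DefaultDependencies=no
Conflicts=shutdown.target
Before=shutdown.target
```

After `systemctl daemon-reload` and `systemctl enable pcscd.socket`, `systemctl show -p After -p Before pcscd.socket` should list cryptsetup.target under Before= and no longer list sysinit.target under After=; `systemctl list-dependencies cryptsetup.target` should show pcscd.socket as a required dependency. Worth checking before rebooting, since a mistake here turns the token prompt into the 30 second timeout seen in the log rather than a clean failure.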
Let me know if I should contact the package maintainers of pcscd about this.