rancher/kcrypt
1
0
Fork 0
mirror of https://github.com/kairos-io/kcrypt.git synced 2025-07-04 11:07:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

cryptenroll needs the actual password

Browse Source 
Also remove password from the luksdevice once we are finished

Signed-off-by: Itxaka <itxaka@kairos.io>
This commit is contained in:
Itxaka 2023-11-30 11:29:20 +01:00
parent e43da08f2d
commit e73e33b26d
1 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
pkg/lib/lock.go
View File

@ -73,9 +73,14 @@ func Luksify(label, version string, tpm bool) (string, error) {
}
if tpm {
// Enroll PCR values as an unlock method
out, err := SH(fmt.Sprintf("systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8+9 %s", part))
args := []string{"--tpm2-device=auto", "--tpm2-pcrs=7+8+9", part}
cmd := exec.Command("systemd-cryptenroll", args...)
cmd.Stdin = strings.NewReader(pass)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err := cmd.Run()
if err != nil {
return "", fmt.Errorf("err: %w, out: %s", err, out)
return "", err
}
}
@ -98,6 +103,14 @@ func Luksify(label, version string, tpm bool) (string, error) {
return "", fmt.Errorf("err: %w", err)
}
if tpm {
// Delete password slot from luks device
out, err := SH(fmt.Sprintf("systemd-cryptenroll --wipe-slot=password %s", part))
if err != nil {
return "", fmt.Errorf("err: %w, out: %s", err, out)
}
}
return configpkg.PartitionToString(b), nil
}