1# SPDX-License-Identifier: CC0-1.0 2 3# Destroy any old key on the Yubikey (careful!) 4ykman piv reset 5 6# Generate a new private/public key pair on the device, store the public key in 7# 'pubkey.pem'. 8ykman piv generate-key -a RSA2048 9d pubkey.pem 9 10# Create a self-signed certificate from this public key, and store it on the 11# device. The "subject" should be an arbitrary user-chosen string to identify 12# the token with. 13ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem 14 15# We don't need the public key anymore, let's remove it. Since it is not 16# security sensitive we just do a regular "rm" here. 17rm pubkey.pem 18 19# Enroll the freshly initialized security token in the LUKS2 volume. Replace 20# /dev/sdXn by the partition to use (e.g. /dev/sda1). 21sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn 22 23# Test: Let's run systemd-cryptsetup to test if this all worked. 24sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto 25 26# If that worked, let's now add the same line persistently to /etc/crypttab, 27# for the future. 28sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >> /etc/crypttab' 29