instructions

README.md

@@ -1,6 +1,58 @@
-# WIP fido2luks
+# fido2luks
 
-This will allow you at some point to unlock your luks encrypted disk with an fido2 compatable key
+This will allow you to unlock your luks encrypted disk with an fido2 compatable key
 
-## TODO:
- - Figure out how to unlock the disk during boot/dracut module
+Note: This has only been tested under Fedora 30 using a Solo Key
+
+## Setup
+
+## Device
+
+```
+git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
+
+#Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
+CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
+
+echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> fido2luks.conf
+
+set -a
+. fido2luks.conf
+
+#Repeat for each luks volume
+FIDO2LUKS_PASSWORD_HELPER=stdin sudo -E fido2luks addkey /dev/disk/by-uuid/<DISK_UUID>
+
+#Test(only works if the luks container isn't active)
+FIDO2LUKS_PASSWORD_HELPER=stdin sudo -E fido2luks open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
+
+```
+
+## Dracut
+
+```
+cd dracut
+
+sudo make install
+```
+
+## Grub
+
+Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX`
+
+Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks addkey`
+
+```
+grub2-mkconfig > /boot/grub2/grub.cfg
+```
+
+## Test
+
+Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
+
+```
+#Recommend in case you lose your authenticator, store this backupfile somewhere safe
+cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
+#Slot should be 0 if you only had one previous password otherwise consult cryptsetup luksDump
+#There is no turning back if you mess this up, make sure you made a backup
+cryptsetup luksKillSlot /dev/disk/by-uuid/<DISK_UUID> <SLOT>
+```