From 7ed948d53bc27689c863944f840c490e0406a473 Mon Sep 17 00:00:00 2001
From: shimun
Date: Wed, 15 Jan 2020 16:41:44 +0100
Subject: [PATCH] update & tidy readme
---
 README.md | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index fe7e03c..689a3ca 100644
--- a/README.md
+++ b/README.md
@@ -17,18 +17,22 @@ dnf install cargo cryptsetup-devel -y
 ```
 git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
-#Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
-CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
+# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
+sudo -E cargo install -f --path . --root /usr
-echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf
+# Copy template
+cp dracut/96luks-2fa/fido2luks.conf /etc/
+# Name is optional but useful if your authenticator has a display
+echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
+# Load config into env
 set -a
-. dracut/96luks-2fa/fido2luks.conf
+. /etc/fido2luks.conf
-#Repeat for each luks volume
+# Repeat for each luks volume
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/
-#Test(only works if the luks container isn't active)
+# Test(only works if the luks container isn't active)
 sudo -E fido2luks -i open /dev/disk/by-uuid/ luks-
 ```
@@ -45,13 +49,13 @@ sudo make install
 Add `rd.luks.2fa=:` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
-Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key`
+Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
 ```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
-I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
+I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
 ```
 mkdir /boot/fido2luks/
@@ -61,12 +65,12 @@ cp /etc/fido2luks.conf /boot/fido2luks/
 ## Test
-Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
+Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 ```
-#Recommend in case you lose your authenticator, store this backupfile somewhere safe
+# Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/ --header-backup-file luks_backup_
-#There is no turning back if you mess this up, make sure you made a backup
+# There is no turning back if you mess this up, make sure you made a backup
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/
 ```
@@ -74,9 +78,10 @@ fido2luks -i add-key --exclusive /dev/disk/by-uuid/
 ### Password less
-Remove your previous secret as described in the next section, incase you already added one.
+Remove your previous secret as described in the next section, in case you've already added one.
 Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:`
+but be warned that this password will be included to into your initramfs.
 Import the new config into env:
@@ -96,5 +101,5 @@ set -a
 . fido2luks.conf
 sudo -E fido2luks -i replace-key /dev/disk/by-uuid/
-sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf
+sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```