shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

update & tidy readme
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
shimun 2020-01-15 16:41:44 +01:00
parent c4e08413c0
commit 7ed948d53b
Signed by: shimun
GPG Key ID: E81D8382DC2F971B
1 changed files with 18 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
README.md
View File

@ -18,12 +18,16 @@ dnf install cargo cryptsetup-devel -y
git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
sudo -E cargo install -f --path . --root /usr
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf
# Copy template
cp dracut/96luks-2fa/fido2luks.conf /etc/
# Name is optional but useful if your authenticator has a display
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
# Load config into env
set -a
. dracut/96luks-2fa/fido2luks.conf
. /etc/fido2luks.conf
# Repeat for each luks volume
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
@ -45,13 +49,13 @@ sudo make install
Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key`
Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
```
grub2-mkconfig > /boot/grub2/grub.cfg
```
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
```
mkdir /boot/fido2luks/
@ -61,7 +65,7 @@ cp /etc/fido2luks.conf /boot/fido2luks/
## Test
Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
```
# Recommend in case you lose your authenticator, store this backupfile somewhere safe
@ -74,9 +78,10 @@ fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
### Password less
Remove your previous secret as described in the next section, incase you already added one.
Remove your previous secret as described in the next section, in case you've already added one.
Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
but be warned that this password will be included to into your initramfs.
Import the new config into env:
@ -96,5 +101,5 @@ set -a
. fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
```