use ubuntu as base image

Added documentation and tweaked readme

.drone.yml

@@ -5,24 +5,24 @@ steps:
  - name: fmt
    image: rust:1.43.0
    commands:
-     -  rustup component add rustfmt
-     -  cargo fmt --all -- --check
+     - rustup component add rustfmt
+     - cargo fmt --all -- --check
  - name: test
-   image: rust:1.43.0
-   commands:
-    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
-    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
-    - cargo test
-
- - name: publish
-   image: rust:1.43.0
+   image: ubuntu:focal
    environment:
+    DEBIAN_FRONTEND: noninteractive
+   commands:
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev 
+    - cargo test --locked
+ - name: publish
+   image: ubuntu:focal
+   environment:
+    DEBIAN_FRONTEND: noninteractive
     CARGO_REGISTRY_TOKEN:
      from_secret: cargo_tkn
    commands:
     - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
-    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev 
     - cargo package --all-features
     - cargo publish --all-features
    when:

Cargo.lock

@@ -377,7 +377,7 @@ dependencies = [
 
 [[package]]
 name = "fido2luks"
-version = "0.2.10"
+version = "0.2.11"
 dependencies = [
  "ctap_hmac",
  "failure",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.10"
+version = "0.2.11"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 

README.md

@@ -1,6 +1,6 @@
 # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 
-This will allow you to unlock your luks encrypted disk with an fido2 compatible key
+This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
 
 Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 
@@ -65,7 +65,7 @@ cp /usr/bin/fido2luks /boot/fido2luks/
 cp /etc/fido2luks.conf /boot/fido2luks/
 ```
 
-## Test
+## Testing
 
 Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 
@@ -96,6 +96,13 @@ set -a
 
 Then add the new secret to each device and update dracut afterwards `dracut -f`
 
+### Multiple keys
+
+Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
+```
+FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
+```
+
 ## Removal
 
 Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub

initramfs-tools/README.md

@@ -1,13 +1,34 @@
 ## Initramfs-tools based systems(Ubuntu and derivatives)
 
-After installation generate your credentials and add keys to your disk as described in the top-level README
-then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
+For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
 
-Example:
-```
-sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
 ```
+sudo -s
 
-But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
+# Insert FIDO key.
+fido2luks credential
+# Tap FIDO key
+# Copy returned string <CREDENTIAL>
+
+nano /etc/fido2luks.conf
+# Insert <CREDENTIAL> 
+# FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL> 
+
+set -a
+. /etc/fido2luks.conf
+fido2luks -i add-key /dev/<LUKS PARTITION>
+# Current password: <Any current LUKS password>
+# Password: <Password used as FIDO challange>
+# Tap FIDO key
+
+nano /etc/crypttab
+# Append to end ",discard,initramfs,keyscript=fido2luks"
+# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
+
+update-initramfs -u
+
+
+```
 
 [Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
+

initramfs-tools/fido2luks.conf

@@ -1,3 +1,3 @@
 FIDO2LUKS_SALT=Ask
-#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
+#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
 FIDO2LUKS_CREDENTIAL_ID=

initramfs-tools/keyscript.sh

@@ -4,8 +4,7 @@ set -a
 
 if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
-	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt '$MSG'"
-	plymouth message --text "$MSG"
+	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
 fi
 
 fido2luks print-secret --bin

src/config.rs

@@ -135,10 +135,9 @@ impl PasswordHelper {
             Systemd => unimplemented!(),
             Stdin => Ok(util::read_password("Password", true)?),
             Script(password_helper) => {
-                let mut helper_parts = password_helper.split(' ');
-
-                let password = Command::new((&mut helper_parts).next().unwrap())
-                    .args(helper_parts)
+                let password = Command::new("sh")
+                    .arg("-c")
+                    .arg(&password_helper)
                     .output()
                     .map_err(|e| Fido2LuksError::AskPassError {
                         cause: error::AskPassError::IO(e),