add nix flake

Obvious password promt (#29 )
* obvious password promt * prompt interaction with FIDO device
2021-02-08 16:06:56 +01:00 · 2021-02-08 15:58:41 +01:00 · 2020-11-17 13:05:45 +01:00 · 2020-11-01 21:18:13 +01:00 · 2020-11-01 18:21:04 +01:00 · 2020-10-13 14:17:22 +02:00
23 changed files with 2285 additions and 1381 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -3,32 +3,27 @@ name: default
 steps:
 - name: fmt
-   image: rust:1.37.0
+   image: rust:1.43.0
   commands:
-     -  rustup component add rustfmt
+     - rustup component add rustfmt
-     -  cargo fmt --all -- --check
+     - cargo fmt --all -- --check
 - name: test
-   image: rust:1.37.0
+   image: ubuntu:focal
   environment:
    DEBIAN_FRONTEND: noninteractive
   commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev 
-    - cargo test
+    - cargo test --locked
-
+ - name: publish
- - name: build
+   image: ubuntu:focal
-   image: rust:1.37.0
+   environment:
    DEBIAN_FRONTEND: noninteractive
    CARGO_REGISTRY_TOKEN:
     from_secret: cargo_tkn
   commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-    - cargo install -f --path . --root .
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev 
    - cargo package --all-features
    - cargo publish --all-features
   when:
    event: tag
 - name: publish
   image: plugins/github-release
   settings:
     api_key:
      from_secret: github_release
     files:
      - bin/fido2luks
     checksum:
      - md5
      - sha256
   when:
    event: tag    
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,9 @@
 **/*.rs.bk
 .idea/
 *.iml
 fido2luks.bash
 fido2luks.elv
 fido2luks.fish
 fido2luks.zsh
 result
 result-*
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1,10 +1,25 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
 [[package]]
-name = "aho-corasick"
+name = "addr2line"
-version = "0.7.10"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8716408b8bc624ed7f65d223ddb9ac2d044c0547b6fa4b0d554f3a9540496ada"
+checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
 dependencies = [
 "gimli",
 ]
 [[package]]
 name = "adler"
 version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
 [[package]]
 name = "aho-corasick"
 version = "0.7.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
 dependencies = [
 "memchr",
 ]
@@ -37,37 +52,29 @@ checksum = "1d49d90015b3c36167a20fe2810c5cd875ad504b39cff3d4eae7977e6b7c1cb2"
 [[package]]
 name = "autocfg"
-version = "1.0.0"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
+checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
 [[package]]
 name = "backtrace"
-version = "0.3.46"
+version = "0.3.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e"
+checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
 dependencies = [
- "backtrace-sys",
+ "addr2line",
 "cfg-if",
 "libc",
 "miniz_oxide",
 "object",
 "rustc-demangle",
 ]
 [[package]]
 name = "backtrace-sys"
 version = "0.1.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "78848718ee1255a2485d1309ad9cdecfc2e7d0362dd11c6829364c6b35ae1bc7"
 dependencies = [
 "cc",
 "libc",
 ]
 [[package]]
 name = "bindgen"
-version = "0.53.2"
+version = "0.54.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6bb26d6a69a335b8cb0e7c7e9775cd5666611dc50a37177c3f2cedcfc040e8c8"
+checksum = "66c0bb6167449588ff70803f4127f0684f9063097eca5016f37eb52b92c2cf36"
 dependencies = [
 "bitflags",
 "cexpr",
@@ -79,8 +86,8 @@ dependencies = [
 "lazycell",
 "log",
 "peeking_take_while",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
 "regex",
 "rustc-hash",
 "shlex",
@@ -111,9 +118,9 @@ dependencies = [
 [[package]]
 name = "cc"
-version = "1.0.52"
+version = "1.0.59"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d"
+checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381"
 [[package]]
 name = "cexpr"
@@ -143,9 +150,9 @@ dependencies = [
 [[package]]
 name = "clap"
-version = "2.33.0"
+version = "2.33.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
+checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
 dependencies = [
 "ansi_term",
 "atty",
@@ -181,9 +188,9 @@ dependencies = [
 [[package]]
 name = "crossbeam-channel"
-version = "0.4.2"
+version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cced8691919c02aac3cb0a1bc2e9b73d89e832bf9a06fc579d4e71b68a2da061"
+checksum = "b153fe7cbef478c567df0f972e02e6d736db11affe43dfc9c56a9374d1adfb87"
 dependencies = [
 "crossbeam-utils",
 "maybe-uninit",
@@ -206,7 +213,7 @@ version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 "cfg-if",
 "crossbeam-utils",
 "lazy_static",
@@ -217,12 +224,13 @@ dependencies = [
 [[package]]
 name = "crossbeam-queue"
-version = "0.2.1"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db"
+checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
 dependencies = [
 "cfg-if",
 "crossbeam-utils",
 "maybe-uninit",
 ]
 [[package]]
@@ -231,7 +239,7 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 "cfg-if",
 "lazy_static",
 ]
@@ -284,10 +292,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
 dependencies = [
 "fnv",
 "ident_case",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
 "strsim 0.9.3",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 [[package]]
@@ -297,8 +305,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
 "darling_core",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 [[package]]
@@ -309,9 +317,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
 dependencies = [
 "darling",
 "derive_builder_core",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 [[package]]
@@ -321,16 +329,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
 dependencies = [
 "darling",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 [[package]]
 name = "either"
-version = "1.5.3"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3"
+checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
 [[package]]
 name = "env_logger"
@@ -347,9 +355,9 @@ dependencies = [
 [[package]]
 name = "failure"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8529c2421efa3066a5cbd8063d2244603824daccb6936b079010bb2aa89464b"
+checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
 dependencies = [
 "backtrace",
 "failure_derive",
@@ -357,19 +365,19 @@ dependencies = [
 [[package]]
 name = "failure_derive"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
+checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 "synstructure",
 ]
 [[package]]
 name = "fido2luks"
-version = "0.2.8"
+version = "0.2.16"
 dependencies = [
 "ctap_hmac",
 "failure",
@@ -385,9 +393,9 @@ dependencies = [
 [[package]]
 name = "fnv"
-version = "1.0.6"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2fad85553e09a6f881f739c29f0b00b0f01357c743266d478b68951ce23285f3"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 [[package]]
 name = "fuchsia-cprng"
@@ -401,6 +409,12 @@ version = "0.3.55"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
 [[package]]
 name = "gimli"
 version = "0.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
 [[package]]
 name = "glob"
 version = "0.3.0"
@@ -418,9 +432,9 @@ dependencies = [
 [[package]]
 name = "hermit-abi"
-version = "0.1.12"
+version = "0.1.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61565ff7aaace3525556587bd2dc31d4a07071957be715e63ce7b1eccf51a8f4"
+checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
 dependencies = [
 "libc",
 ]
@@ -448,9 +462,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
 [[package]]
 name = "itoa"
-version = "0.4.5"
+version = "0.4.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8b7a7c0c47db5545ed3fef7468ee7bb5b74691498139e4b3f6a20685dc6dd8e"
+checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
 [[package]]
 name = "lazy_static"
@@ -460,21 +474,21 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 [[package]]
 name = "lazycell"
-version = "1.2.1"
+version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
+checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
 [[package]]
 name = "libc"
-version = "0.2.69"
+version = "0.2.76"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
+checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3"
 [[package]]
 name = "libcryptsetup-rs"
-version = "0.4.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38cd24132ee0239515bc895782f65ab3e382a0f78e7cee30417159e5c6f81b6b"
+checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
 dependencies = [
 "either",
 "libc",
@@ -487,9 +501,9 @@ dependencies = [
 [[package]]
 name = "libcryptsetup-rs-sys"
-version = "0.1.2"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c605998e81e2a99c1f4c5d0be45ea1df6f1dc45dc64f5ca2847b0dbebf49ae7"
+checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
 dependencies = [
 "bindgen",
 "cc",
@@ -509,9 +523,9 @@ dependencies = [
 [[package]]
 name = "log"
-version = "0.4.8"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
+checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
 dependencies = [
 "cfg-if",
 ]
@@ -530,18 +544,27 @@ checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
 [[package]]
 name = "memoffset"
-version = "0.5.4"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4fc2c02a7e374099d4ee95a193111f72d2110197fe200272371758f6c3643d8"
+checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 ]
 [[package]]
 name = "miniz_oxide"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722"
 dependencies = [
 "adler",
 ]
 [[package]]
 name = "nom"
-version = "5.1.1"
+version = "5.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b471253da97532da4b61552249c521e01e736071f71c1a4f7ebbfbf0a06aad6"
+checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
 dependencies = [
 "memchr",
 "version_check",
@@ -560,13 +583,19 @@ dependencies = [
 [[package]]
 name = "num-traits"
-version = "0.2.11"
+version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c62be47e61d1842b9170f0fdeec8eba98e60e90e5446449a0545e5152acd7096"
+checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 ]
 [[package]]
 name = "object"
 version = "0.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
 [[package]]
 name = "peeking_take_while"
 version = "0.1.2"
@@ -575,33 +604,31 @@ checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
 [[package]]
 name = "pkg-config"
-version = "0.3.17"
+version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
+checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
 [[package]]
 name = "proc-macro-error"
-version = "1.0.2"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "98e9e4b82e0ef281812565ea4751049f1bdcdfccda7d3f459f2e138a40c08678"
+checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
 dependencies = [
 "proc-macro-error-attr",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 "version_check",
 ]
 [[package]]
 name = "proc-macro-error-attr"
-version = "1.0.2"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f5444ead4e9935abd7f27dc51f7e852a0569ac888096d5ec2499470794e2e53"
+checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
 "syn 1.0.18",
 "syn-mid",
 "version_check",
 ]
@@ -616,11 +643,11 @@ dependencies = [
 [[package]]
 name = "proc-macro2"
-version = "1.0.10"
+version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df246d292ff63439fea9bc8c0a270bed0e390d5ebd4db4ba15aba81111b5abe3"
+checksum = "175c513d55719db99da20232b06cda8bab6b83ec2d04e3283edf0213c37c1a29"
 dependencies = [
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 [[package]]
@@ -640,11 +667,11 @@ dependencies = [
 [[package]]
 name = "quote"
-version = "1.0.3"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2bdc6c187c65bca4260c9011c9e3132efe4909da44726bad24cf7572ae338d7f"
+checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
 ]
 [[package]]
@@ -787,9 +814,9 @@ dependencies = [
 [[package]]
 name = "regex"
-version = "1.3.7"
+version = "1.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6020f034922e3194c711b82a627453881bc4682166cabb07134a10c26ba7692"
+checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -799,9 +826,9 @@ dependencies = [
 [[package]]
 name = "regex-syntax"
-version = "0.6.17"
+version = "0.6.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fe5bd57d1d7414c6b5ed48563a2c855d995ff777729dcd91c369ec7fea395ae"
+checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
 [[package]]
 name = "ring"
@@ -858,9 +885,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 [[package]]
 name = "ryu"
-version = "1.0.4"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed3d612bc64430efeb3f7ee6ef26d590dce0c43249217bddc62112540c7941e1"
+checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
 [[package]]
 name = "scopeguard"
@@ -885,26 +912,26 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
 [[package]]
 name = "serde"
-version = "1.0.106"
+version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
+checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
 [[package]]
 name = "serde_derive"
-version = "1.0.106"
+version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e549e3abf4fb8621bd1609f11dfc9f5e50320802273b12f3811a67e6716ea6c"
+checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 [[package]]
 name = "serde_json"
-version = "1.0.51"
+version = "1.0.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da07b57ee2623368351e9a0488bb0b261322a15a6e0ae53e243cbdc0f4208da9"
+checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
 dependencies = [
 "itoa",
 "ryu",
@@ -931,9 +958,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
 [[package]]
 name = "structopt"
-version = "0.3.14"
+version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "863246aaf5ddd0d6928dfeb1a9ca65f505599e4e1b399935ef7e75107516b4ef"
+checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5"
 dependencies = [
 "clap",
 "lazy_static",
@@ -942,15 +969,15 @@ dependencies = [
 [[package]]
 name = "structopt-derive"
-version = "0.4.7"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d239ca4b13aee7a2142e6795cbd69e457665ff8037aed33b3effdc430d2f927a"
+checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
 dependencies = [
 "heck",
 "proc-macro-error",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 [[package]]
@@ -966,36 +993,25 @@ dependencies = [
 [[package]]
 name = "syn"
-version = "1.0.18"
+version = "1.0.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213"
+checksum = "963f7d3cc59b59b9325165add223142bbf1df27655d07789f109896d353d8350"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 [[package]]
 name = "syn-mid"
 version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
 dependencies = [
 "proc-macro2 1.0.10",
 "quote 1.0.3",
 "syn 1.0.18",
 ]
 [[package]]
 name = "synstructure"
-version = "0.12.3"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
+checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 [[package]]
@@ -1027,11 +1043,12 @@ dependencies = [
 [[package]]
 name = "time"
-version = "0.1.43"
+version = "0.1.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
+checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
 dependencies = [
 "libc",
 "wasi",
 "winapi",
 ]
@@ -1043,9 +1060,9 @@ checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
 [[package]]
 name = "unicode-width"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "caaa9d531767d1ff2150b9332433f32a24622147e5ebb1f26409d5da67afd479"
+checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
 [[package]]
 name = "unicode-xid"
@@ -1055,9 +1072,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
 [[package]]
 name = "unicode-xid"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c"
+checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
 [[package]]
 name = "untrusted"
@@ -1076,15 +1093,21 @@ dependencies = [
 [[package]]
 name = "vec_map"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
+checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
 [[package]]
 name = "version_check"
-version = "0.9.1"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "078775d0255232fb988e6fccf26ddc9d1ac274299aaedcedce21c6f72cc533ce"
+checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
 [[package]]
 name = "wasi"
 version = "0.10.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
 [[package]]
 name = "which"
@@ -1097,9 +1120,9 @@ dependencies = [
 [[package]]
 name = "winapi"
-version = "0.3.8"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
 dependencies = [
 "winapi-i686-pc-windows-gnu",
 "winapi-x86_64-pc-windows-gnu",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.8"
+version = "0.2.16"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
@@ -11,7 +11,7 @@ repository = "https://github.com/shimunn/fido2luks"
 readme = "README.md"
 keywords = ["luks", "fido2", "u2f"]
 categories = ["command-line-utilities"]
-license-file = "LICENSE"
+license = "MPL-2.0"
 [dependencies]
 ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -25,9 +25,32 @@ serde_json = "1.0.51"
 serde_derive = "1.0.106"
 serde = "1.0.106"
 [build-dependencies]
 ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
 hex = "0.3.2"
 ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 libcryptsetup-rs = "0.4.1"
 structopt = "0.3.2"
 [profile.release]
 lto = true
 opt-level = 'z'
 panic = 'abort'
 incremental = false
 overflow-checks = false
 [package.metadata.deb]
 depends = "$auto, cryptsetup"
 build-depends = "libclang-dev, libcryptsetup-dev"
 extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 assets = [
    ["target/release/fido2luks", "usr/bin/", "755"],
    ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
    ["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
 ]
 conf-files = ["/etc/fido2luks.conf"]
--- a/1047
+++ b/1047
--- a/26
+++ b/26
@@ -0,0 +1,26 @@
 # Maintainer: shimunn <shimun@shimun.net>
 pkgname=fido2luks
 pkgver=0.2.12
 pkgrel=1
 makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
 depends=('cryptsetup')
 arch=('i686' 'x86_64' 'armv6h' 'armv7h')
 pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 url="https://github.com/shimunn/fido2luks"
 license=('MPL-2.0')
 pkgver() {
 	# Use tag version if possible otherwise concat project version and git ref
 	git describe --exact-match --tags HEAD 2> /dev/null || \
 		echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
 }
 build() {
    cargo build --release --locked --all-features --target-dir=target
 }
 package() {
    install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
    install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
 }
--- a/README.md
+++ b/README.md
@@ -1,8 +1,8 @@
 # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
-This will allow you to unlock your luks encrypted disk with an fido2 compatible key
+This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
-Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
 ## Setup
@@ -30,6 +30,8 @@ set -a
 . /etc/fido2luks.conf
 # Repeat for each luks volume
 # You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
 # enabling you to use `fido2luks open-token` without passing a credential as parameter
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 # Test(only works if the luks container isn't active)
@@ -63,7 +65,7 @@ cp /usr/bin/fido2luks /boot/fido2luks/
 cp /etc/fido2luks.conf /boot/fido2luks/
 ```
-## Test
+## Testing
 Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
@@ -71,6 +73,8 @@ Just reboot and see if it works, if that's the case you should remove your old l
 # Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
 # There is no turning back if you mess this up, make sure you made a backup
 # You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
 # which will enable you to use `fido2luks open-token` without passing a credential as parameter
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```
@@ -92,6 +96,13 @@ set -a
 Then add the new secret to each device and update dracut afterwards `dracut -f`
 ### Multiple keys
 Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
 ```
 FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
 ```
 ## Removal
 Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
@@ -103,3 +114,17 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
 ## License
 Licensed under
 * Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
 ### Contribution
 Unless you explicitly state otherwise, any contribution intentionally
 submitted for inclusion in the work by you, as defined in the MPL 2.0
 license, shall be licensed as above, without any additional terms or
 conditions.
--- a/build.rs
+++ b/build.rs
@@ -0,0 +1,24 @@
 #![allow(warnings)]
 #[macro_use]
 extern crate failure;
 extern crate ctap_hmac as ctap;
 #[path = "src/cli_args/mod.rs"]
 mod cli_args;
 #[path = "src/error.rs"]
 mod error;
 #[path = "src/util.rs"]
 mod util;
 use cli_args::Args;
 use std::env;
 use std::str::FromStr;
 use structopt::clap::Shell;
 use structopt::StructOpt;
 fn main() {
    // generate completion scripts, zsh does panic for some reason
    for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
        Args::clap().gen_completions(env!("CARGO_PKG_NAME"), Shell::from_str(shell).unwrap(), ".");
    }
 }
--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,61 @@
 {
  "nodes": {
    "naersk": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1612192764,
        "narHash": "sha256-7EnLtZQWP6511G1ZPA7FmJlqAr3hWsAYb24tvTvJ/ec=",
        "owner": "nmattia",
        "repo": "naersk",
        "rev": "6e149bfd726a8ebefa415f2d713ba6d942435abd",
        "type": "github"
      },
      "original": {
        "owner": "nmattia",
        "repo": "naersk",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1611910458,
        "narHash": "sha256-//j54S14v9lp3YKizS1WZW3WKwLjGTzvwhHfUAaRBPQ=",
        "path": "/nix/store/z5g10k571cc5q9yvr0bafzswp0ggawjw-source",
        "rev": "6e7f25001fe6874f7ae271891f709bbf50a22c45",
        "type": "path"
      },
      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "naersk": "naersk",
        "nixpkgs": "nixpkgs",
        "utils": "utils"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1610051610,
        "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,61 @@
 {
  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
  inputs = {
    utils.url = "github:numtide/flake-utils";
    naersk = {
      url = "github:nmattia/naersk";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, utils, naersk }:
    let
      root = ./.;
      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
      forPkgs = pkgs:
        let
          naersk-lib = naersk.lib."${pkgs.system}";
          buildInputs = with pkgs; [ cryptsetup ];
          LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
          nativeBuildInputs = with pkgs; [
            pkgconfig
            clang
          ];
        in
        rec {
          # `nix build`
          packages.${pname} = naersk-lib.buildPackage {
            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
          };
          defaultPackage = packages.${pname};
          # `nix run`
          apps.${pname} = utils.lib.mkApp {
            drv = packages.${pname};
          };
          defaultApp = apps.${pname};
          # `nix flake check`
          checks = {
            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
              cd ${root}
              cargo fmt -- --check
              nixpkgs-fmt --check *.nix
              touch $out
            '';
          };
          # `nix develop`
          devShell = pkgs.mkShell {
            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
            inherit buildInputs LIBCLANG_PATH;
          };
        };
      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
    in
    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
      overlay = final: prev: (forPkgs final).packages;
    };
 }
--- a/initramfs-tools/Makefile
+++ b/initramfs-tools/Makefile
@@ -0,0 +1,11 @@
 .PHONY: install
 install:
 	chmod +x hook/fido2luks.sh keyscript.sh
 	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
 	mkdir -p /usr/share/fido2luks
 	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
 	update-initramfs -u
 remove:
 	sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
 	rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
 	update-initramfs -u
--- a/initramfs-tools/README.md
+++ b/initramfs-tools/README.md
@@ -0,0 +1,34 @@
 ## Initramfs-tools based systems(Ubuntu and derivatives)
 For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
 ```
 sudo -s
 # Insert FIDO key.
 fido2luks credential
 # Tap FIDO key
 # Copy returned string <CREDENTIAL>
 nano /etc/fido2luks.conf
 # Insert <CREDENTIAL> 
 # FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL> 
 set -a
 . /etc/fido2luks.conf
 fido2luks -i add-key /dev/<LUKS PARTITION>
 # Current password: <Any current LUKS password>
 # Password: <Password used as FIDO challange>
 # Tap FIDO key
 nano /etc/crypttab
 # Append to end ",discard,initramfs,keyscript=fido2luks"
 # E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
 update-initramfs -u
 ```
 [Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
--- a/initramfs-tools/fido2luks.conf
+++ b/initramfs-tools/fido2luks.conf
@@ -0,0 +1,3 @@
 FIDO2LUKS_SALT=Ask
 #FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
 FIDO2LUKS_CREDENTIAL_ID=
--- a/initramfs-tools/hook/fido2luks.sh
+++ b/initramfs-tools/hook/fido2luks.sh
@@ -0,0 +1,14 @@
 #!/bin/sh
 case "$1" in
 prereqs)
 	echo ""
 	exit 0
 	;;
 esac
 . /usr/share/initramfs-tools/hook-functions
 copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
 copy_exec /usr/bin/fido2luks
 exit 0
--- a/initramfs-tools/keyscript.sh
+++ b/initramfs-tools/keyscript.sh
@@ -0,0 +1,14 @@
 #!/bin/sh
 set -a
 . /etc/fido2luks.conf
 if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
 	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
 fi
 if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
 	export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
 fi
 fido2luks print-secret --bin
--- a/initramfs-tools/setup.svg
+++ b/initramfs-tools/setup.svg
--- a/pam_mount/fido2luksmounthelper.sh
+++ b/pam_mount/fido2luksmounthelper.sh
@@ -0,0 +1,220 @@
 #!/bin/bash
 #
 # This is a rather minimal example Argbash potential
 # Example taken from http://argbash.readthedocs.io/en/stable/example.html
 #
 # ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
 # ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
 # ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
 # ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
 # ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
 # ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
 # ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
 # ARGBASH_GO()
 # needed because of Argbash --> m4_ignore([
 ### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
 # Argbash is a bash code generator used to get arguments parsing right.
 # Argbash is FREE SOFTWARE, see https://argbash.io for more info
 # Generated online by https://argbash.io/generate
 die()
 {
 	local _ret="${2:-1}"
 	test "${_PRINT_HELP:-no}" = yes && print_help >&2
 	echo "$1" >&2
 	exit "${_ret}"
 }
 begins_with_short_option()
 {
 	local first_option all_short_options='cdmash'
 	first_option="${1:0:1}"
 	test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
 }
 # THE DEFAULTS INITIALIZATION - POSITIONALS
 _positionals=()
 # THE DEFAULTS INITIALIZATION - OPTIONALS
 _arg_credentials_type=
 _arg_device=
 _arg_mount_point=
 _arg_ask_pin="off"
 _arg_salt=""
 print_help()
 {
 	printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
 	printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
 	printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
 	printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
 	printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
 	printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
 	printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
 	printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
 	printf '\t%s\n' "-h, --help: Prints help"
 }
 parse_commandline()
 {
 	_positionals_count=0
 	while test $# -gt 0
 	do
 		_key="$1"
 		case "$_key" in
 			-c|--credentials-type)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_credentials_type="$2"
 				shift
 				;;
 			--credentials-type=*)
 				_arg_credentials_type="${_key##--credentials-type=}"
 				;;
 			-c*)
 				_arg_credentials_type="${_key##-c}"
 				;;
 			-d|--device)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_device="$2"
 				shift
 				;;
 			--device=*)
 				_arg_device="${_key##--device=}"
 				;;
 			-d*)
 				_arg_device="${_key##-d}"
 				;;
 			-m|--mount-point)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_mount_point="$2"
 				shift
 				;;
 			--mount-point=*)
 				_arg_mount_point="${_key##--mount-point=}"
 				;;
 			-m*)
 				_arg_mount_point="${_key##-m}"
 				;;
 			-a|--no-ask-pin|--ask-pin)
 				_arg_ask_pin="on"
 				test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
 				;;
 			-a*)
 				_arg_ask_pin="on"
 				_next="${_key##-a}"
 				if test -n "$_next" -a "$_next" != "$_key"
 				then
 					{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
 				fi
 				;;
 			-s|--salt)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_salt="$2"
 				shift
 				;;
 			--salt=*)
 				_arg_salt="${_key##--salt=}"
 				;;
 			-s*)
 				_arg_salt="${_key##-s}"
 				;;
 			-h|--help)
 				print_help
 				exit 0
 				;;
 			-h*)
 				print_help
 				exit 0
 				;;
 			*)
 				_last_positional="$1"
 				_positionals+=("$_last_positional")
 				_positionals_count=$((_positionals_count + 1))
 				;;
 		esac
 		shift
 	done
 }
 handle_passed_args_count()
 {
 	local _required_args_string="'operation'"
 	test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
 	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
 }
 assign_positional_args()
 {
 	local _positional_name _shift_for=$1
 	_positional_names="_arg_operation "
 	shift "$_shift_for"
 	for _positional_name in ${_positional_names}
 	do
 		test $# -gt 0 || break
 		eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
 		shift
 	done
 }
 parse_commandline "$@"
 handle_passed_args_count
 assign_positional_args 1 "${_positionals[@]}"
 # OTHER STUFF GENERATED BY Argbash
 ### END OF CODE GENERATED BY Argbash (sortof) ### ])
 # [ <-- needed because of Argbash
 if [ -z ${_arg_mount_point} ]; then
  die "Missing '--mount-point' argument"
 fi
 if [ -z ${_arg_device} ]; then
  die "Missing '--device' argument"
 fi
 ASK_PIN=${_arg_ask_pin}
 OPERATION=${_arg_operation}
 DEVICE=${_arg_device}
 DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
 MOUNT_POINT=${_arg_mount_point}
 CREDENTIALS_TYPE=${_arg_credentials_type}
 SALT=${_arg_salt}
 CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
 if [ "${OPERATION}" == "mount" ]; then
 	if [ "${CREDENTIALS_TYPE}" == "external" ]; then
    if  [ -f ${CONF_FILE_PATH} ]; then
 			if [ "${ASK_PIN}" == "on" ]; then
 				read PASSWORD
 			fi
 			CREDENTIALS=$(<${CONF_FILE_PATH})
 		else
 			die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
 		fi
 		printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
 	elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
 		if [ "${ASK_PIN}" == "on" ]; then
 			read PASSWORD
 		fi
 		printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
 	else
 		die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
 	fi 
 	mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
 elif [ "${OPERATION}" == "umount" ]; then
  umount ${MOUNT_POINT}
  cryptsetup luksClose ${DEVICE_NAME}
 else
  die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
 fi
 exit 0
 # ] <-- needed because of Argbash
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -1,127 +1,36 @@
 use crate::error::*;
-use crate::luks;
+use crate::luks::{Fido2LuksToken, LuksDevice};
 use crate::util::sha256;
 use crate::*;
 use cli_args::*;
 use structopt::clap::Shell;
 use structopt::StructOpt;
 use ctap::{FidoCredential, FidoErrorKind};
 use failure::_core::fmt::{Display, Error, Formatter};
 use failure::_core::str::FromStr;
 use failure::_core::time::Duration;
 use std::io::Write;
 use std::process::exit;
 use std::thread;
-use crate::util::sha256;
+use std::io::{Read, Write};
 use std::str::FromStr;
 use std::thread;
 use std::time::Duration;
 use std::borrow::Cow;
 use std::collections::HashSet;
 use std::fs::File;
 use std::time::SystemTime;
-#[derive(Debug, Eq, PartialEq, Clone)]
+pub use cli_args::Args;
 pub struct HexEncoded(pub Vec<u8>);
-impl Display for HexEncoded {
+fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
-    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+    if let Some(src) = ap.pin_source.as_ref() {
-        f.write_str(&hex::encode(&self.0))
+        let mut pin = String::new();
        File::open(src)?.read_to_string(&mut pin)?;
        Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
    } else {
        util::read_password("Authenticator PIN", false)
    }
 }
 impl FromStr for HexEncoded {
    type Err = hex::FromHexError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(HexEncoded(hex::decode(s)?))
    }
 }
 #[derive(Debug, Eq, PartialEq, Clone)]
 pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
 impl<T: Display + FromStr> Display for CommaSeparated<T> {
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
        for i in &self.0 {
            f.write_str(&i.to_string())?;
            f.write_str(",")?;
        }
        Ok(())
    }
 }
 impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
    type Err = <T as FromStr>::Err;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(CommaSeparated(
            s.split(',')
                .map(|part| <T as FromStr>::from_str(part))
                .collect::<Result<Vec<_>, _>>()?,
        ))
    }
 }
 #[derive(Debug, StructOpt)]
 pub struct Credentials {
    /// FIDO credential ids, seperated by ',' generate using fido2luks credential
    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
    pub ids: CommaSeparated<HexEncoded>,
 }
 #[derive(Debug, StructOpt)]
 pub struct AuthenticatorParameters {
    /// Request a PIN to unlock the authenticator
    #[structopt(short = "P", long = "pin")]
    pub pin: bool,
    /// Await for an authenticator to be connected, timeout after n seconds
    #[structopt(
        long = "await-dev",
        name = "await-dev",
        env = "FIDO2LUKS_DEVICE_AWAIT",
        default_value = "15"
    )]
    pub await_time: u64,
 }
 #[derive(Debug, StructOpt)]
 pub struct LuksParameters {
    #[structopt(env = "FIDO2LUKS_DEVICE")]
    device: PathBuf,
    /// Try to unlock the device using a specifc keyslot, ignore all other slots
    #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
    slot: Option<u32>,
 }
 #[derive(Debug, StructOpt, Clone)]
 pub struct LuksModParameters {
    /// Number of milliseconds required to derive the volume decryption key
    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
    #[structopt(long = "kdf-time", name = "kdf-time")]
    kdf_time: Option<u64>,
 }
 #[derive(Debug, StructOpt)]
 pub struct SecretParameters {
    /// Salt for secret generation, defaults to 'ask'
    ///
    /// Options:{n}
    ///  - ask              : Prompt user using password helper{n}
    ///  - file:<PATH>      : Will read <FILE>{n}
    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
    #[structopt(
        name = "salt",
        long = "salt",
        env = "FIDO2LUKS_SALT",
        default_value = "ask"
    )]
    pub salt: InputSalt,
    /// Script used to obtain passwords, overridden by --interactive flag
    #[structopt(
        name = "password-helper",
        env = "FIDO2LUKS_PASSWORD_HELPER",
        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
    )]
    pub password_helper: PasswordHelper,
 }
 fn derive_secret(
    credentials: &[HexEncoded],
    salt: &[u8; 32],
@@ -158,136 +67,16 @@ fn derive_secret(
    Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
 }
 fn read_pin() -> Fido2LuksResult<String> {
    util::read_password("Authenticator PIN", false)
 }
 #[derive(Debug, StructOpt)]
 pub struct Args {
    /// Request passwords via Stdin instead of using the password helper
    #[structopt(short = "i", long = "interactive")]
    pub interactive: bool,
    #[structopt(subcommand)]
    pub command: Command,
 }
 #[derive(Debug, StructOpt, Clone)]
 pub struct OtherSecret {
    /// Use a keyfile instead of a password
    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
    keyfile: Option<PathBuf>,
    /// Use another fido device instead of a password
    /// Note: this requires for the credential fot the other device to be passed as argument as well
    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
    fido_device: bool,
 }
 #[derive(Debug, StructOpt)]
 pub enum Command {
    #[structopt(name = "print-secret")]
    PrintSecret {
        /// Prints the secret as binary instead of hex encoded
        #[structopt(short = "b", long = "bin")]
        binary: bool,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
    },
    /// Adds a generated key to the specified LUKS device
    #[structopt(name = "add-key")]
    AddKey {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        /// Will wipe all other keys
        #[structopt(short = "e", long = "exclusive")]
        exclusive: bool,
        /// Will add an token to your LUKS 2 header, including the credential id
        #[structopt(short = "t", long = "token")]
        token: bool,
        #[structopt(flatten)]
        existing_secret: OtherSecret,
        #[structopt(flatten)]
        luks_mod: LuksModParameters,
    },
    /// Replace a previously added key with a password
    #[structopt(name = "replace-key")]
    ReplaceKey {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        /// Add the password and keep the key
        #[structopt(short = "a", long = "add-password")]
        add_password: bool,
        /// Will add an token to your LUKS 2 header, including the credential id
        #[structopt(short = "t", long = "token")]
        token: bool,
        #[structopt(flatten)]
        replacement: OtherSecret,
        #[structopt(flatten)]
        luks_mod: LuksModParameters,
    },
    /// Open the LUKS device
    #[structopt(name = "open")]
    Open {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
        name: String,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        #[structopt(short = "r", long = "max-retries", default_value = "0")]
        retries: i32,
    },
    /// Open the LUKS device using credentials embedded in the LUKS 2 header
    #[structopt(name = "open-token")]
    OpenToken {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
        name: String,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        #[structopt(short = "r", long = "max-retries", default_value = "0")]
        retries: i32,
    },
    /// Generate a new FIDO credential
    #[structopt(name = "credential")]
    Credential {
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        /// Name to be displayed on the authenticator if it has a display
        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
        name: Option<String>,
    },
    /// Check if an authenticator is connected
    #[structopt(name = "connected")]
    Connected,
 }
 pub fn parse_cmdline() -> Args {
    Args::from_args()
 }
 pub fn prompt_interaction(interactive: bool) {
    if interactive {
        println!("Authorize using your FIDO device");
    }
 }
 pub fn run_cli() -> Fido2LuksResult<()> {
    let mut stdout = io::stdout();
    let args = parse_cmdline();
@@ -299,7 +88,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
        } => {
            let pin_string;
            let pin = if authenticator.pin {
-                pin_string = read_pin()?;
+                pin_string = read_pin(authenticator)?;
                Some(pin_string.as_ref())
            } else {
                None
@@ -316,7 +105,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
        } => {
            let pin_string;
            let pin = if authenticator.pin {
-                pin_string = read_pin()?;
+                pin_string = read_pin(authenticator)?;
                Some(pin_string.as_ref())
            } else {
                None
@@ -324,8 +113,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
                util::read_password_hashed("Password", false)
            } else {
-                secret.salt.obtain(&secret.password_helper)
+                secret.salt.obtain_sha256(&secret.password_helper)
            }?;
            prompt_interaction(interactive);
            let (secret, _cred) = derive_secret(
                credentials.ids.0.as_slice(),
                &salt,
@@ -360,7 +150,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            ..
        } => {
            let pin = if authenticator.pin {
-                Some(read_pin()?)
+                Some(read_pin(authenticator)?)
            } else {
                None
            };
@@ -368,10 +158,12 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                if interactive || secret.password_helper == PasswordHelper::Stdin {
                    util::read_password_hashed(q, verify)
                } else {
-                    secret.salt.obtain(&secret.password_helper)
+                    secret.salt.obtain_sha256(&secret.password_helper)
                }
            };
-            let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
+            let other_secret = |salt_q: &str,
                                verify: bool|
             -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
                match other_secret {
                    OtherSecret {
                        keyfile: Some(file),
@@ -379,40 +171,45 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    } => Ok((util::read_keyfile(file)?, None)),
                    OtherSecret {
                        fido_device: true, ..
-                    } => Ok(derive_secret(
+                    } => {
-                        &credentials.ids.0,
+                        prompt_interaction(interactive);
-                        &salt(salt_q, verify)?,
+                        Ok(derive_secret(
-                        authenticator.await_time,
+                            &credentials.ids.0,
-                        pin.as_deref(),
+                            &salt(salt_q, verify)?,
-                    )
+                            authenticator.await_time,
-                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
+                            pin.as_deref(),
-                    _ => Ok((util::read_password(salt_q, verify)?.as_bytes().to_vec(), None)),
+                        )
                        .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
                    }
                    _ => Ok((
                        util::read_password(salt_q, verify)?.as_bytes().to_vec(),
                        None,
                    )),
                }
            };
-            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+            let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
                prompt_interaction(interactive);
                derive_secret(
                    &credentials.ids.0,
-                    &salt("Password", verify)?,
+                    &salt(q, verify)?,
                    authenticator.await_time,
                    pin.as_deref(),
                )
            };
            let mut luks_dev = LuksDevice::load(&luks.device)?;
            // Non overlap
            match &args.command {
-                Command::AddKey {
+                Command::AddKey { exclusive, .. } => {
                    exclusive,  ..
                } => {
                    let (existing_secret, _) = other_secret("Current password", false)?;
-                    let (new_secret, cred) = secret(true)?;
+                    let (new_secret, cred) = secret("Password to be added", true)?;
-                    let added_slot = luks::add_key(
+                    let added_slot = luks_dev.add_key(
                        &luks.device,
                        &new_secret,
                        &existing_secret[..],
                        luks_mod.kdf_time.or(Some(10)),
                        Some(&cred.id[..]).filter(|_| *token),
                    )?;
                    if *exclusive {
-                        let destroyed = luks::remove_keyslots(&luks.device, &[added_slot])?;
+                        let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
                        println!(
                            "Added to key to device {}, slot: {}\nRemoved {} old keys",
                            luks.device.display(),
@@ -429,19 +226,17 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    Ok(())
                }
                Command::ReplaceKey { add_password, .. } => {
-                    let (existing_secret, _) = secret(false)?;
+                    let (existing_secret, _) = secret("Current password", false)?;
                    let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                    let slot = if *add_password {
-                        luks::add_key(
+                        luks_dev.add_key(
                            &luks.device,
                            &replacement_secret[..],
                            &existing_secret,
                            luks_mod.kdf_time,
                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
                        )
                    } else {
-                        luks::replace_key(
+                        luks_dev.replace_key(
                            &luks.device,
                            &replacement_secret[..],
                            &existing_secret,
                            luks_mod.kdf_time,
@@ -475,7 +270,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
        } => {
            let pin_string;
            let pin = if authenticator.pin {
-                pin_string = read_pin()?;
+                pin_string = read_pin(authenticator)?;
                Some(pin_string.as_ref())
            } else {
                None
@@ -484,12 +279,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                if interactive || secret.password_helper == PasswordHelper::Stdin {
                    util::read_password_hashed(q, verify)
                } else {
-                    secret.salt.obtain(&secret.password_helper)
+                    secret.salt.obtain_sha256(&secret.password_helper)
                }
            };
            // Cow shouldn't be necessary
            let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
                prompt_interaction(interactive);
                derive_secret(
                    credentials.as_ref(),
                    &salt("Password", false)?,
@@ -499,14 +295,12 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            };
            let mut retries = *retries;
            let mut luks_dev = LuksDevice::load(&luks.device)?;
            loop {
                let secret = match &args.command {
                    Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
-                        .and_then(|(secret, _cred)| {
+                        .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
-                            luks::open_container(&luks.device, &name, &secret, luks.slot)
+                    Command::OpenToken { .. } => luks_dev.activate_token(
                        }),
                    Command::OpenToken { .. } => luks::open_container_token(
                        &luks.device,
                        &name,
                        Box::new(|credentials: Vec<String>| {
                            let creds = credentials
@@ -516,6 +310,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                            secret(Cow::Owned(creds))
                                .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
                        }),
                        luks.slot,
                    ),
                    _ => unreachable!(),
                };
@@ -531,7 +326,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                        retries -= 1;
                        eprintln!("{}", e);
                    }
-                    res => break res,
+                    res => break res.map(|_| ()),
                }
            }
        }
@@ -542,5 +337,141 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            }
            _ => exit(1),
        },
        Command::Token(cmd) => match cmd {
            TokenCommand::List {
                device,
                csv: dump_credentials,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut creds = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    for cred in token.credential.iter() {
                        if !creds.contains(cred) {
                            creds.push(cred.clone());
                            if *dump_credentials {
                                print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
                            }
                        }
                    }
                    if *dump_credentials {
                        continue;
                    }
                    println!(
                        "{}:\n\tSlots: {}\n\tCredentials: {}",
                        id,
                        if token.keyslots.is_empty() {
                            "None".into()
                        } else {
                            token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
                        },
                        token
                            .credential
                            .iter()
                            .map(|cred| format!(
                                "{} ({})",
                                cred,
                                creds.iter().position(|c| c == cred).unwrap().to_string()
                            ))
                            .collect::<Vec<_>>()
                            .join(",")
                    );
                }
                if *dump_credentials {
                    println!();
                }
                Ok(())
            }
            TokenCommand::Add {
                device,
                credentials,
                slot,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut tokens = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if token.keyslots.contains(&slot.to_string()) {
                        tokens.push((id, token));
                    }
                }
                let count = if tokens.is_empty() {
                    dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
                    1
                } else {
                    tokens.len()
                };
                for (id, mut token) in tokens {
                    token
                        .credential
                        .extend(credentials.ids.0.iter().map(|h| h.to_string()));
                    dev.update_token(id, &token)?;
                }
                println!("Updated {} tokens", count);
                Ok(())
            }
            TokenCommand::Remove {
                device,
                credentials,
                token_id,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut tokens = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if let Some(token_id) = token_id {
                        if id == *token_id {
                            tokens.push((id, token));
                        }
                    } else {
                        tokens.push((id, token));
                    }
                }
                let count = tokens.len();
                for (id, mut token) in tokens {
                    token.credential = token
                        .credential
                        .into_iter()
                        .filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
                        .collect();
                    dev.update_token(id, &token)?;
                }
                println!("Updated {} tokens", count);
                Ok(())
            }
            TokenCommand::GC { device } => {
                let mut dev = LuksDevice::load(device)?;
                let mut creds: HashSet<String> = HashSet::new();
                let mut remove = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if token.keyslots.is_empty() || token.credential.is_empty() {
                        creds.extend(token.credential);
                        remove.push(id);
                    }
                }
                for id in remove.iter().rev() {
                    dev.remove_token(*id)?;
                }
                println!(
                    "Removed {} tokens, affected credentials: {}",
                    remove.len(),
                    creds.into_iter().collect::<Vec<_>>().join(",")
                );
                Ok(())
            }
        },
        Command::GenerateCompletions { shell, out_dir } => {
            Args::clap().gen_completions(
                env!("CARGO_PKG_NAME"),
                match shell.as_ref() {
                    "bash" => Shell::Bash,
                    "fish" => Shell::Fish,
                    _ => unreachable!("structopt shouldn't allow us to reach this point"),
                },
                &out_dir,
            );
            Ok(())
        }
    }
 }
--- a/src/cli_args/config.rs
+++ b/src/cli_args/config.rs
@@ -10,33 +10,33 @@ use std::process::Command;
 use std::str::FromStr;
 #[derive(Debug, Clone, PartialEq)]
-pub enum InputSalt {
+pub enum SecretInput {
    AskPassword,
    String(String),
    File { path: PathBuf },
 }
-impl Default for InputSalt {
+impl Default for SecretInput {
    fn default() -> Self {
-        InputSalt::AskPassword
+        SecretInput::AskPassword
    }
 }
-impl From<&str> for InputSalt {
+impl From<&str> for SecretInput {
    fn from(s: &str) -> Self {
        let mut parts = s.split(':');
        match parts.next() {
-            Some("ask") | Some("Ask") => InputSalt::AskPassword,
+            Some("ask") | Some("Ask") => SecretInput::AskPassword,
-            Some("file") => InputSalt::File {
+            Some("file") => SecretInput::File {
                path: parts.collect::<Vec<_>>().join(":").into(),
            },
-            Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")),
+            Some("string") => SecretInput::String(parts.collect::<Vec<_>>().join(":")),
            _ => Self::default(),
        }
    }
 }
-impl FromStr for InputSalt {
+impl FromStr for SecretInput {
    type Err = Fido2LuksError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
@@ -44,21 +44,42 @@ impl FromStr for InputSalt {
    }
 }
-impl fmt::Display for InputSalt {
+impl fmt::Display for SecretInput {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
        f.write_str(&match self {
-            InputSalt::AskPassword => "ask".to_string(),
+            SecretInput::AskPassword => "ask".to_string(),
-            InputSalt::String(s) => ["string", s].join(":"),
+            SecretInput::String(s) => ["string", s].join(":"),
-            InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"),
+            SecretInput::File { path } => ["file", path.display().to_string().as_str()].join(":"),
        })
    }
 }
-impl InputSalt {
+impl SecretInput {
-    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
+    pub fn obtain_string(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<String> {
        Ok(String::from_utf8(self.obtain(password_helper)?)?)
    }
    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<Vec<u8>> {
        let mut secret = Vec::new();
        match self {
            SecretInput::File { path } => {
                //TODO: replace with try_blocks
                let mut do_io = || File::open(path)?.read_to_end(&mut secret);
                do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
            }
            SecretInput::AskPassword => {
                secret.extend_from_slice(password_helper.obtain()?.as_bytes())
            }
            SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
        }
        Ok(secret)
    }
    pub fn obtain_sha256(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
        let mut digest = digest::Context::new(&digest::SHA256);
        match self {
-            InputSalt::File { path } => {
+            SecretInput::File { path } => {
                let mut do_io = || {
                    let mut reader = File::open(path)?;
                    let mut buf = [0u8; 512];
@@ -73,10 +94,7 @@ impl InputSalt {
                };
                do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
            }
-            InputSalt::AskPassword => {
+            _ => digest.update(self.obtain(password_helper)?.as_slice()),
                digest.update(password_helper.obtain()?.as_bytes());
            }
            InputSalt::String(s) => digest.update(s.as_bytes()),
        }
        let mut salt = [0u8; 32];
        salt.as_mut().copy_from_slice(digest.finish().as_ref());
@@ -135,10 +153,9 @@ impl PasswordHelper {
            Systemd => unimplemented!(),
            Stdin => Ok(util::read_password("Password", true)?),
            Script(password_helper) => {
-                let mut helper_parts = password_helper.split(' ');
+                let password = Command::new("sh")
-
+                    .arg("-c")
-                let password = Command::new((&mut helper_parts).next().unwrap())
+                    .arg(&password_helper)
                    .args(helper_parts)
                    .output()
                    .map_err(|e| Fido2LuksError::AskPassError {
                        cause: error::AskPassError::IO(e),
@@ -158,24 +175,30 @@ mod test {
    #[test]
    fn input_salt_from_str() {
        assert_eq!(
-            "file:/tmp/abc".parse::<InputSalt>().unwrap(),
+            "file:/tmp/abc".parse::<SecretInput>().unwrap(),
-            InputSalt::File {
+            SecretInput::File {
                path: "/tmp/abc".into()
            }
        );
        assert_eq!(
-            "string:abc".parse::<InputSalt>().unwrap(),
+            "string:abc".parse::<SecretInput>().unwrap(),
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
        );
        assert_eq!(
            "ask".parse::<SecretInput>().unwrap(),
            SecretInput::AskPassword
        );
        assert_eq!(
            "lol".parse::<SecretInput>().unwrap(),
            SecretInput::default()
        );
        assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
        assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
    }
    #[test]
    fn input_salt_obtain() {
        assert_eq!(
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
-                .obtain(&PasswordHelper::Stdin)
+                .obtain_sha256(&PasswordHelper::Stdin)
                .unwrap(),
            [
                186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,
--- a/src/cli_args/mod.rs
+++ b/src/cli_args/mod.rs
@@ -0,0 +1,293 @@
 use std::fmt::{Display, Error, Formatter};
 use std::path::PathBuf;
 use std::str::FromStr;
 use structopt::clap::AppSettings;
 use structopt::StructOpt;
 mod config;
 pub use config::*;
 #[derive(Debug, Eq, PartialEq, Clone)]
 pub struct HexEncoded(pub Vec<u8>);
 impl Display for HexEncoded {
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
        f.write_str(&hex::encode(&self.0))
    }
 }
 impl AsRef<[u8]> for HexEncoded {
    fn as_ref(&self) -> &[u8] {
        &self.0[..]
    }
 }
 impl FromStr for HexEncoded {
    type Err = hex::FromHexError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(HexEncoded(hex::decode(s)?))
    }
 }
 #[derive(Debug, Eq, PartialEq, Clone)]
 pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
 impl<T: Display + FromStr> Display for CommaSeparated<T> {
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
        for i in &self.0 {
            f.write_str(&i.to_string())?;
            f.write_str(",")?;
        }
        Ok(())
    }
 }
 impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
    type Err = <T as FromStr>::Err;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(CommaSeparated(
            s.split(',')
                .map(|part| <T as FromStr>::from_str(part))
                .collect::<Result<Vec<_>, _>>()?,
        ))
    }
 }
 #[derive(Debug, StructOpt)]
 pub struct Credentials {
    /// FIDO credential ids, separated by ',' generate using fido2luks credential
    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
    pub ids: CommaSeparated<HexEncoded>,
 }
 #[derive(Debug, StructOpt)]
 pub struct AuthenticatorParameters {
    /// Request a PIN to unlock the authenticator
    #[structopt(short = "P", long = "pin")]
    pub pin: bool,
    /// Location to read PIN from
    #[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
    pub pin_source: Option<PathBuf>,
    /// Await for an authenticator to be connected, timeout after n seconds
    #[structopt(
        long = "await-dev",
        name = "await-dev",
        env = "FIDO2LUKS_DEVICE_AWAIT",
        default_value = "15"
    )]
    pub await_time: u64,
 }
 #[derive(Debug, StructOpt)]
 pub struct LuksParameters {
    #[structopt(env = "FIDO2LUKS_DEVICE")]
    pub device: PathBuf,
    /// Try to unlock the device using a specifc keyslot, ignore all other slots
    #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
    pub slot: Option<u32>,
 }
 #[derive(Debug, StructOpt, Clone)]
 pub struct LuksModParameters {
    /// Number of milliseconds required to derive the volume decryption key
    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
    #[structopt(long = "kdf-time", name = "kdf-time")]
    pub kdf_time: Option<u64>,
 }
 #[derive(Debug, StructOpt)]
 pub struct SecretParameters {
    /// Salt for secret generation, defaults to 'ask'
    ///
    /// Options:{n}
    ///  - ask              : Prompt user using password helper{n}
    ///  - file:<PATH>      : Will read <FILE>{n}
    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
    #[structopt(
        name = "salt",
        long = "salt",
        env = "FIDO2LUKS_SALT",
        default_value = "ask"
    )]
    pub salt: SecretInput,
    /// Script used to obtain passwords, overridden by --interactive flag
    #[structopt(
        name = "password-helper",
        env = "FIDO2LUKS_PASSWORD_HELPER",
        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
    )]
    pub password_helper: PasswordHelper,
 }
 #[derive(Debug, StructOpt)]
 pub struct Args {
    /// Request passwords via Stdin instead of using the password helper
    #[structopt(short = "i", long = "interactive")]
    pub interactive: bool,
    #[structopt(subcommand)]
    pub command: Command,
 }
 #[derive(Debug, StructOpt, Clone)]
 pub struct OtherSecret {
    /// Use a keyfile instead of a password
    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
    pub keyfile: Option<PathBuf>,
    /// Use another fido device instead of a password
    /// Note: this requires for the credential fot the other device to be passed as argument as well
    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
    pub fido_device: bool,
 }
 #[derive(Debug, StructOpt)]
 pub enum Command {
    #[structopt(name = "print-secret")]
    PrintSecret {
        /// Prints the secret as binary instead of hex encoded
        #[structopt(short = "b", long = "bin")]
        binary: bool,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
    },
    /// Adds a generated key to the specified LUKS device
    #[structopt(name = "add-key")]
    AddKey {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        /// Will wipe all other keys
        #[structopt(short = "e", long = "exclusive")]
        exclusive: bool,
        /// Will add an token to your LUKS 2 header, including the credential id
        #[structopt(short = "t", long = "token")]
        token: bool,
        #[structopt(flatten)]
        existing_secret: OtherSecret,
        #[structopt(flatten)]
        luks_mod: LuksModParameters,
    },
    /// Replace a previously added key with a password
    #[structopt(name = "replace-key")]
    ReplaceKey {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        /// Add the password and keep the key
        #[structopt(short = "a", long = "add-password")]
        add_password: bool,
        /// Will add an token to your LUKS 2 header, including the credential id
        #[structopt(short = "t", long = "token")]
        token: bool,
        #[structopt(flatten)]
        replacement: OtherSecret,
        #[structopt(flatten)]
        luks_mod: LuksModParameters,
    },
    /// Open the LUKS device
    #[structopt(name = "open")]
    Open {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
        name: String,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        #[structopt(short = "r", long = "max-retries", default_value = "0")]
        retries: i32,
    },
    /// Open the LUKS device using credentials embedded in the LUKS 2 header
    #[structopt(name = "open-token")]
    OpenToken {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
        name: String,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        #[structopt(short = "r", long = "max-retries", default_value = "0")]
        retries: i32,
    },
    /// Generate a new FIDO credential
    #[structopt(name = "credential")]
    Credential {
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        /// Name to be displayed on the authenticator if it has a display
        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
        name: Option<String>,
    },
    /// Check if an authenticator is connected
    #[structopt(name = "connected")]
    Connected,
    Token(TokenCommand),
    /// Generate bash completion scripts
    #[structopt(name = "completions", setting = AppSettings::Hidden)]
    GenerateCompletions {
        /// Shell to generate completions for: bash, fish
        #[structopt(possible_values = &["bash", "fish"])]
        shell: String,
        out_dir: PathBuf,
    },
 }
 ///LUKS2 token related operations
 #[derive(Debug, StructOpt)]
 pub enum TokenCommand {
    /// List all tokens associated with the specified device
    List {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        /// Dump all credentials as CSV
        #[structopt(long = "csv")]
        csv: bool,
    },
    /// Add credential to a keyslot
    Add {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        #[structopt(flatten)]
        credentials: Credentials,
        /// Slot to which the credentials will be added
        #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
        slot: u32,
    },
    /// Remove credentials from token(s)
    Remove {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        #[structopt(flatten)]
        credentials: Credentials,
        /// Token from which the credentials will be removed
        #[structopt(long = "token")]
        token_id: Option<u32>,
    },
    /// Remove all unassigned tokens
    GC {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
    },
 }
--- a/src/error.rs
+++ b/src/error.rs
@@ -1,5 +1,9 @@
 use ctap::FidoError;
 use libcryptsetup_rs::LibcryptErr;
 use std::io;
 use std::io::ErrorKind;
 use std::string::FromUtf8Error;
 use Fido2LuksError::*;
 pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
@@ -75,10 +79,11 @@ impl LuksError {
    }
 }
-use libcryptsetup_rs::LibcryptErr;
+impl From<LuksError> for Fido2LuksError {
-use std::io::ErrorKind;
+    fn from(e: LuksError) -> Self {
-use std::string::FromUtf8Error;
+        Fido2LuksError::LuksError { cause: e }
-use Fido2LuksError::*;
+    }
 }
 impl From<FidoError> for Fido2LuksError {
    fn from(e: FidoError) -> Self {
--- a/src/luks.rs
+++ b/src/luks.rs
@@ -7,235 +7,321 @@ use libcryptsetup_rs::{
 use std::collections::{HashMap, HashSet};
 use std::path::Path;
-fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
+pub struct LuksDevice {
-    let mut device = CryptInit::init(path.as_ref())?;
+    device: CryptDevice,
-    device.context_handle().load::<()>(None, None)?;
+    luks2: Option<bool>,
    Ok(device)
 }
-fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> {
+impl LuksDevice {
-    match device.format_handle().get_type()? {
+    pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
-        EncryptionFormat::Luks2 => Ok(()),
+        let mut device = CryptInit::init(path.as_ref())?;
-        _ => Err(Fido2LuksError::LuksError {
+        device.context_handle().load::<()>(None, None)?;
-            cause: LuksError::Luks2Required,
+        Ok(Self {
-        }),
+            device,
            luks2: None,
        })
    }
    pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
        if let Some(luks2) = self.luks2 {
            Ok(luks2)
        } else {
            self.luks2 = Some(match self.device.format_handle().get_type()? {
                EncryptionFormat::Luks2 => true,
                _ => false,
            });
            self.is_luks2()
        }
    }
    fn require_luks2(&mut self) -> Fido2LuksResult<()> {
        if !self.is_luks2()? {
            return Err(LuksError::Luks2Required.into());
        }
        Ok(())
    }
    pub fn tokens<'a>(
        &'a mut self,
    ) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
    {
        self.require_luks2()?;
        Ok(Box::new(
            (0..32)
                .map(move |i| {
                    let status = match self.device.token_handle().status(i) {
                        Ok(status) => status,
                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
                    };
                    match status {
                        CryptTokenInfo::Inactive => return None,
                        CryptTokenInfo::Internal(s)
                        | CryptTokenInfo::InternalUnknown(s)
                        | CryptTokenInfo::ExternalUnknown(s)
                        | CryptTokenInfo::External(s)
                            if &s != Fido2LuksToken::default_type() =>
                        {
                            return None
                        }
                        _ => (),
                    };
                    let json = match self.device.token_handle().json_get(i) {
                        Ok(json) => json,
                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
                    };
                    let info: Fido2LuksToken =
                        match serde_json::from_value(json.clone()).map_err(|_| {
                            Fido2LuksError::LuksError {
                                cause: LuksError::InvalidToken(json.to_string()),
                            }
                        }) {
                            Ok(info) => info,
                            Err(err) => return Some(Err(Fido2LuksError::from(err))),
                        };
                    Some(Ok((i, info)))
                })
                .filter_map(|o| o),
        ))
    }
    pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
        let slot_str = slot.to_string();
        for token in self.tokens()? {
            let (id, token) = token?;
            if token.keyslots.contains(&slot_str) {
                return Ok(Some((id, token)));
            }
        }
        Ok(None)
    }
    pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
        Ok(())
    }
    pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::RemoveToken(token))?;
        Ok(())
    }
    pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::ReplaceToken(
                token,
                &serde_json::to_value(&data).unwrap(),
            ))?;
        Ok(())
    }
    pub fn add_key(
        &mut self,
        secret: &[u8],
        old_secret: &[u8],
        iteration_time: Option<u64>,
        credential_id: Option<&[u8]>,
    ) -> Fido2LuksResult<u32> {
        if let Some(millis) = iteration_time {
            self.device.settings_handle().set_iteration_time(millis)
        }
        let slot = self
            .device
            .keyslot_handle()
            .add_by_passphrase(None, old_secret, secret)?;
        if let Some(id) = credential_id {
            self.device.token_handle().json_set(TokenInput::AddToken(
                &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
            ))?;
        }
        Ok(slot)
    }
    pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
        let mut destroyed = 0;
        let mut tokens = Vec::new();
        for slot in 0..256 {
            match self.device.keyslot_handle().status(slot)? {
                KeyslotInfo::Inactive => continue,
                KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
                    if self.is_luks2()? {
                        if let Some((id, _token)) = self.find_token(slot)? {
                            tokens.push(id);
                        }
                    }
                    self.device.keyslot_handle().destroy(slot)?;
                    destroyed += 1;
                }
                KeyslotInfo::ActiveLast => break,
                _ => (),
            }
            if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
                break;
            }
        }
        // Ensure indices stay valid
        tokens.sort();
        for token in tokens.iter().rev() {
            self.remove_token(*token)?;
        }
        Ok(destroyed)
    }
    pub fn replace_key(
        &mut self,
        secret: &[u8],
        old_secret: &[u8],
        iteration_time: Option<u64>,
        credential_id: Option<&[u8]>,
    ) -> Fido2LuksResult<u32> {
        if let Some(millis) = iteration_time {
            self.device.settings_handle().set_iteration_time(millis)
        }
        // Use activate dry-run to locate keyslot
        let slot = self.device.activate_handle().activate_by_passphrase(
            None,
            None,
            old_secret,
            CryptActivateFlags::empty(),
        )?;
        self.device.keyslot_handle().change_by_passphrase(
            Some(slot),
            Some(slot),
            old_secret,
            secret,
        )? as u32;
        if let Some(id) = credential_id {
            if self.is_luks2()? {
                let token = self.find_token(slot)?.map(|(t, _)| t);
                let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
                if let Some(token) = token {
                    self.device
                        .token_handle()
                        .json_set(TokenInput::ReplaceToken(token, &json))?;
                } else {
                    self.device
                        .token_handle()
                        .json_set(TokenInput::AddToken(&json))?;
                }
            }
        }
        Ok(slot)
    }
    pub fn activate(
        &mut self,
        name: &str,
        secret: &[u8],
        slot_hint: Option<u32>,
    ) -> Fido2LuksResult<u32> {
        self.device
            .activate_handle()
            .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
            .map_err(LuksError::activate)
    }
    pub fn activate_token(
        &mut self,
        name: &str,
        secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
        slot_hint: Option<u32>,
    ) -> Fido2LuksResult<u32> {
        if !self.is_luks2()? {
            return Err(LuksError::Luks2Required.into());
        }
        let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
        for token in self.tokens()? {
            let token = match token {
                Ok((_id, t)) => t,
                _ => continue, // An corrupted token should't lock the user out
            };
            let slots = || {
                token
                    .keyslots
                    .iter()
                    .filter_map(|slot| slot.parse::<u32>().ok())
            };
            for cred in token.credential.iter() {
                creds
                    .entry(cred.clone())
                    .or_insert_with(|| slots().collect::<HashSet<u32>>())
                    .extend(slots());
            }
        }
        if creds.is_empty() {
            return Err(Fido2LuksError::LuksError {
                cause: LuksError::NoToken,
            });
        }
        let (secret, credential) = secret(creds.keys().cloned().collect())?;
        let empty;
        let slots = if let Some(slots) = creds.get(&credential) {
            slots
        } else {
            empty = HashSet::new();
            &empty
        };
        //Try slots associated with the credential used
        let slots = slots.iter().cloned().map(Option::Some).chain(
            std::iter::once(slot_hint) // Try slot hint if there is one
                .take(slot_hint.is_some() as usize)
                .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
        );
        for slot in slots {
            match self.activate(name, &secret, slot) {
                Err(Fido2LuksError::WrongSecret) => (),
                res => return res,
            }
        }
        Err(Fido2LuksError::WrongSecret)
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
-struct Fido2LuksToken {
+pub struct Fido2LuksToken {
    #[serde(rename = "type")]
-    type_: String,
+    pub type_: String,
-    credential: Vec<String>,
+    pub credential: HashSet<String>,
-    keyslots: Vec<String>,
+    pub keyslots: HashSet<String>,
 }
 impl Fido2LuksToken {
-    fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
+    pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
        Self::with_credentials(std::iter::once(credential_id), slot)
    }
    pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
        credentials: I,
        slot: u32,
    ) -> Self {
        Self {
-            type_: "fido2luks\0".into(), // Doubles as c style string
+            credential: credentials
-            credential: vec![hex::encode(credential_id)],
+                .into_iter()
-            keyslots: vec![slot.to_string()],
+                .map(|cred| hex::encode(cred.as_ref()))
                .collect(),
            keyslots: vec![slot.to_string()].into_iter().collect(),
            ..Default::default()
        }
    }
    pub fn default_type() -> &'static str {
        "fido2luks"
    }
 }
-pub fn open_container<P: AsRef<Path>>(
+impl Default for Fido2LuksToken {
-    path: P,
+    fn default() -> Self {
-    name: &str,
+        Self {
-    secret: &[u8],
+            type_: Self::default_type().into(),
-    slot_hint: Option<u32>,
+            credential: HashSet::new(),
-) -> Fido2LuksResult<()> {
+            keyslots: HashSet::new(),
    let mut device = load_device_handle(path)?;
    device
        .activate_handle()
        .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
        .map(|_slot| ())
        .map_err(|_e| Fido2LuksError::WrongSecret)
 }
 pub fn open_container_token<P: AsRef<Path>>(
    path: P,
    name: &str,
    secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
 ) -> Fido2LuksResult<()> {
    let mut device = load_device_handle(path)?;
    check_luks2(&mut device)?;
    let mut creds = HashMap::new();
    for i in 0..256 {
        let status = device.token_handle().status(i)?;
        match status {
            CryptTokenInfo::Inactive => break,
            CryptTokenInfo::Internal(s)
            | CryptTokenInfo::InternalUnknown(s)
            | CryptTokenInfo::ExternalUnknown(s)
            | CryptTokenInfo::External(s)
                if &s != "fido2luks" =>
            {
                continue
            }
            _ => (),
        };
        let json = device.token_handle().json_get(i)?;
        let info: Fido2LuksToken =
            serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
                cause: LuksError::InvalidToken(json.to_string()),
            })?;
        let slots = || {
            info.keyslots
                .iter()
                .filter_map(|slot| slot.parse::<u32>().ok())
        };
        for cred in info.credential.iter().cloned() {
            creds
                .entry(cred)
                .or_insert_with(|| slots().collect::<HashSet<u32>>())
                .extend(slots());
        }
    }
    if creds.is_empty() {
        return Err(Fido2LuksError::LuksError {
            cause: LuksError::NoToken,
        });
    }
    let (secret, credential) = secret(creds.keys().cloned().collect())?;
    let slots = creds.get(&credential).unwrap();
    let slots = slots
        .iter()
        .cloned()
        .map(Option::Some)
        .chain(std::iter::once(None).take(slots.is_empty() as usize));
    for slot in slots {
        match device
            .activate_handle()
            .activate_by_passphrase(Some(name), slot, &secret, CryptActivateFlags::empty())
            .map(|_slot| ())
            .map_err(LuksError::activate)
        {
            Err(Fido2LuksError::WrongSecret) => (),
            res => return res,
        }
    }
    Err(Fido2LuksError::WrongSecret)
 }
 pub fn add_key<P: AsRef<Path>>(
    path: P,
    secret: &[u8],
    old_secret: &[u8],
    iteration_time: Option<u64>,
    credential_id: Option<&[u8]>,
 ) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    if let Some(millis) = iteration_time {
        device.settings_handle().set_iteration_time(millis)
    }
    let slot = device
        .keyslot_handle()
        .add_by_passphrase(None, old_secret, secret)?;
    if let Some(id) = credential_id {
        /*  if let e @ Err(_) = check_luks2(&mut device) {
            //rollback
            device.keyslot_handle(Some(slot)).destroy()?;
            return e.map(|_| 0u32);
        }*/
        device.token_handle().json_set(TokenInput::AddToken(
            &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
        ))?;
    }
    Ok(slot)
 }
 fn find_token(
    device: &mut CryptDevice,
    slot: u32,
 ) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
    for i in 0..256 {
        let status = device.token_handle().status(i)?;
        match status {
            CryptTokenInfo::Inactive => break,
            CryptTokenInfo::Internal(s)
            | CryptTokenInfo::InternalUnknown(s)
            | CryptTokenInfo::ExternalUnknown(s)
            | CryptTokenInfo::External(s)
                if &s != "fido2luks" =>
            {
                continue
            }
            _ => (),
        };
        let json = device.token_handle().json_get(i)?;
        let info: Fido2LuksToken =
            serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
                cause: LuksError::InvalidToken(json.to_string()),
            })?;
        if info.keyslots.contains(&slot.to_string()) {
            return Ok(Some((i, info)));
        }
    }
    Ok(None)
 }
 pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    let mut destroyed = 0;
    let mut tokens = Vec::new();
    for slot in 0..256 {
        match device.keyslot_handle().status(slot)? {
            KeyslotInfo::Inactive => continue,
            KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
                if let Ok(_) = check_luks2(&mut device) {
                    if let Some((token, _)) = find_token(&mut device, slot)? {
                        tokens.push(token);
                    }
                }
                device.keyslot_handle().destroy(slot)?;
                destroyed += 1;
            }
            KeyslotInfo::ActiveLast => break,
            _ => (),
        }
        if device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
            break;
        }
    }
    // Ensure indices stay valid
    tokens.sort();
    for token in tokens.iter().rev() {
        device
            .token_handle()
            .json_set(TokenInput::RemoveToken(*token))?;
    }
    Ok(destroyed)
 }
 pub fn replace_key<P: AsRef<Path>>(
    path: P,
    secret: &[u8],
    old_secret: &[u8],
    iteration_time: Option<u64>,
    credential_id: Option<&[u8]>,
 ) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    // Set iteration time not sure wether this applies to luks2 as well
    if let Some(millis) = iteration_time {
        device.settings_handle().set_iteration_time(millis)
    }
    let slot = device
        .keyslot_handle()
        .change_by_passphrase(None, None, old_secret, secret)? as u32;
    if let Some(id) = credential_id {
        if check_luks2(&mut device).is_ok() {
            let token = find_token(&mut device, slot)?.map(|(t, _)| t);
            if let Some(token) = token {
                device.token_handle().json_set(TokenInput::ReplaceToken(
                    token,
                    &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
                ))?;
            }
        }
    }
    Ok(slot)
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -4,15 +4,13 @@ extern crate ctap_hmac as ctap;
 #[macro_use]
 extern crate serde_derive;
 use crate::cli::*;
 use crate::config::*;
 use crate::device::*;
 use crate::error::*;
 use std::io;
 use std::path::PathBuf;
 use std::process::exit;
 mod cli;
-mod config;
+pub mod cli_args;
 mod device;
 mod error;
 mod luks;
@@ -21,10 +19,7 @@ mod util;
 fn main() -> Fido2LuksResult<()> {
    match run_cli() {
        Err(e) => {
            #[cfg(debug_assertions)]
            eprintln!("{:?}", e);
            #[cfg(not(debug_assertions))]
            eprintln!("{}", e);
            exit(e.exit_code())
        }
        _ => exit(0),
Author	SHA1	Message	Date
shimun	b3495c45f3	add nix flake	2021-02-08 16:06:56 +01:00
shimunn	17ca487b85	Obvious password promt (#29 ) * obvious password promt * prompt interaction with FIDO device	2021-02-08 15:58:41 +01:00
shimun	b0404f2fc1	minimum YubiKey firmware version Some checks reported errors continuous-integration/drone/push Build encountered an error Details	2020-11-17 13:05:45 +01:00
shimunn	de21e3ef8d	Merge pull request #21 from aacebedo/master Added an helper script to be used with pam_mount	2020-11-01 21:18:13 +01:00
Alexandre ACEBEDO	8a7b3addbb	Added an helper script to be used with pam_mount	2020-11-01 18:21:04 +01:00
shimun	e7e44cd61b	fix test All checks were successful continuous-integration/drone/push Build is passing Details	2020-10-13 14:17:22 +02:00
shimun	0ec859f4a6	remove trailing newline from pin Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-25 12:40:34 +02:00
shimun	55bae4161e	add credentials situated in the luks header to credential list Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-19 18:23:21 +02:00
shimun	086c1a0594	file path must be relative to src Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-05 19:35:36 +02:00
shimun	c2e38eb06f	generate shell completions during build Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is failing Details	2020-09-05 18:52:07 +02:00
shimun	03ef5721e0	bump version All checks were successful continuous-integration/drone/tag Build is passing Details continuous-integration/drone/push Build is passing Details	2020-09-03 14:56:36 +02:00
shimun	008e644024	auto detect current version	2020-09-03 14:56:22 +02:00
shimun	e1f762ddc9	add subcommand to generate bash completions All checks were successful continuous-integration/drone/push Build is passing Details	2020-09-03 14:45:52 +02:00
Saravanan Palanisamy	2266754a95	create PKGBUILD file for archlinux package (#17 ) Some checks reported errors continuous-integration/drone/push Build encountered an error Details * create PKGBUILD file * use build & install method * add package dependencies	2020-09-02 14:14:40 +02:00
shimun	8811cff6d1	0.2.12 All checks were successful continuous-integration/drone/tag Build is passing Details	2020-08-31 00:04:24 +02:00
shimun	99787b614c	Merge branch 'pin_source' into master Some checks reported errors continuous-integration/drone/push Build encountered an error Details	2020-08-31 00:00:42 +02:00
shimun	ee28f87148	always print the full error message All checks were successful continuous-integration/drone/push Build is passing Details	2020-08-30 17:09:57 +02:00
shimun	196356fe3b	structopt does not allow for flags to be linked to env atm	2020-08-25 21:47:25 +02:00
shimun	3ff7e698bd	add flag to read pin from alternate source Some checks reported errors continuous-integration/drone/push Build encountered an error Details	2020-08-25 21:26:30 +02:00
shimun	04d0d60fb3	use ubuntu as base image Some checks reported errors continuous-integration/drone/tag Build is passing Details continuous-integration/drone/push Build was killed Details	2020-08-16 15:30:20 +02:00
shimun	e64f777c54	use sh to run password helper	2020-08-16 13:42:54 +02:00
shimun	8465949b44	spell promPt correctly	2020-08-16 13:42:35 +02:00
shimunn	06bed03e7b	Merge pull request #13 from Andrew-Finn/master Added documentation and tweaked readme	2020-08-14 12:40:02 +02:00
Andrew-Finn	36f82e7c3a	Added and edited documentation	2020-08-14 11:36:25 +01:00
shimun	cd90564f60	protect fido2luks.conf from being overwritten Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is failing Details	2020-08-11 23:08:12 +02:00
shimun	0f6d79a7e4	get plymouth to display a message Some checks failed continuous-integration/drone/push Build is failing Details	2020-08-11 22:41:21 +02:00
shimun	4136b1bfad	relicense to MPL Some checks failed continuous-integration/drone/push Build is failing Details	2020-07-27 09:22:02 +02:00
shimun	81016a1a42	require MPL for new contributions Some checks failed continuous-integration/drone/push Build is failing Details	2020-07-26 21:11:03 +02:00
shimun	840868468b	cargo-deb meta All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-04 21:32:21 +02:00
shimun	97880e4f41	refuse removal while crypttab depends on keyscript All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 16:21:35 +02:00
shimun	e798ba5c70	remove keyscript aswell All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 15:59:12 +02:00
shimun	298e05fed7	initramfs-tools All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 15:55:23 +02:00
shimun	a498e1416f	automate cargo publish Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is failing Details	2020-06-23 23:55:07 +02:00
shimun	92e413de50	refactored luks operations All checks were successful continuous-integration/drone/push Build is passing Details	2020-06-22 20:47:19 +00:00
shimun	023399bb14	use unstable cryptsetup Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-22 18:17:10 +02:00
shimun	a53a430c23	update drone Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-21 22:16:45 +02:00
shimun	5f107cd337	add non existing token Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-19 20:09:36 +02:00
shimun	ddfd24a098	ensure replace_key uses the same slot	2020-06-19 20:05:05 +02:00
shimun	743edf668a	document --token	2020-06-13 14:35:46 +02:00