chore: update flake.lock

flake.lock: Update
Flake input changes: * Updated 'naersk': 'github:nmattia/naersk/6e149bfd726a8ebefa415f2d713ba6d942435abd' -> 'github:nmattia/naersk/df71f5e4babda41cd919a8684b72218e2e809fa9' * Updated 'nixpkgs': 'github:NixOS/nixpkgs/2118cf551b9944cfdb929b8ea03556f097dd0381' -> 'github:NixOS/nixpkgs/01ee7961039dabf15caca202c3416451e5290ff4' * Updated 'utils': 'github:numtide/flake-utils/3982c9903e93927c2164caa727cd3f6a0e6d14cc' -> 'github:numtide/flake-utils/997f7efcb746a9c140ce1f13c72263189225f482'
2021-12-11 11:43:25 +01:00 · 2021-09-05 16:11:04 +02:00 · 2021-07-28 19:27:42 +02:00 · 2021-07-28 13:19:25 +02:00 · 2021-07-26 18:46:10 +02:00 · 2021-07-16 19:08:23 +02:00
35 changed files with 3699 additions and 1522 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -3,32 +3,25 @@ name: default
 steps:
 - name: fmt
-   image: rust:1.37.0
+   image: rust:1.43.0
   commands:
-     -  rustup component add rustfmt
+     - rustup component add rustfmt
-     -  cargo fmt --all -- --check
+     - cargo fmt --all -- --check
 - name: test
-   image: rust:1.37.0
+   image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
   environment:
    DEBIAN_FRONTEND: noninteractive
   commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - cargo test --locked
-    - cargo test
+ - name: publish
-
+   image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
- - name: build
+   environment:
-   image: rust:1.37.0
+    DEBIAN_FRONTEND: noninteractive
    CARGO_REGISTRY_TOKEN:
     from_secret: cargo_tkn
   commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-    - cargo install -f --path . --root .
+    - cargo package --all-features --allow-dirty
    - cargo publish --all-features --allow-dirty
   when:
    event: tag
 - name: publish
   image: plugins/github-release
   settings:
     api_key:
      from_secret: github_release
     files:
      - bin/fido2luks
     checksum:
      - md5
      - sha256
   when:
    event: tag    
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,9 @@
 **/*.rs.bk
 .idea/
 *.iml
 fido2luks.bash
 fido2luks.elv
 fido2luks.fish
 fido2luks.zsh
 result
 result-*
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,11 @@
 ## 0.3.0
 * LUKS2 Tokens are now supported by every subcommand
 * `<credential>` has been converted into the flag `--creds`  
 credentials provided by `--creds` will be supplemented from the LUKS header unless this is disabled by `--disable-token`
 * `fido2luks add-key` will take an `--auto-cred` flag which allows for credentials to be generated and stored without having to use `fido2luks credential`  
 `fido2luks replace-key` will allow for credentials to be removed using the `--remove-cred` flag respectively 
 * Removed `fido2luks open-token` subcommand  
  `fido2luks open` now fulfills both functions
 * Added `fido2luks open --dry-run` flag, to perform the whole procedure apart from mounting the LUKS volume
 * Added an `--verbose` flag to display additional information like credentials and keyslots used if desired
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.4"
+version = "0.3.0"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
@@ -11,18 +11,28 @@ repository = "https://github.com/shimunn/fido2luks"
 readme = "README.md"
 keywords = ["luks", "fido2", "u2f"]
 categories = ["command-line-utilities"]
-license-file = "LICENSE"
+license = "MPL-2.0"
 [dependencies]
-ctap_hmac = "0.2.1"
+ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
 hex = "0.3.2"
 ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
-libcryptsetup-rs = "0.2.0"
+libcryptsetup-rs = "0.4.2"
 serde_json = "1.0.51"
 serde_derive = "1.0.116"
 serde = "1.0.116"
 [build-dependencies]
 ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
 hex = "0.3.2"
 ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 libcryptsetup-rs = "0.4.1"
 structopt = "0.3.2"
 [profile.release]
 lto = true
@@ -30,3 +40,16 @@ opt-level = 'z'
 panic = 'abort'
 incremental = false
 overflow-checks = false
 [package.metadata.deb]
 depends = "$auto, cryptsetup"
 build-depends = "libclang-dev, libcryptsetup-dev"
 extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 assets = [
    ["target/release/fido2luks", "usr/bin/", "755"],
    ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
 ]
 conf-files = ["/etc/fido2luks.conf"]
--- a/1047
+++ b/1047
--- a/37
+++ b/37
@@ -0,0 +1,37 @@
 # Maintainer: shimunn <shimun@shimun.net>
 pkgname=fido2luks-git
 pkgver=0.2.16.7e6b33a
 pkgrel=1
 makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
 depends=('cryptsetup')
 arch=('i686' 'x86_64' 'armv6h' 'armv7h')
 pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 url="https://github.com/shimunn/fido2luks"
 license=('MPL-2.0')
 source=('git+https://github.com/shimunn/fido2luks')
 sha512sums=('SKIP')
 pkgver() {
    cd fido2luks
    # Use tag version if possible otherwise concat project version and git ref
    git describe --exact-match --tags HEAD 2>/dev/null ||
        echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
 }
 build() {
    cd fido2luks
    cargo build --release --locked --all-features --target-dir=target
 }
 package() {
    cd fido2luks
    install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
    install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
    install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
    install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
    install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
    install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
 }
--- a/README.md
+++ b/README.md
@@ -1,15 +1,15 @@
 # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
-This will allow you to unlock your luks encrypted disk with an fido2 compatible key
+This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
-Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
 ## Setup
 ### Prerequisites
 ```
-dnf install cargo cryptsetup-devel -y
+dnf install clang cargo cryptsetup-devel -y
 ```
 ### Device
@@ -30,6 +30,8 @@ set -a
 . /etc/fido2luks.conf
 # Repeat for each luks volume
 # You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
 # enabling you to use `fido2luks open-token` without passing a credential as parameter
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 # Test(only works if the luks container isn't active)
@@ -63,7 +65,7 @@ cp /usr/bin/fido2luks /boot/fido2luks/
 cp /etc/fido2luks.conf /boot/fido2luks/
 ```
-## Test
+## Testing
 Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
@@ -71,6 +73,8 @@ Just reboot and see if it works, if that's the case you should remove your old l
 # Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
 # There is no turning back if you mess this up, make sure you made a backup
 # You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
 # which will enable you to use `fido2luks open-token` without passing a credential as parameter
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```
@@ -92,6 +96,13 @@ set -a
 Then add the new secret to each device and update dracut afterwards `dracut -f`
 ### Multiple keys
 Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
 ```
 FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
 ```
 ## Removal
 Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
@@ -103,3 +114,47 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
 ## Theory of operation
 fido2luks builds on two basic building blocks, LUKS as an abstraction over linux disk encryption and and the FIDO2 extension [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension).
 The `hmac-secret` extension allows for an secret to be dervied on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FID2 device. The output of the `hmac-secret` function will then be used to decrypt the LUKS header which in turn is used to decrypt the disk.
 ```
        +-------------------------------------------------------------------------------+
        |                                                                               |
        |                       +-----------------------------------------+             |
        |                       |               FIDO2 device              |             |
        |                       |                                         |             |
        |                       |                                         |             |
 +-------+--------+   +------+   |                      +---------------+  |             |             +------------------------+
 | Salt/Password  +-> |sha256+------------------------> |               |  |             v             |      LUKS header       |
 +----------------+   +------+   |                      |               |  |                           |                        |           +---------------+   
                                |                      |               |  |        +--------+         +------------------------+-------->  |Disk master key| 
                                |                      |  sha256_hmac  +---------> | sha256 +-------> | Keyslot 1              |           +---------------+ 
 +----------------+              |  +----------+        |               |  |        +--------+         +------------------------+
 | FIDO credential+---------------> |Credential| +----> |               |  |                           | Keyslot 2              |
 +----------------+              |  |secret    |        |               |  |                           +------------------------+
                                |  +----------+        +---------------+  |
                                |                                         |
                                |                                         |
                                +-----------------------------------------+
 ```
 Since all these components build upon each other losing or damaging just one of them will render the disk undecryptable, it's threfore of paramount importance to backup the LUKS header and ideally set an backup password
 or utilise more than one FIDO2 device. Each additional credential and password combination will require it's own LUKS keyslot since the credential secret is randomly generated for each new credential and will thus result
 in a completly different secret.
 ## License
 Licensed under
 * Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
 ### Contribution
 Unless you explicitly state otherwise, any contribution intentionally
 submitted for inclusion in the work by you, as defined in the MPL 2.0
 license, shall be licensed as above, without any additional terms or
 conditions.
--- a/README_NEW.md
+++ b/README_NEW.md
@@ -0,0 +1,79 @@
 # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
 Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 ## Installation
 ### From Source
 Installing from source requires the following dependencies:
 Ubuntu: `cargo, libclang-dev, libcryptsetup-dev >= 2.2`
 Fedora: `cargo, clang-devel, cryptsetup-devel`
 To compile the fido2luks binary you can simply run `sudo cargo install --root /usr fido2luks` but since you may want to install the scripts included it this repo as well,
 it's recommended to clone the repo and install from there.
 ``
 git clone https://github.com/shimunn/fido2luks.git
 cargo install --root /usr --path fido2luks
 ``
 Continue with further instructions for [Ubuntu](initramfs-tools) or [Fedora](dracut)
 ### From Package
 Ubuntu: see [releases](https://github.com/shimunn/fido2luks/releases)
 NixOS: https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2
 ArchLinux: 
 * [AUR](https://aur.archlinux.org/packages/fido2luks/)
 * [Git](PKGBUILD)
 Fedora: coming soon
 ## Credentials
 Depending on the version of cryptsetup and the age of your installation your LUKS header might be in the LUKS2 format already if that's the case fido2luks will be able to spare you from dealing with just another config file by simply storeing all the required information within your LUKS header. 
 If your header is still using the LUKS1 format you may convert it:
 ```
 cryptsetup convert --type luks2 <device>
 ```
 if you want to keep using LUKS1 due to other software such as pam_mount not being compatible with LUKS2 at the moment, you will have to generate credentials by hand an add them to `/etc/fido2luks.conf` otherwise you can skip this step.
 ```
 fido2luks credential [optional name]
 ```
 the generated hexadecimal credential can then be added to `FIDO2LUKS_CREDENTIAL_ID=` in `/etc/fido2luks.conf` multiple credentials can be separated by comma.
 ## Adding a Key
 If you had to generate a credential in the previous step you'll have to provide it to the following commands as a parameter or via an environment variable:
 ```
 set -a
 . /etc/fido2luks.conf
 ```
 To then add the key you need to have your current password/keyfile ready:
 without having generated a credential in the previous step: `fido2luks -i add-key --gen-cred <device>`
 with a keyfile: `fido2luks -i add-key --keyfile <path-to-keyfile <device>`
 if you've confirmed at a later stage that everything works as expected you may want to remove your keyfile/password by running the previous commands with the `--exclusive` flag which will remove all other keys from the device.
 ## Replacing a Key
 with password: `fido2luks -i replace-key <device>`
 with keyfile: `fido2luks -i replace-key -d <path-to-keyfile> <device>`
 with another fido2 derived key: `fido2luks -i replace-key -f <device>`
--- a/build.rs
+++ b/build.rs
@@ -0,0 +1,28 @@
 #![allow(warnings)]
 #[macro_use]
 extern crate failure;
 extern crate ctap_hmac as ctap;
 #[path = "src/cli_args/mod.rs"]
 mod cli_args;
 #[path = "src/error.rs"]
 mod error;
 #[path = "src/util.rs"]
 mod util;
 use cli_args::Args;
 use std::env;
 use std::str::FromStr;
 use structopt::clap::Shell;
 use structopt::StructOpt;
 fn main() {
    // generate completion scripts, zsh does panic for some reason
    for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
        Args::clap().gen_completions(
            env!("CARGO_PKG_NAME"),
            Shell::from_str(shell).unwrap(),
            env!("CARGO_MANIFEST_DIR"),
        );
    }
 }
--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,62 @@
 {
  "nodes": {
    "naersk": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1639051343,
        "narHash": "sha256-62qARP+5Q0GmudcpuQHJP3/yXIgmUVoHR4orD/+FAC4=",
        "owner": "nmattia",
        "repo": "naersk",
        "rev": "ebde51ec0eec82dc71eaca03bc24cf8eb44a3d74",
        "type": "github"
      },
      "original": {
        "owner": "nmattia",
        "repo": "naersk",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1638109994,
        "narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "naersk": "naersk",
        "nixpkgs": "nixpkgs",
        "utils": "utils"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1638122382,
        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,63 @@
 {
  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
  inputs = {
    utils.url = "github:numtide/flake-utils";
    naersk = {
      url = "github:nmattia/naersk";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, utils, naersk }:
    let
      root = ./.;
      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
      forPkgs = pkgs:
        let
          naersk-lib = naersk.lib."${pkgs.system}";
          buildInputs = with pkgs; [ cryptsetup ];
          LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
          nativeBuildInputs = with pkgs; [
            pkgconfig
            clang
          ];
        in
        rec {
          # `nix build`
          packages.${pname} = naersk-lib.buildPackage {
            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
          };
          defaultPackage = packages.${pname};
          # `nix run`
          apps.${pname} = utils.lib.mkApp {
            drv = packages.${pname};
          };
          defaultApp = apps.${pname};
          # `nix flake check`
          checks = {
            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
              cd ${root}
              cargo fmt -- --check
              nixpkgs-fmt --check *.nix
              touch $out
            '';
          };
          hydraJobs = checks // packages;
          # `nix develop`
          devShell = pkgs.mkShell {
            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
            inherit buildInputs LIBCLANG_PATH;
          };
        };
      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
    in
    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
      overlay = final: prev: (forPkgs final).packages;
    };
 }
--- a/initcpio/Makefile
+++ b/initcpio/Makefile
@@ -0,0 +1,18 @@
 .PHONY: install remove
 install:
 	install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
 	install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
 ifdef preset
 	mkinitcpio -p $(preset)
 else
 	mkinitcpio -P
 endif
 remove:
 	rm /usr/lib/initcpio/{hooks,install}/fido2luks
 ifdef preset
 	mkinitcpio -p $(preset)
 else
 	mkinitcpio -P
 endif
--- a/initcpio/README.md
+++ b/initcpio/README.md
@@ -0,0 +1,52 @@
 ## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
 > ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
 ### Setup
 1. Connect your FIDO2 authenticator
 2. Generate credential id
 ```shell
 fido2luks credential
 ```
 3. Generate salt (random string)
 ```shell
 pwgen 48 1
 ```
 4. Add key to your LUKS2 device
 ```shell
 fido2luks add-key -Pt --salt <salt> <block_device> <credential_id>
 ```
 `-P` - request PIN to unlock the authenticator  
 `-t` - add token (including credential id) to the LUKS2 header  
 `-e` - wipe all other keys  
 For the full list of options see `fido2luks add-key --help`
 5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
 Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
 ```shell
 cryptsetup luksDump <block_device>
 ```
 6. Add fido2luks hook to /etc/mkinitcpio.conf
 Before or instead of `encrypt` hook, for example:
 ```shell
 HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
 ```
 7. Recreate initial ramdisk
 ```shell
 mkinitcpio -p <preset>
 ```
--- a/initcpio/fido2luks.conf
+++ b/initcpio/fido2luks.conf
@@ -0,0 +1,18 @@
 # Set credential *ONLY IF* it's not embedded in the LUKS2 header
 FIDO2LUKS_CREDENTIAL_ID=
 # Encrypted device and its name under /dev/mapper
 # Can be overridden by `cryptdevice` kernel parameter
 FIDO2LUKS_DEVICE=
 FIDO2LUKS_MAPPER_NAME=
 FIDO2LUKS_SALT=string:<salt>
 # Use specific keyslot (ignore all other slots)
 FIDO2LUKS_DEVICE_SLOT=
 # Await for an authenticator to be connected (in seconds)
 FIDO2LUKS_DEVICE_AWAIT=
 # Set to 1 if PIN is required to unlock the authenticator
 FIDO2LUKS_ASK_PIN=
--- a/initcpio/hooks/fido2luks
+++ b/initcpio/hooks/fido2luks
@@ -0,0 +1,55 @@
 #!/usr/bin/ash
 run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    . /etc/fido2luks.conf
    if [ -z "$cryptdevice" ]; then
        device="$FIDO2LUKS_DEVICE"
        dmname="$FIDO2LUKS_MAPPER_NAME"
    else
        IFS=: read cryptdev dmname _cryptoptions <<EOF
 $cryptdevice
 EOF
        if ! device=$(resolve_device "${cryptdev}" ${rootdelay}); then
            return 1
        fi
    fi
    options="--salt $FIDO2LUKS_SALT"
    if [ "$FIDO2LUKS_ASK_PIN" == 1 ]; then
        options="$options --pin"
    fi
    if [ -n "$FIDO2LUKS_DEVICE_SLOT" ]; then
        options="$options --slot $FIDO2LUKS_DEVICE_SLOT"
    fi
    if [ -n "$FIDO2LUKS_DEVICE_AWAIT" ]; then
        options="$options --await-dev $FIDO2LUKS_DEVICE_AWAIT"
    fi
    # HACK: /dev/tty is hardcoded in rpassword, but not accessible from the ramdisk
    # Temporary link it to /dev/tty1
    mv /dev/tty /dev/tty.back
    ln -s /dev/tty1 /dev/tty
    printf "\nAuthentication is required to access the $dmname volume at $device\n"
    if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ]; then
        fido2luks open-token $device $dmname $options
    else
        fido2luks open $device $dmname $FIDO2LUKS_CREDENTIAL_ID $options
    fi
    exit_code=$?
    # Restore /dev/tty
    mv /dev/tty.back /dev/tty
    if [ $exit_code -ne 0 ]; then
        printf '\n'
        read -s -p 'Press Enter to continue'
        printf '\n'
    fi
 }
--- a/initcpio/install/fido2luks
+++ b/initcpio/install/fido2luks
@@ -0,0 +1,31 @@
 #!/bin/bash
 build() {
    local mod
    add_module dm-crypt
    add_module dm-integrity
    if [[ $CRYPTO_MODULES ]]; then
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules /crypto/
    fi
    add_binary fido2luks
    add_binary dmsetup
    add_file /usr/lib/udev/rules.d/10-dm.rules
    add_file /usr/lib/udev/rules.d/13-dm-disk.rules
    add_file /usr/lib/udev/rules.d/95-dm-notify.rules
    add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
    add_file /etc/fido2luks.conf /etc/fido2luks.conf
    add_runscript
 }
 help() {
    cat <<HELPEOF
 This hook allows to decrypt LUKS2 partition using FIDO2 compatible authenticator
 HELPEOF
 }
--- a/initramfs-tools/Dockerfile
+++ b/initramfs-tools/Dockerfile
@@ -0,0 +1,15 @@
 FROM rust:bullseye
 RUN cargo install -f cargo-deb --debug --version 1.30.0
 ARG DEBIAN_FRONTEND=noninteractive
 RUN apt update && apt install -y cryptsetup pkg-config libclang-dev libcryptsetup-dev && mkdir -p /build/fido2luks
 WORKDIR /build/fido2luks
 ENV CARGO_TARGET_DIR=/build/fido2luks/target
 RUN cargo install fido2luks -f
 CMD bash -xc 'cp -rf /code/* /build/fido2luks && cargo-deb && cp target/debian/*.deb /out'
--- a/initramfs-tools/Makefile
+++ b/initramfs-tools/Makefile
@@ -0,0 +1,11 @@
 .PHONY: install
 install:
 	chmod +x hook/fido2luks.sh keyscript.sh
 	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
 	mkdir -p /usr/share/fido2luks
 	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
 	update-initramfs -u
 remove:
 	sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
 	rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
 	update-initramfs -u
--- a/initramfs-tools/README.md
+++ b/initramfs-tools/README.md
@@ -0,0 +1,34 @@
 ## Initramfs-tools based systems(Ubuntu and derivatives)
 For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
 ```
 sudo -s
 # Insert FIDO key.
 fido2luks credential
 # Tap FIDO key
 # Copy returned string <CREDENTIAL>
 nano /etc/fido2luks.conf
 # Insert <CREDENTIAL> 
 # FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL> 
 set -a
 . /etc/fido2luks.conf
 fido2luks -i add-key /dev/<LUKS PARTITION>
 # Current password: <Any current LUKS password>
 # Password: <Password used as FIDO challange>
 # Tap FIDO key
 nano /etc/crypttab
 # Append to end ",discard,initramfs,keyscript=fido2luks"
 # E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
 update-initramfs -u
 ```
 [Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
--- a/initramfs-tools/build-deb.sh
+++ b/initramfs-tools/build-deb.sh
@@ -0,0 +1,9 @@
 #!/usr/bin/env bash
 set -ex
 docker build . -t fido2luks-deb
 mkdir -p debs
 docker run -ti -v "$(pwd)/..:/code:ro" -v "$(pwd)/debs:/out" fido2luks-deb
--- a/initramfs-tools/fido2luks.conf
+++ b/initramfs-tools/fido2luks.conf
@@ -0,0 +1,3 @@
 FIDO2LUKS_SALT=Ask
 #FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
 FIDO2LUKS_CREDENTIAL_ID=
--- a/initramfs-tools/hook/fido2luks.sh
+++ b/initramfs-tools/hook/fido2luks.sh
@@ -0,0 +1,14 @@
 #!/bin/sh
 case "$1" in
 prereqs)
 	echo ""
 	exit 0
 	;;
 esac
 . /usr/share/initramfs-tools/hook-functions
 copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
 copy_exec /usr/bin/fido2luks
 exit 0
--- a/initramfs-tools/keyscript.sh
+++ b/initramfs-tools/keyscript.sh
@@ -0,0 +1,10 @@
 #!/bin/sh
 set -a
 . /etc/fido2luks.conf
 if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
 	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
 fi
 fido2luks print-secret --bin "$CRYPTTAB_SOURCE" $([ "$FIDO2LUKS_USE_TOKEN" -eq 0 ] && printf "--disable-token")
--- a/initramfs-tools/setup.svg
+++ b/initramfs-tools/setup.svg
--- a/pam_mount/fido2luksmounthelper.sh
+++ b/pam_mount/fido2luksmounthelper.sh
@@ -0,0 +1,220 @@
 #!/bin/bash
 #
 # This is a rather minimal example Argbash potential
 # Example taken from http://argbash.readthedocs.io/en/stable/example.html
 #
 # ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
 # ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
 # ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
 # ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
 # ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
 # ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
 # ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
 # ARGBASH_GO()
 # needed because of Argbash --> m4_ignore([
 ### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
 # Argbash is a bash code generator used to get arguments parsing right.
 # Argbash is FREE SOFTWARE, see https://argbash.io for more info
 # Generated online by https://argbash.io/generate
 die()
 {
 	local _ret="${2:-1}"
 	test "${_PRINT_HELP:-no}" = yes && print_help >&2
 	echo "$1" >&2
 	exit "${_ret}"
 }
 begins_with_short_option()
 {
 	local first_option all_short_options='cdmash'
 	first_option="${1:0:1}"
 	test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
 }
 # THE DEFAULTS INITIALIZATION - POSITIONALS
 _positionals=()
 # THE DEFAULTS INITIALIZATION - OPTIONALS
 _arg_credentials_type=
 _arg_device=
 _arg_mount_point=
 _arg_ask_pin="off"
 _arg_salt=""
 print_help()
 {
 	printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
 	printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
 	printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
 	printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
 	printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
 	printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
 	printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
 	printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
 	printf '\t%s\n' "-h, --help: Prints help"
 }
 parse_commandline()
 {
 	_positionals_count=0
 	while test $# -gt 0
 	do
 		_key="$1"
 		case "$_key" in
 			-c|--credentials-type)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_credentials_type="$2"
 				shift
 				;;
 			--credentials-type=*)
 				_arg_credentials_type="${_key##--credentials-type=}"
 				;;
 			-c*)
 				_arg_credentials_type="${_key##-c}"
 				;;
 			-d|--device)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_device="$2"
 				shift
 				;;
 			--device=*)
 				_arg_device="${_key##--device=}"
 				;;
 			-d*)
 				_arg_device="${_key##-d}"
 				;;
 			-m|--mount-point)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_mount_point="$2"
 				shift
 				;;
 			--mount-point=*)
 				_arg_mount_point="${_key##--mount-point=}"
 				;;
 			-m*)
 				_arg_mount_point="${_key##-m}"
 				;;
 			-a|--no-ask-pin|--ask-pin)
 				_arg_ask_pin="on"
 				test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
 				;;
 			-a*)
 				_arg_ask_pin="on"
 				_next="${_key##-a}"
 				if test -n "$_next" -a "$_next" != "$_key"
 				then
 					{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
 				fi
 				;;
 			-s|--salt)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_salt="$2"
 				shift
 				;;
 			--salt=*)
 				_arg_salt="${_key##--salt=}"
 				;;
 			-s*)
 				_arg_salt="${_key##-s}"
 				;;
 			-h|--help)
 				print_help
 				exit 0
 				;;
 			-h*)
 				print_help
 				exit 0
 				;;
 			*)
 				_last_positional="$1"
 				_positionals+=("$_last_positional")
 				_positionals_count=$((_positionals_count + 1))
 				;;
 		esac
 		shift
 	done
 }
 handle_passed_args_count()
 {
 	local _required_args_string="'operation'"
 	test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
 	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
 }
 assign_positional_args()
 {
 	local _positional_name _shift_for=$1
 	_positional_names="_arg_operation "
 	shift "$_shift_for"
 	for _positional_name in ${_positional_names}
 	do
 		test $# -gt 0 || break
 		eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
 		shift
 	done
 }
 parse_commandline "$@"
 handle_passed_args_count
 assign_positional_args 1 "${_positionals[@]}"
 # OTHER STUFF GENERATED BY Argbash
 ### END OF CODE GENERATED BY Argbash (sortof) ### ])
 # [ <-- needed because of Argbash
 if [ -z ${_arg_mount_point} ]; then
  die "Missing '--mount-point' argument"
 fi
 if [ -z ${_arg_device} ]; then
  die "Missing '--device' argument"
 fi
 ASK_PIN=${_arg_ask_pin}
 OPERATION=${_arg_operation}
 DEVICE=${_arg_device}
 DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
 MOUNT_POINT=${_arg_mount_point}
 CREDENTIALS_TYPE=${_arg_credentials_type}
 SALT=${_arg_salt}
 CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
 if [ "${OPERATION}" == "mount" ]; then
 	if [ "${CREDENTIALS_TYPE}" == "external" ]; then
    if  [ -f ${CONF_FILE_PATH} ]; then
 			if [ "${ASK_PIN}" == "on" ]; then
 				read PASSWORD
 			fi
 			CREDENTIALS=$(<${CONF_FILE_PATH})
 		else
 			die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
 		fi
 		printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
 	elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
 		if [ "${ASK_PIN}" == "on" ]; then
 			read PASSWORD
 		fi
 		printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
 	else
 		die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
 	fi 
 	mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
 elif [ "${OPERATION}" == "umount" ]; then
  umount ${MOUNT_POINT}
  cryptsetup luksClose ${DEVICE_NAME}
 else
  die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
 fi
 exit 0
 # ] <-- needed because of Argbash
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -1,273 +1,515 @@
 use crate::error::*;
-use crate::luks;
+use crate::luks::{Fido2LuksToken, LuksDevice};
 use crate::util::sha256;
 use crate::*;
-
+pub use cli_args::Args;
 use cli_args::*;
 use ctap::{FidoCredential, FidoErrorKind};
 use std::borrow::Cow;
 use std::collections::HashSet;
 use std::io::Write;
 use std::iter::FromIterator;
 use std::path::Path;
 use std::str::FromStr;
 use std::thread;
 use std::time::Duration;
 use std::time::SystemTime;
 use structopt::clap::Shell;
 use structopt::StructOpt;
-use failure::_core::fmt::{Error, Formatter};
+fn read_pin() -> Fido2LuksResult<String> {
-use failure::_core::str::FromStr;
+    util::read_password_tty("Authenticator PIN", false)
-use failure::_core::time::Duration;
+}
 use std::io::Write;
-use std::process::exit;
+fn derive_secret(
-use std::thread;
+    credentials: &[HexEncoded],
-
+    salt: &[u8; 32],
-use std::time::SystemTime;
+    timeout: u64,
-#[derive(Debug, Eq, PartialEq, Clone)]
+    pin: Option<&str>,
-pub struct HexEncoded(Vec<u8>);
+) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
-
+    if credentials.is_empty() {
-impl std::fmt::Display for HexEncoded {
+        return Err(Fido2LuksError::InsufficientCredentials);
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
        f.write_str(&hex::encode(&self.0))
    }
-}
+    let timeout = Duration::from_secs(timeout);
    let start = SystemTime::now();
-impl FromStr for HexEncoded {
+    while let Ok(el) = start.elapsed() {
-    type Err = hex::FromHexError;
+        if el > timeout {
-
+            return Err(error::Fido2LuksError::NoAuthenticatorError);
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(HexEncoded(hex::decode(s)?))
    }
 }
 #[derive(Debug, StructOpt)]
 pub struct Args {
    /// Request passwords via Stdin instead of using the password helper
    #[structopt(short = "i", long = "interactive")]
    pub interactive: bool,
    #[structopt(subcommand)]
    pub command: Command,
 }
 #[derive(Debug, StructOpt, Clone)]
 pub struct SecretGeneration {
    /// FIDO credential id, generate using fido2luks credential
    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
    pub credential_id: HexEncoded,
    /// Salt for secret generation, defaults to 'ask'
    ///
    /// Options:{n}
    ///  - ask              : Prompt user using password helper{n}
    ///  - file:<PATH>      : Will read <FILE>{n}
    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
    #[structopt(
        name = "salt",
        long = "salt",
        env = "FIDO2LUKS_SALT",
        default_value = "ask"
    )]
    pub salt: InputSalt,
    /// Script used to obtain passwords, overridden by --interactive flag
    #[structopt(
        name = "password-helper",
        env = "FIDO2LUKS_PASSWORD_HELPER",
        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
    )]
    pub password_helper: PasswordHelper,
    /// Await for an authenticator to be connected, timeout after n seconds
    #[structopt(
        long = "await-dev",
        name = "await-dev",
        env = "FIDO2LUKS_DEVICE_AWAIT",
        default_value = "15"
    )]
    pub await_authenticator: u64,
 }
 impl SecretGeneration {
    pub fn patch(&self, args: &Args) -> Self {
        let mut me = self.clone();
        if args.interactive {
            me.password_helper = PasswordHelper::Stdin;
        }
-        me
+        if get_devices()
-    }
+            .map(|devices| !devices.is_empty())
-
+            .unwrap_or(false)
-    pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
+        {
-        let salt = self.salt.obtain(&self.password_helper)?;
+            break;
        let timeout = Duration::from_secs(self.await_authenticator);
        let start = SystemTime::now();
        while let Ok(el) = start.elapsed() {
            if el > timeout {
                Err(error::Fido2LuksError::NoAuthenticatorError)?;
            }
            if get_devices()
                .map(|devices| !devices.is_empty())
                .unwrap_or(false)
            {
                break;
            }
            thread::sleep(Duration::from_millis(500));
        }
-        Ok(assemble_secret(
+        thread::sleep(Duration::from_millis(500));
            &perform_challenge(&self.credential_id.0, &salt)?,
            &salt,
        ))
    }
    let credentials = credentials
        .iter()
        .map(|hex| FidoCredential {
            id: hex.0.clone(),
            public_key: None,
        })
        .collect::<Vec<_>>();
    let credentials = credentials.iter().collect::<Vec<_>>();
    let (unsalted, cred) =
        perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
    let binary = sha256(&[salt, &unsalted[..]]);
    Ok((binary, cred.clone()))
 }
-#[derive(Debug, StructOpt)]
+pub fn extend_creds_device(
-pub enum Command {
+    creds: &[HexEncoded],
-    #[structopt(name = "print-secret")]
+    luks_dev: &mut LuksDevice,
-    PrintSecret {
+) -> Fido2LuksResult<Vec<HexEncoded>> {
-        /// Prints the secret as binary instead of hex encoded
+    let mut additional = HashSet::new();
-        #[structopt(short = "b", long = "bin")]
+    additional.extend(creds.iter().cloned());
-        binary: bool,
+    for token in luks_dev.tokens()? {
-        #[structopt(flatten)]
+        for cred in token?.1.credential {
-        secret_gen: SecretGeneration,
+            let parsed = HexEncoded::from_str(cred.as_str()).map_err(|_e| {
-    },
+                Fido2LuksError::HexEncodingError {
-    /// Adds a generated key to the specified LUKS device
+                    string: cred.clone(),
-    #[structopt(name = "add-key")]
+                }
-    AddKey {
+            })?;
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
+            additional.insert(parsed);
-        device: PathBuf,
+        }
-        /// Will wipe all other keys
+    }
-        #[structopt(short = "e", long = "exclusive")]
+    Ok(Vec::from_iter(additional.into_iter()))
-        exclusive: bool,
+}
-        /// Use a keyfile instead of typing a previous password
+
-        #[structopt(short = "d", long = "keyfile")]
+pub fn get_input(
-        keyfile: Option<PathBuf>,
+    secret: &SecretParameters,
-        #[structopt(flatten)]
+    authenticator: &AuthenticatorParameters,
-        secret_gen: SecretGeneration,
+    interactive: bool,
-    },
+    q: &str,
-    /// Replace a previously added key with a password
+    verify: bool,
-    #[structopt(name = "replace-key")]
+) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
-    ReplaceKey {
+    let password_helper = secret
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        .password_helper
-        device: PathBuf,
+        .as_ref()
-        /// Add the password and keep the key
+        .map(|helper| move || helper.obtain());
-        #[structopt(short = "a", long = "add-password")]
+    let salt = &secret.salt;
-        add_password: bool,
+    Ok(if interactive {
-        /// Use a keyfile instead of typing a previous password
+        (
-        #[structopt(short = "d", long = "keyfile")]
+            if authenticator.pin && may_require_pin()? {
-        keyfile: Option<PathBuf>,
+                Some(read_pin()?)
-        #[structopt(flatten)]
+            } else {
-        secret_gen: SecretGeneration,
+                None
-    },
+            },
-    /// Open the LUKS device
+            salt.obtain_sha256(Some(|| util::read_password_tty(q, verify)))?,
-    #[structopt(name = "open")]
+        )
-    Open {
+    } else {
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        match (
-        device: PathBuf,
+            authenticator.pin && may_require_pin()?,
-        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+            authenticator.pin_prefixed,
-        name: String,
+        ) {
-        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+            (true, false) => (Some(read_pin()?), salt.obtain_sha256(password_helper)?),
-        retries: i32,
+            (true, true) => read_password_pin_prefixed(|| {
-        #[structopt(flatten)]
+                salt.obtain(password_helper).and_then(|secret| {
-        secret_gen: SecretGeneration,
+                    String::from_utf8(secret).map_err(|e| Fido2LuksError::from(e))
-    },
+                })
-    /// Generate a new FIDO credential
+            })?,
-    #[structopt(name = "credential")]
+            (false, _) => (None, salt.obtain_sha256(password_helper)?),
-    Credential {
+        }
-        /// Name to be displayed on the authenticator if it has a display
+    })
-        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
+}
-        name: Option<String>,
+
-    },
+pub fn read_password_pin_prefixed(
-    /// Check if an authenticator is connected
+    prefixed: impl Fn() -> Fido2LuksResult<String>,
-    #[structopt(name = "connected")]
+) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
-    Connected,
+    let read = prefixed()?;
    let separator = ':';
    let mut parts = read.split(separator);
    let pin = parts.next().filter(|p| p.len() > 0).map(|p| p.to_string());
    let password = match pin {
        Some(ref pin) if read.len() > pin.len() => {
            read.chars().skip(pin.len() + 1).collect::<String>()
        }
        Some(_) => String::new(),
        _ => read
            .chars()
            .skip(read.chars().next().map(|c| c == separator).unwrap_or(false) as usize)
            .collect::<String>(),
    };
    Ok((pin, util::sha256(&[password.as_bytes()])))
 }
 /// generate an more readable name from common paths
 pub fn derive_credential_name(path: &Path) -> String {
    match path.file_name() {
        Some(name)
            if path
                .iter()
                .any(|p| p == "by-label" || p == "by-partlabel" || p == "by-uuid") =>
        {
            name.to_string_lossy().as_ref().to_string()
        }
        _ => path.display().to_string(),
    }
 }
 pub fn parse_cmdline() -> Args {
    Args::from_args()
 }
 pub fn prompt_interaction(interactive: bool) {
    if interactive {
        println!("Authorize using your FIDO device");
    }
 }
 pub fn run_cli() -> Fido2LuksResult<()> {
    let mut stdout = io::stdout();
    let args = parse_cmdline();
    let log = |message: &dyn Fn() -> String| {
        if args.verbose {
            eprintln!("{}", &*message());
        }
    };
    let interactive = args.interactive;
    match &args.command {
-        Command::Credential { name } => {
+        Command::Credential {
-            let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()))?;
+            authenticator,
            name,
        } => {
            let pin_string;
            let pin = if authenticator.pin && may_require_pin()? {
                pin_string = read_pin()?;
                Some(pin_string.as_ref())
            } else {
                None
            };
            let cred = make_credential_id(Some(name.as_ref()), pin)?;
            println!("{}", hex::encode(&cred.id));
            Ok(())
        }
        Command::PrintSecret {
            binary,
-            ref secret_gen,
+            authenticator,
            credentials,
            secret,
            device,
        } => {
-            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let (pin, salt) =
-            if *binary {
+                get_input(&secret, &authenticator, args.interactive, "Password", false)?;
-                stdout.write(&secret[..])?;
+            let credentials = if let Some(path) = device {
                let mut dev = LuksDevice::load(path)?;
                let luks2 = dev.is_luks2()?;
                log(&|| format!("luks2 supported: {}", luks2));
                extend_creds_device(
                    credentials
                        .ids
                        .clone()
                        .map(|cs| cs.0)
                        .unwrap_or_default()
                        .as_slice(),
                    &mut dev,
                )?
            } else {
-                stdout.write(hex::encode(&secret[..]).as_bytes())?;
+                credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
            };
            log(&|| {
                format!(
                    "credentials: {}",
                    credentials
                        .iter()
                        .map(ToString::to_string)
                        .collect::<Vec<_>>()
                        .join(", ")
                )
            });
            prompt_interaction(interactive);
            let (secret, cred) = derive_secret(
                &credentials,
                &salt,
                authenticator.await_time,
                pin.as_deref(),
            )?;
            log(&|| format!("credential used: {}", hex::encode(&cred.id)));
            if *binary {
                stdout.write_all(&secret[..])?;
            } else {
                stdout.write_all(hex::encode(&secret[..]).as_bytes())?;
            }
            Ok(stdout.flush()?)
        }
        Command::AddKey {
-            device,
+            luks,
-            exclusive,
+            authenticator,
-            keyfile,
+            credentials,
-            ref secret_gen,
+            secret,
-        } => {
+            luks_mod,
-            let secret = secret_gen.patch(&args).obtain_secret()?;
+            existing_secret: other_secret,
-            let old_secret = if let Some(keyfile) = keyfile.clone() {
+            ..
                util::read_keyfile(keyfile.clone())
            } else {
                util::read_password("Old password", false).map(|p| p.as_bytes().to_vec())
            }?;
            let added_slot = luks::add_key(device.clone(), &secret, &old_secret[..], Some(10))?;
            if *exclusive {
                let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
                println!(
                    "Added to key to device {}, slot: {}\nRemoved {} old keys",
                    device.display(),
                    added_slot,
                    destroyed
                );
            } else {
                println!(
                    "Added to key to device {}, slot: {}",
                    device.display(),
                    added_slot
                );
            }
            Ok(())
        }
-        Command::ReplaceKey {
+        | Command::ReplaceKey {
-            device,
+            luks,
-            add_password,
+            authenticator,
-            keyfile,
+            credentials,
-            ref secret_gen,
+            secret,
            luks_mod,
            replacement: other_secret,
            ..
        } => {
-            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let mut luks_dev = LuksDevice::load(&luks.device)?;
-            let new_secret = if let Some(keyfile) = keyfile.clone() {
+
-                util::read_keyfile(keyfile.clone())
+            let luks2 = luks_dev.is_luks2()?;
            log(&|| format!("luks2 supported: {}", luks2));
            let credentials = if !luks.disable_token && luks2 {
                extend_creds_device(
                    credentials
                        .ids
                        .clone()
                        .map(|cs| cs.0)
                        .unwrap_or_default()
                        .as_slice(),
                    &mut luks_dev,
                )?
            } else {
-                util::read_password("Password to add", *add_password).map(|p| p.as_bytes().to_vec())
+                credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
-            }?;
+            };
-            let slot = if *add_password {
+            log(&|| {
-                luks::add_key(device, &new_secret[..], &secret, None)
+                format!(
-            } else {
+                    "credentials: {}",
-                luks::replace_key(device, &new_secret[..], &secret, Some(5))
+                    credentials
-            }?;
+                        .iter()
-            println!(
+                        .map(ToString::to_string)
-                "Added to password to device {}, slot: {}",
+                        .collect::<Vec<_>>()
-                device.display(),
+                        .join(", ")
-                slot
+                )
-            );
+            });
-            Ok(())
+            let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
                get_input(&secret, &authenticator, args.interactive, q, verify)
            };
            let other_secret = |salt_q: &str,
                                verify: bool|
             -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
                match other_secret {
                    OtherSecret {
                        keyfile: Some(file),
                        ..
                    } => Ok((util::read_keyfile(file)?, None)),
                    OtherSecret {
                        fido_device: true, ..
                    } => {
                        let (pin, salt) = inputs(salt_q, verify)?;
                        prompt_interaction(interactive);
                        Ok(derive_secret(
                            &credentials,
                            &salt,
                            authenticator.await_time,
                            pin.as_deref(),
                        )
                        .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
                    }
                    _ => Ok((
                        util::read_password_tty(salt_q, verify)?.as_bytes().to_vec(),
                        None,
                    )),
                }
            };
            let secret = |q: &str,
                          verify: bool,
                          credentials: &[HexEncoded]|
             -> Fido2LuksResult<([u8; 32], FidoCredential)> {
                let (pin, salt) = inputs(q, verify)?;
                prompt_interaction(interactive);
                derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
            };
            // Non overlap
            match &args.command {
                Command::AddKey {
                    exclusive,
                    generate_credential,
                    ..
                } => {
                    let (existing_secret, _) = other_secret("Current password", false)?;
                    let (new_secret, cred) = if *generate_credential && luks2 {
                        let cred = make_credential_id(
                            Some(derive_credential_name(luks.device.as_path()).as_str()),
                            (if authenticator.pin && may_require_pin()? {
                                //TODO: not ideal since it ignores pin-prefixed
                                Some(read_pin()?)
                            } else {
                                None
                            })
                            .as_deref(),
                        )?;
                        log(&|| {
                            format!(
                                "generated credential: {}\ncredential username: {:?}",
                                hex::encode(&cred.id),
                                derive_credential_name(luks.device.as_path())
                            )
                        });
                        let creds = vec![HexEncoded(cred.id)];
                        secret("Password to be added", true, &creds)
                    } else {
                        secret("Password to be added", true, &credentials)
                    }?;
                    log(&|| format!("credential used: {}", hex::encode(&cred.id)));
                    let added_slot = luks_dev.add_key(
                        &new_secret,
                        &existing_secret[..],
                        luks_mod.kdf_time.or(Some(10)),
                        Some(&cred.id[..])
                            .filter(|_| !luks.disable_token || *generate_credential)
                            .filter(|_| luks2),
                    )?;
                    if *exclusive {
                        let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
                        println!(
                            "Added to key to device {}, slot: {}\nRemoved {} old keys",
                            luks.device.display(),
                            added_slot,
                            destroyed
                        );
                    } else {
                        println!(
                            "Added to key to device {}, slot: {}",
                            luks.device.display(),
                            added_slot
                        );
                    }
                    Ok(())
                }
                Command::ReplaceKey {
                    add_password,
                    remove_cred,
                    ..
                } => {
                    let (existing_secret, _prev_cred) =
                        secret("Current password", false, &credentials)?;
                    let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                    let slot = if *add_password {
                        luks_dev.add_key(
                            &replacement_secret[..],
                            &existing_secret,
                            luks_mod.kdf_time,
                            cred.as_ref()
                                .filter(|_| !luks.disable_token)
                                .filter(|_| luks2)
                                .map(|cred| &cred.id[..]),
                        )
                    } else {
                        let slot = luks_dev.replace_key(
                            &replacement_secret[..],
                            &existing_secret,
                            luks_mod.kdf_time,
                            cred.as_ref()
                                .filter(|_| !luks.disable_token)
                                .filter(|_| luks2)
                                .map(|cred| &cred.id[..]),
                        )?;
                        if *remove_cred && cred.is_none() {
                            luks_dev.remove_token_slot(slot)?;
                        }
                        Ok(slot)
                    }?;
                    if let Some(cred) = cred {
                        log(&|| format!("credential used: {}", hex::encode(&cred.id)));
                    }
                    println!(
                        "Added to password to device {}, slot: {}",
                        luks.device.display(),
                        slot
                    );
                    Ok(())
                }
                _ => unreachable!(),
            }
        }
        Command::Open {
-            device,
+            luks,
            authenticator,
            secret,
            name,
            credentials,
            retries,
-            ref secret_gen,
+            dry_run,
        } => {
            let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
                get_input(&secret, &authenticator, args.interactive, q, verify)
            };
            // Cow shouldn't be necessary
            let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
                let (pin, salt) = inputs("Password", false)?;
                prompt_interaction(interactive);
                derive_secret(
                    credentials.as_ref(),
                    &salt,
                    authenticator.await_time,
                    pin.as_deref(),
                )
            };
            let mut retries = *retries;
            let mut luks_dev = LuksDevice::load(&luks.device)?;
            let luks2 = luks_dev.is_luks2()?;
            log(&|| format!("luks2 supported: {}", luks2));
            loop {
-                let secret = secret_gen.patch(&args).obtain_secret()?;
+                let slot = if let Some(ref credentials) = credentials.ids {
-                match luks::open_container(&device, &name, &secret) {
+                    log(&|| {
-                    Err(e) => match e {
+                        format!(
-                        Fido2LuksError::WrongSecret if retries > 0 => {
+                            "credentials: {}",
-                            retries -= 1;
+                            credentials
-                            eprintln!("{}", e);
+                                .0
-                            continue;
+                                .iter()
-                        }
+                                .map(ToString::to_string)
-                        e => Err(e)?,
+                                .collect::<Vec<_>>()
-                    },
+                                .join(", ")
-                    res => break res,
+                        )
                    });
                    secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
                        log(&|| format!("credential used: {}", hex::encode(&cred.id)));
                        luks_dev.activate(&name, &secret, luks.slot, *dry_run)
                    })
                } else if luks2 && !luks.disable_token {
                    luks_dev.activate_token(
                        &name,
                        Box::new(|credentials: Vec<String>| {
                            log(&|| format!("credentials: {}", credentials.join(", ")));
                            let creds = credentials
                                .into_iter()
                                .flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
                                .collect::<Vec<_>>();
                            secret(Cow::Owned(creds)).map(|(secret, cred)| {
                                log(&|| format!("credential used: {}", hex::encode(&cred.id)));
                                (secret, hex::encode(&cred.id))
                            })
                        }),
                        luks.slot,
                        *dry_run,
                    )
                } else if luks_dev.is_luks2()? && luks.disable_token {
                    // disable-token is mostly cosmetic in this instance
                    return Err(Fido2LuksError::InsufficientCredentials);
                } else {
                    return Err(Fido2LuksError::WrongSecret);
                };
                match slot {
                    Err(e) => {
                        match e {
                            Fido2LuksError::WrongSecret if retries > 0 => {}
                            Fido2LuksError::AuthenticatorError { ref cause }
                                if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
                            e => return Err(e),
                        };
                        retries -= 1;
                        eprintln!("{}", e);
                    }
                    Ok(slot) => {
                        log(&|| format!("keyslot: {}", slot));
                        break Ok(());
                    }
                }
            }
        }
@@ -278,5 +520,189 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            }
            _ => exit(1),
        },
        Command::Token(cmd) => match cmd {
            TokenCommand::List {
                device,
                csv: dump_credentials,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut creds = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    for cred in token.credential.iter() {
                        if !creds.contains(cred) {
                            creds.push(cred.clone());
                            if *dump_credentials {
                                print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
                            }
                        }
                    }
                    if *dump_credentials {
                        continue;
                    }
                    println!(
                        "{}:\n\tSlots: {}\n\tCredentials: {}",
                        id,
                        if token.keyslots.is_empty() {
                            "None".into()
                        } else {
                            token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
                        },
                        token
                            .credential
                            .iter()
                            .map(|cred| format!(
                                "{} ({})",
                                cred,
                                creds.iter().position(|c| c == cred).unwrap().to_string()
                            ))
                            .collect::<Vec<_>>()
                            .join(",")
                    );
                }
                if *dump_credentials {
                    println!();
                }
                Ok(())
            }
            TokenCommand::Add {
                device,
                credentials,
                slot,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut tokens = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if token.keyslots.contains(&slot.to_string()) {
                        tokens.push((id, token));
                    }
                }
                let count = if tokens.is_empty() {
                    dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?;
                    1
                } else {
                    tokens.len()
                };
                for (id, mut token) in tokens {
                    token
                        .credential
                        .extend(credentials.0.iter().map(|h| h.to_string()));
                    dev.update_token(id, &token)?;
                }
                println!("Updated {} tokens", count);
                Ok(())
            }
            TokenCommand::Remove {
                device,
                credentials,
                token_id,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut tokens = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if let Some(token_id) = token_id {
                        if id == *token_id {
                            tokens.push((id, token));
                        }
                    } else {
                        tokens.push((id, token));
                    }
                }
                let count = tokens.len();
                for (id, mut token) in tokens {
                    token.credential = token
                        .credential
                        .into_iter()
                        .filter(|cred| !credentials.0.iter().any(|h| &h.to_string() == cred))
                        .collect();
                    dev.update_token(id, &token)?;
                }
                println!("Updated {} tokens", count);
                Ok(())
            }
            TokenCommand::GC { device } => {
                let mut dev = LuksDevice::load(device)?;
                let mut creds: HashSet<String> = HashSet::new();
                let mut remove = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if token.keyslots.is_empty() || token.credential.is_empty() {
                        creds.extend(token.credential);
                        remove.push(id);
                    }
                }
                for id in remove.iter().rev() {
                    dev.remove_token(*id)?;
                }
                println!(
                    "Removed {} tokens, affected credentials: {}",
                    remove.len(),
                    creds.into_iter().collect::<Vec<_>>().join(",")
                );
                Ok(())
            }
        },
        Command::GenerateCompletions { shell, out_dir } => {
            // zsh won't work atm https://github.com/clap-rs/clap/issues/1822
            if let Some(s) = shell {
                if s.as_str() == "zsh" {
                    unimplemented!("zsh completions are broken atm: see https://github.com/clap-rs/clap/issues/1822")
                }
            }
            for variant in Shell::variants().iter().filter(|v| *v != &"zsh") {
                if let Some(s) = shell {
                    if *variant != s.as_str() {
                        break;
                    }
                }
                Args::clap().gen_completions(
                    env!("CARGO_PKG_NAME"),
                    Shell::from_str(variant)
                        .expect("structopt shouldn't allow us to reach this point"),
                    &out_dir,
                );
            }
            Ok(())
        }
    }
 }
 #[cfg(test)]
 mod test {
    use super::*;
    #[test]
    fn test_read_password_pin_prefixed() {
        // 1234:test -> PIN: 1234, password: test
        assert_eq!(
            read_password_pin_prefixed(|| Ok("1234:test".into())).unwrap(),
            (Some("1234".to_string()), util::sha256(&["test".as_bytes()]))
        );
        // :test -> PIN: None, password: test
        assert_eq!(
            read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
            (None, util::sha256(&["test".as_bytes()]))
        );
        // 1234::test -> PIN: 1234, password: :test
        assert_eq!(
            read_password_pin_prefixed(|| Ok("1234::test".into())).unwrap(),
            (
                Some("1234".to_string()),
                util::sha256(&[":test".as_bytes()])
            )
        );
        // 1234 -> PIN: 1234, password: empty
        assert_eq!(
            read_password_pin_prefixed(|| Ok("1234".into())).unwrap(),
            (Some("1234".to_string()), util::sha256(&["".as_bytes()]))
        );
        // 1234:test -> PIN: None, password: test
        assert_eq!(
            read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
            (None, util::sha256(&["test".as_bytes()]))
        );
    }
 }
--- a/src/cli_args/config.rs
+++ b/src/cli_args/config.rs
@@ -7,36 +7,37 @@ use std::fs::File;
 use std::io::Read;
 use std::path::PathBuf;
 use std::process::Command;
 use std::process::Stdio;
 use std::str::FromStr;
 #[derive(Debug, Clone, PartialEq)]
-pub enum InputSalt {
+pub enum SecretInput {
    AskPassword,
    String(String),
    File { path: PathBuf },
 }
-impl Default for InputSalt {
+impl Default for SecretInput {
    fn default() -> Self {
-        InputSalt::AskPassword
+        SecretInput::AskPassword
    }
 }
-impl From<&str> for InputSalt {
+impl From<&str> for SecretInput {
    fn from(s: &str) -> Self {
-        let mut parts = s.split(":").into_iter();
+        let mut parts = s.split(':');
        match parts.next() {
-            Some("ask") | Some("Ask") => InputSalt::AskPassword,
+            Some("ask") | Some("Ask") => SecretInput::AskPassword,
-            Some("file") => InputSalt::File {
+            Some("file") => SecretInput::File {
                path: parts.collect::<Vec<_>>().join(":").into(),
            },
-            Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")),
+            Some("string") => SecretInput::String(parts.collect::<Vec<_>>().join(":")),
            _ => Self::default(),
        }
    }
 }
-impl FromStr for InputSalt {
+impl FromStr for SecretInput {
    type Err = Fido2LuksError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
@@ -44,21 +45,54 @@ impl FromStr for InputSalt {
    }
 }
-impl fmt::Display for InputSalt {
+impl fmt::Display for SecretInput {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
        f.write_str(&match self {
-            InputSalt::AskPassword => "ask".to_string(),
+            SecretInput::AskPassword => "ask".to_string(),
-            InputSalt::String(s) => ["string", s].join(":"),
+            SecretInput::String(s) => ["string", s].join(":"),
-            InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"),
+            SecretInput::File { path } => ["file", path.display().to_string().as_str()].join(":"),
        })
    }
 }
-impl InputSalt {
+impl SecretInput {
-    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
+    pub fn obtain_string(
        &self,
        password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
    ) -> Fido2LuksResult<String> {
        Ok(String::from_utf8(self.obtain(password_helper)?)?)
    }
    pub fn obtain(
        &self,
        password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
    ) -> Fido2LuksResult<Vec<u8>> {
        let mut secret = Vec::new();
        match self {
            SecretInput::File { path } => {
                //TODO: replace with try_blocks
                let mut do_io = || File::open(path)?.read_to_end(&mut secret);
                do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
            }
            SecretInput::AskPassword => secret.extend_from_slice(
                password_helper.ok_or_else(|| Fido2LuksError::AskPassError {
                    cause: AskPassError::FailedHelper,
                })?()?
                .as_bytes(),
            ),
            SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
        }
        Ok(secret)
    }
    pub fn obtain_sha256(
        &self,
        password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
    ) -> Fido2LuksResult<[u8; 32]> {
        let mut digest = digest::Context::new(&digest::SHA256);
        match self {
-            InputSalt::File { path } => {
+            SecretInput::File { path } => {
                let mut do_io = || {
                    let mut reader = File::open(path)?;
                    let mut buf = [0u8; 512];
@@ -73,10 +107,7 @@ impl InputSalt {
                };
                do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
            }
-            InputSalt::AskPassword => {
+            _ => digest.update(self.obtain(password_helper)?.as_slice()),
                digest.update(password_helper.obtain()?.as_bytes());
            }
            InputSalt::String(s) => digest.update(s.as_bytes()),
        }
        let mut salt = [0u8; 32];
        salt.as_mut().copy_from_slice(digest.finish().as_ref());
@@ -84,9 +115,10 @@ impl InputSalt {
    }
 }
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq, Eq)]
 pub enum PasswordHelper {
    Script(String),
    #[allow(dead_code)]
    Systemd,
    Stdin,
 }
@@ -132,12 +164,13 @@ impl PasswordHelper {
        use PasswordHelper::*;
        match self {
            Systemd => unimplemented!(),
-            Stdin => Ok(util::read_password("Password", true)?),
+            Stdin => Ok(util::read_password("Password", true, false)?),
            Script(password_helper) => {
-                let mut helper_parts = password_helper.split(" ");
+                let password = Command::new("sh")
-
+                    .arg("-c")
-                let password = Command::new((&mut helper_parts).next().unwrap())
+                    .arg(&password_helper)
-                    .args(helper_parts)
+                    .stdin(Stdio::inherit())
                    .stderr(Stdio::inherit())
                    .output()
                    .map_err(|e| Fido2LuksError::AskPassError {
                        cause: error::AskPassError::IO(e),
@@ -157,24 +190,30 @@ mod test {
    #[test]
    fn input_salt_from_str() {
        assert_eq!(
-            "file:/tmp/abc".parse::<InputSalt>().unwrap(),
+            "file:/tmp/abc".parse::<SecretInput>().unwrap(),
-            InputSalt::File {
+            SecretInput::File {
                path: "/tmp/abc".into()
            }
        );
        assert_eq!(
-            "string:abc".parse::<InputSalt>().unwrap(),
+            "string:abc".parse::<SecretInput>().unwrap(),
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
        );
        assert_eq!(
            "ask".parse::<SecretInput>().unwrap(),
            SecretInput::AskPassword
        );
        assert_eq!(
            "lol".parse::<SecretInput>().unwrap(),
            SecretInput::default()
        );
        assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
        assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
    }
    #[test]
    fn input_salt_obtain() {
        assert_eq!(
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
-                .obtain(&PasswordHelper::Stdin)
+                .obtain_sha256(Some(|| Ok("123456".to_string())))
                .unwrap(),
            [
                186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,
--- a/src/cli_args/mod.rs
+++ b/src/cli_args/mod.rs
@@ -0,0 +1,320 @@
 use std::fmt::{Display, Error, Formatter};
 use std::hash::{Hash, Hasher};
 use std::path::PathBuf;
 use std::str::FromStr;
 use structopt::clap::{AppSettings, Shell};
 use structopt::StructOpt;
 mod config;
 pub use config::*;
 #[derive(Debug, Eq, PartialEq, Clone)]
 pub struct HexEncoded(pub Vec<u8>);
 impl Display for HexEncoded {
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
        f.write_str(&hex::encode(&self.0))
    }
 }
 impl AsRef<[u8]> for HexEncoded {
    fn as_ref(&self) -> &[u8] {
        &self.0[..]
    }
 }
 impl FromStr for HexEncoded {
    type Err = hex::FromHexError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(HexEncoded(hex::decode(s)?))
    }
 }
 impl Hash for HexEncoded {
    fn hash<H: Hasher>(&self, state: &mut H) {
        self.0.hash(state)
    }
 }
 #[derive(Debug, Eq, PartialEq, Clone)]
 pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
 impl<T: Display + FromStr> Display for CommaSeparated<T> {
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
        for i in &self.0 {
            f.write_str(&i.to_string())?;
            f.write_str(",")?;
        }
        Ok(())
    }
 }
 impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
    type Err = <T as FromStr>::Err;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(CommaSeparated(
            s.split(',')
                .map(|part| <T as FromStr>::from_str(part))
                .collect::<Result<Vec<_>, _>>()?,
        ))
    }
 }
 #[derive(Debug, StructOpt)]
 pub struct Credentials {
    /// FIDO credential ids, separated by ',' generate using fido2luks credential
    #[structopt(
        name = "credential-ids",
        env = "FIDO2LUKS_CREDENTIAL_ID",
        short = "c",
        long = "creds"
    )]
    pub ids: Option<CommaSeparated<HexEncoded>>,
 }
 #[derive(Debug, StructOpt)]
 pub struct AuthenticatorParameters {
    /// Request a PIN to unlock the authenticator if required
    #[structopt(short = "P", long = "pin")]
    pub pin: bool,
    /// Request PIN and password combined `pin:password` when using an password helper
    #[structopt(long = "pin-prefixed")]
    pub pin_prefixed: bool,
    /// Await for an authenticator to be connected, timeout after n seconds
    #[structopt(
        long = "await-dev",
        name = "await-dev",
        env = "FIDO2LUKS_DEVICE_AWAIT",
        default_value = "15"
    )]
    pub await_time: u64,
 }
 #[derive(Debug, StructOpt)]
 pub struct LuksParameters {
    #[structopt(env = "FIDO2LUKS_DEVICE")]
    pub device: PathBuf,
    /// Try to unlock the device using a specifc keyslot, ignore all other slots
    #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
    pub slot: Option<u32>,
    /// Disable implicit use of LUKS2 tokens
    #[structopt(
        long = "disable-token",
    //  env = "FIDO2LUKS_DISABLE_TOKEN" // unfortunately clap will convert flags into args if they have an env attribute
    )]
    pub disable_token: bool,
 }
 #[derive(Debug, StructOpt, Clone)]
 pub struct LuksModParameters {
    /// Number of milliseconds required to derive the volume decryption key
    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
    #[structopt(long = "kdf-time", name = "kdf-time", env = "FIDO2LUKS_KDF_TIME")]
    pub kdf_time: Option<u64>,
 }
 #[derive(Debug, StructOpt)]
 pub struct SecretParameters {
    /// Salt for secret generation, defaults to 'ask'
    ///
    /// Options:{n}
    ///  - ask              : Prompt user using password helper{n}
    ///  - file:<PATH>      : Will read <FILE>{n}
    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
    #[structopt(
        name = "salt",
        long = "salt",
        env = "FIDO2LUKS_SALT",
        default_value = "ask"
    )]
    pub salt: SecretInput,
    /// Script used to obtain passwords, overridden by --interactive flag
    #[structopt(
        name = "password-helper",
        env = "FIDO2LUKS_PASSWORD_HELPER",
        long = "password-helper"
    )]
    pub password_helper: Option<PasswordHelper>,
 }
 #[derive(Debug, StructOpt)]
 pub struct Args {
    /// Request passwords via Stdin instead of using the password helper
    #[structopt(short = "i", long = "interactive")]
    pub interactive: bool,
    #[structopt(short = "v", long = "verbose")]
    pub verbose: bool,
    #[structopt(subcommand)]
    pub command: Command,
 }
 #[derive(Debug, StructOpt, Clone)]
 pub struct OtherSecret {
    /// Use a keyfile instead of a password
    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
    pub keyfile: Option<PathBuf>,
    /// Use another fido device instead of a password
    /// Note: this requires for the credential for the other device to be passed as argument as well
    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
    pub fido_device: bool,
 }
 #[derive(Debug, StructOpt)]
 pub enum Command {
    #[structopt(name = "print-secret")]
    PrintSecret {
        // version 0.3.0 will store use the lower case ascii encoded hex string making binary output unnecessary
        /// Prints the secret as binary instead of hex encoded
        #[structopt(hidden = true, short = "b", long = "bin")]
        binary: bool,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        /// Load credentials from LUKS header
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: Option<PathBuf>,
    },
    /// Adds a generated key to the specified LUKS device
    #[structopt(name = "add-key")]
    AddKey {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        /// Will wipe all other keys
        #[structopt(short = "e", long = "exclusive")]
        exclusive: bool,
        /// Will generate an credential while adding a new key to this LUKS device if supported
        #[structopt(short = "g", long = "gen-cred")]
        generate_credential: bool,
        #[structopt(flatten)]
        existing_secret: OtherSecret,
        #[structopt(flatten)]
        luks_mod: LuksModParameters,
    },
    /// Replace a previously added key with a password
    #[structopt(name = "replace-key")]
    ReplaceKey {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        /// Add the password and keep the key
        #[structopt(short = "a", long = "add-password")]
        add_password: bool,
        /// Remove the affected credential from LUKS header
        #[structopt(short = "r", long = "remove-cred")]
        remove_cred: bool,
        #[structopt(flatten)]
        replacement: OtherSecret,
        #[structopt(flatten)]
        luks_mod: LuksModParameters,
    },
    /// Open the LUKS device
    #[structopt(name = "open", alias = "open-token")]
    Open {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
        name: String,
        #[structopt(flatten)]
        credentials: Credentials,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        #[structopt(short = "r", long = "max-retries", default_value = "0")]
        retries: i32,
        /// Perform the whole procedure without mounting the LUKS volume on success
        #[structopt(long = "dry-run")]
        dry_run: bool,
    },
    /// Generate a new FIDO credential
    #[structopt(name = "credential")]
    Credential {
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        /// Name to be displayed on the authenticator display
        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
        name: String,
    },
    /// Check if an authenticator is connected
    #[structopt(name = "connected")]
    Connected,
    Token(TokenCommand),
    /// Generate bash completion scripts
    /// Example: fido2luks completions --shell bash /usr/share/bash-completion/completions
    #[structopt(name = "completions", setting = AppSettings::Hidden)]
    GenerateCompletions {
        /// Shell to generate completions for
        #[structopt(short = "s", long = "shell",possible_values = &Shell::variants()[..])]
        shell: Option<String>,
        out_dir: PathBuf,
    },
 }
 ///LUKS2 token related operations
 #[derive(Debug, StructOpt)]
 pub enum TokenCommand {
    /// List all tokens associated with the specified device
    List {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        /// Dump all credentials as CSV
        #[structopt(long = "csv")]
        csv: bool,
    },
    /// Add credential to a keyslot
    Add {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        /// FIDO credential ids, separated by ',' generate using fido2luks credential
        #[structopt(
            name = "credential-ids",
            env = "FIDO2LUKS_CREDENTIAL_ID",
            short = "c",
            long = "creds"
        )]
        credentials: CommaSeparated<HexEncoded>,
        /// Slot to which the credentials will be added
        #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
        slot: u32,
    },
    /// Remove credentials from token(s)
    Remove {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        /// FIDO credential ids, separated by ',' generate using fido2luks credential
        #[structopt(
            name = "credential-ids",
            env = "FIDO2LUKS_CREDENTIAL_ID",
            short = "c",
            long = "creds"
        )]
        credentials: CommaSeparated<HexEncoded>,
        /// Token from which the credentials will be removed
        #[structopt(long = "token")]
        token_id: Option<u32>,
    },
    /// Remove all unassigned tokens
    GC {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
    },
 }
--- a/src/device.rs
+++ b/src/device.rs
@@ -1,91 +1,72 @@
 use crate::error::*;
 use crate::util::sha256;
 use crate::util;
 use ctap::{
-    self,
+    self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
-    extensions::hmac::{FidoHmacCredential, HmacExtension},
+    FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
    AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
    PublicKeyCredentialUserEntity,
 };
 use std::time::Duration;
-const RP_ID: &'static str = "fido2luks";
+const RP_ID: &str = "fido2luks";
-fn authenticator_options() -> Option<AuthenticatorOptions> {
+pub fn make_credential_id(
-    Some(AuthenticatorOptions {
+    name: Option<&str>,
-        uv: false, //TODO: should get this from config
+    pin: Option<&str>,
-        rk: true,
+) -> Fido2LuksResult<FidoCredential> {
-    })
+    let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
-}
+    if let Some(user_name) = name {
-
+        request = request.user_name(user_name);
 fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
    PublicKeyCredentialRpEntity {
        id: RP_ID,
        name: None,
        icon: None,
    }
-}
+    let request = request.build().unwrap();
-
+    let make_credential = |device: &mut FidoDevice| {
-fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
+        if let Some(pin) = pin.filter(|_| device.needs_pin()) {
-    PublicKeyCredentialUserEntity {
+            device.unlock(pin)?;
        id: &[0u8],
        name: name.unwrap_or(""),
        icon: None,
        display_name: name,
    }
 }
 pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
    let mut errs = Vec::new();
    match get_devices()? {
        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
        devs => {
            for mut dev in devs.into_iter() {
                match dev
                    .make_hmac_credential_full(
                        authenticator_rp(),
                        authenticator_user(name),
                        &[0u8; 32],
                        &[],
                        authenticator_options(),
                    )
                    .map(|cred| cred.into())
                {
                    //TODO: make credentials device specific
                    Ok(cred) => {
                        return Ok(cred);
                    }
                    Err(e) => {
                        errs.push(e);
                    }
                }
            }
        }
-    }
+        device.make_hmac_credential(&request)
    Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
 }
 pub fn perform_challenge(credential_id: &[u8], salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
    let cred = FidoHmacCredential {
        id: credential_id.to_vec(),
        rp_id: RP_ID.to_string(),
    };
-    let mut errs = Vec::new();
+    Ok(request_multiple_devices(
-    match get_devices()? {
+        get_devices()?
-        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
+            .iter_mut()
-        devs => {
+            .map(|device| (device, &make_credential)),
-            for mut dev in devs.into_iter() {
+        None,
-                match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
+    )?)
-                    Ok(secret) => {
+}
-                        return Ok(secret.0);
+
-                    }
+pub fn perform_challenge<'a>(
-                    Err(e) => {
+    credentials: &'a [&'a FidoCredential],
-                        errs.push(e);
+    salt: &[u8; 32],
-                    }
+    timeout: Duration,
-                }
+    pin: Option<&str>,
 ) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
    let request = FidoAssertionRequestBuilder::default()
        .rp_id(RP_ID)
        .credentials(credentials)
        .build()
        .unwrap();
    let get_assertion = |device: &mut FidoDevice| {
        if let Some(pin) = pin.filter(|_| device.needs_pin()) {
            device.unlock(pin)?;
        }
        device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
    };
    let (credential, (secret, _)) = request_multiple_devices(
        get_devices()?
            .iter_mut()
            .map(|device| (device, &get_assertion)),
        Some(timeout),
    )?;
    Ok((secret, credential))
 }
 pub fn may_require_pin() -> Fido2LuksResult<bool> {
    for di in ctap::get_devices()? {
        if let Ok(dev) = FidoDevice::new(&di) {
            if dev.needs_pin() {
                return Ok(true);
            }
        }
    }
-    Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
+    Ok(false)
 }
 pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
@@ -94,7 +75,7 @@ pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
        match FidoDevice::new(&di) {
            Err(e) => match e.kind() {
                FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
-                err => Err(FidoError::from(err))?,
+                err => return Err(FidoError::from(err).into()),
            },
            Ok(dev) => devices.push(dev),
        }
--- a/src/error.rs
+++ b/src/error.rs
@@ -1,5 +1,9 @@
 use ctap::FidoError;
 use libcryptsetup_rs::LibcryptErr;
 use std::io;
 use std::io::ErrorKind;
 use std::string::FromUtf8Error;
 use Fido2LuksError::*;
 pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
@@ -13,16 +17,22 @@ pub enum Fido2LuksError {
    AuthenticatorError { cause: ctap::FidoError },
    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
    NoAuthenticatorError,
-    #[fail(display = "luks err")]
+    #[fail(display = " {}", cause)]
-    LuksError {
+    CryptsetupError {
        cause: libcryptsetup_rs::LibcryptErr,
    },
-    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
+    #[fail(display = "{}", cause)]
    LuksError { cause: LuksError },
    #[fail(display = "{}", cause)]
    IoError { cause: io::Error },
    #[fail(display = "supplied secret isn't valid for this device")]
    WrongSecret,
    #[fail(display = "not an utf8 string")]
    StringEncodingError { cause: FromUtf8Error },
    #[fail(display = "not an hex string: {}", string)]
    HexEncodingError { string: String },
    #[fail(display = "couldn't obtain at least one credential")]
    InsufficientCredentials,
 }
 impl Fido2LuksError {
@@ -44,11 +54,42 @@ pub enum AskPassError {
    IO(io::Error),
    #[fail(display = "provided passwords don't match")]
    Mismatch,
    #[fail(display = "failed to call password helper")]
    FailedHelper,
 }
-use libcryptsetup_rs::LibcryptErr;
+#[derive(Debug, Fail)]
-use std::string::FromUtf8Error;
+pub enum LuksError {
-use Fido2LuksError::*;
+    #[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
    Luks2Required,
    #[fail(display = "Invalid token: {}", _0)]
    InvalidToken(String),
    #[fail(display = "No token found")]
    NoToken,
    #[fail(display = "The device already exists")]
    DeviceExists,
 }
 impl LuksError {
    pub fn activate(e: LibcryptErr) -> Fido2LuksError {
        match e {
            LibcryptErr::IOError(ref io) => match io.raw_os_error() {
                Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
                Some(17) => Fido2LuksError::LuksError {
                    cause: LuksError::DeviceExists,
                },
                _ => return Fido2LuksError::CryptsetupError { cause: e },
            },
            _ => Fido2LuksError::CryptsetupError { cause: e },
        }
    }
 }
 impl From<LuksError> for Fido2LuksError {
    fn from(e: LuksError) -> Self {
        Fido2LuksError::LuksError { cause: e }
    }
 }
 impl From<FidoError> for Fido2LuksError {
    fn from(e: FidoError) -> Self {
@@ -62,7 +103,7 @@ impl From<LibcryptErr> for Fido2LuksError {
            LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
                WrongSecret
            }
-            _ => LuksError { cause: e },
+            _ => CryptsetupError { cause: e },
        }
    }
 }
--- a/src/luks.rs
+++ b/src/luks.rs
@@ -1,85 +1,350 @@
 use crate::error::*;
-use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
+use libcryptsetup_rs::{
    CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
    TokenInput,
 };
 use std::collections::{HashMap, HashSet};
 use std::path::Path;
-fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
+pub struct LuksDevice {
-    let mut device = CryptInit::init(path.as_ref())?;
+    device: CryptDevice,
-    //TODO: determine luks version some way other way than just trying
+    luks2: Option<bool>,
-    let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
+}
-    vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
+
-        .into_iter()
+impl LuksDevice {
-        .fold(None, |res, format| match res {
+    pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
-            Some(Ok(())) => res,
+        let mut device = CryptInit::init(path.as_ref())?;
-            Some(e) => Some(e.or(load(format))),
+        device.context_handle().load::<()>(None, None)?;
-            None => Some(load(format)),
+        Ok(Self {
            device,
            luks2: None,
        })
        .unwrap()?;
    Ok(device)
 }
 pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
    let mut device = load_device_handle(path)?;
    device
        .activate_handle()
        .activate_by_passphrase(Some(name), None, secret, CryptActivateFlags::empty())
        .map(|_slot| ())
        .map_err(|_e| Fido2LuksError::WrongSecret)
 }
 pub fn add_key<P: AsRef<Path>>(
    path: P,
    secret: &[u8],
    old_secret: &[u8],
    iteration_time: Option<u64>,
 ) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    // Set iteration time not sure wether this applies to luks2 as well
    if let Some(millis) = iteration_time {
        device.settings_handle().set_iteration_time(millis)
    }
    let slot = device
        .keyslot_handle(None)
        .add_by_passphrase(old_secret, secret)?;
    Ok(slot)
 }
-pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
+    pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
-    let mut device = load_device_handle(path)?;
+        if let Some(luks2) = self.luks2 {
-    let mut slot = 0;
+            Ok(luks2)
-    let mut handle;
+        } else {
-    let mut destroyed = 0;
+            self.luks2 = Some(match self.device.format_handle().get_type()? {
-    loop {
+                EncryptionFormat::Luks2 => true,
-        handle = device.keyslot_handle(Some(slot));
+                _ => false,
-        match handle.status()? {
+            });
-            KeyslotInfo::Inactive => continue,
+            self.is_luks2()
-            KeyslotInfo::Active if !exclude.contains(&slot) => {
+        }
-                handle.destroy()?;
+    }
-                destroyed += 1;
+
    fn require_luks2(&mut self) -> Fido2LuksResult<()> {
        if !self.is_luks2()? {
            return Err(LuksError::Luks2Required.into());
        }
        Ok(())
    }
    pub fn tokens<'a>(
        &'a mut self,
    ) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
    {
        self.require_luks2()?;
        Ok(Box::new(
            (0..32)
                .map(move |i| {
                    let status = match self.device.token_handle().status(i) {
                        Ok(status) => status,
                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
                    };
                    match status {
                        CryptTokenInfo::Inactive => return None,
                        CryptTokenInfo::Internal(s)
                        | CryptTokenInfo::InternalUnknown(s)
                        | CryptTokenInfo::ExternalUnknown(s)
                        | CryptTokenInfo::External(s)
                            if &s != Fido2LuksToken::default_type() =>
                        {
                            return None
                        }
                        _ => (),
                    };
                    let json = match self.device.token_handle().json_get(i) {
                        Ok(json) => json,
                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
                    };
                    let info: Fido2LuksToken =
                        match serde_json::from_value(json.clone()).map_err(|_| {
                            Fido2LuksError::LuksError {
                                cause: LuksError::InvalidToken(json.to_string()),
                            }
                        }) {
                            Ok(info) => info,
                            Err(err) => return Some(Err(Fido2LuksError::from(err))),
                        };
                    Some(Ok((i, info)))
                })
                .filter_map(|o| o),
        ))
    }
    pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
        let slot_str = slot.to_string();
        for token in self.tokens()? {
            let (id, token) = token?;
            if token.keyslots.contains(&slot_str) {
                return Ok(Some((id, token)));
            }
            _ => (),
        }
-        match handle.status()? {
+        Ok(None)
-            KeyslotInfo::ActiveLast => break,
+    }
-            _ => (),
+
-        }
+    pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
-        slot += 1;
+        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
        Ok(())
    }
    pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::RemoveToken(token))?;
        Ok(())
    }
    pub fn remove_token_slot(&mut self, slot: u32) -> Fido2LuksResult<()> {
        let mut remove = HashSet::new();
        for token in self.tokens()? {
            let (id, token) = token?;
            if token.keyslots.contains(&slot.to_string()) {
                remove.insert(id);
            }
        }
        for rm in remove {
            self.remove_token(rm)?;
        }
        Ok(())
    }
    pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::ReplaceToken(
                token,
                &serde_json::to_value(&data).unwrap(),
            ))?;
        Ok(())
    }
    pub fn add_key(
        &mut self,
        secret: &[u8],
        old_secret: &[u8],
        iteration_time: Option<u64>,
        credential_id: Option<&[u8]>,
    ) -> Fido2LuksResult<u32> {
        if let Some(millis) = iteration_time {
            self.device.settings_handle().set_iteration_time(millis)
        }
        let slot = self
            .device
            .keyslot_handle()
            .add_by_passphrase(None, old_secret, secret)?;
        if let Some(id) = credential_id {
            self.device.token_handle().json_set(TokenInput::AddToken(
                &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
            ))?;
        }
        Ok(slot)
    }
    pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
        let mut destroyed = 0;
        let mut tokens = Vec::new();
        for slot in 0..256 {
            match self.device.keyslot_handle().status(slot)? {
                KeyslotInfo::Inactive => continue,
                KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
                    if self.is_luks2()? {
                        if let Some((id, _token)) = self.find_token(slot)? {
                            tokens.push(id);
                        }
                    }
                    self.device.keyslot_handle().destroy(slot)?;
                    destroyed += 1;
                }
                KeyslotInfo::ActiveLast => break,
                _ => (),
            }
            if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
                break;
            }
        }
        // Ensure indices stay valid
        tokens.sort();
        for token in tokens.iter().rev() {
            self.remove_token(*token)?;
        }
        Ok(destroyed)
    }
    pub fn replace_key(
        &mut self,
        secret: &[u8],
        old_secret: &[u8],
        iteration_time: Option<u64>,
        credential_id: Option<&[u8]>,
    ) -> Fido2LuksResult<u32> {
        if let Some(millis) = iteration_time {
            self.device.settings_handle().set_iteration_time(millis)
        }
        // Use activate dry-run to locate keyslot
        let slot = self.device.activate_handle().activate_by_passphrase(
            None,
            None,
            old_secret,
            CryptActivateFlags::empty(),
        )?;
        // slot should stay the same but better be safe than sorry
        let slot = self.device.keyslot_handle().change_by_passphrase(
            Some(slot),
            Some(slot),
            old_secret,
            secret,
        )? as u32;
        if let Some(id) = credential_id {
            if self.is_luks2()? {
                let token = self.find_token(slot)?.map(|(t, _)| t);
                let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
                if let Some(token) = token {
                    self.device
                        .token_handle()
                        .json_set(TokenInput::ReplaceToken(token, &json))?;
                } else {
                    self.device
                        .token_handle()
                        .json_set(TokenInput::AddToken(&json))?;
                }
            }
        }
        Ok(slot)
    }
    pub fn activate(
        &mut self,
        name: &str,
        secret: &[u8],
        slot_hint: Option<u32>,
        dry_run: bool,
    ) -> Fido2LuksResult<u32> {
        self.device
            .activate_handle()
            .activate_by_passphrase(
                Some(name).filter(|_| !dry_run),
                slot_hint,
                secret,
                CryptActivateFlags::empty(),
            )
            .map_err(LuksError::activate)
    }
    pub fn activate_token(
        &mut self,
        name: &str,
        secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
        slot_hint: Option<u32>,
        dry_run: bool,
    ) -> Fido2LuksResult<u32> {
        if !self.is_luks2()? {
            return Err(LuksError::Luks2Required.into());
        }
        let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
        for token in self.tokens()? {
            let token = match token {
                Ok((_id, t)) => t,
                _ => continue, // An corrupted token should't lock the user out
            };
            let slots = || {
                token
                    .keyslots
                    .iter()
                    .filter_map(|slot| slot.parse::<u32>().ok())
            };
            for cred in token.credential.iter() {
                creds
                    .entry(cred.clone())
                    .or_insert_with(|| slots().collect::<HashSet<u32>>())
                    .extend(slots());
            }
        }
        if creds.is_empty() {
            return Err(Fido2LuksError::LuksError {
                cause: LuksError::NoToken,
            });
        }
        let (secret, credential) = secret(creds.keys().cloned().collect())?;
        let empty;
        let slots = if let Some(slots) = creds.get(&credential) {
            slots
        } else {
            empty = HashSet::new();
            &empty
        };
        //Try slots associated with the credential used
        let slots = slots.iter().cloned().map(Option::Some).chain(
            std::iter::once(slot_hint) // Try slot hint if there is one
                .take(slot_hint.is_some() as usize)
                .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
        );
        for slot in slots {
            match self.activate(name, &secret, slot, dry_run) {
                Err(Fido2LuksError::WrongSecret) => (),
                res => return res,
            }
        }
        Err(Fido2LuksError::WrongSecret)
    }
    Ok(destroyed)
 }
-pub fn replace_key<P: AsRef<Path>>(
+#[derive(Debug, Clone, Serialize, Deserialize)]
-    path: P,
+pub struct Fido2LuksToken {
-    secret: &[u8],
+    #[serde(rename = "type")]
-    old_secret: &[u8],
+    pub type_: String,
-    iteration_time: Option<u64>,
+    pub credential: HashSet<String>,
-) -> Fido2LuksResult<u32> {
+    pub keyslots: HashSet<String>,
-    let mut device = load_device_handle(path)?;
+}
-    // Set iteration time not sure wether this applies to luks2 as well
+
-    if let Some(millis) = iteration_time {
+impl Fido2LuksToken {
-        device.settings_handle().set_iteration_time(millis)
+    pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
-    }
+        Self::with_credentials(std::iter::once(credential_id), slot)
-    Ok(device
+    }
-        .keyslot_handle(None)
+
-        .change_by_passphrase(None, None, old_secret, secret)? as u32)
+    pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
        credentials: I,
        slot: u32,
    ) -> Self {
        Self {
            credential: credentials
                .into_iter()
                .map(|cred| hex::encode(cred.as_ref()))
                .collect(),
            keyslots: vec![slot.to_string()].into_iter().collect(),
            ..Default::default()
        }
    }
    pub fn default_type() -> &'static str {
        "fido2luks"
    }
 }
 impl Default for Fido2LuksToken {
    fn default() -> Self {
        Self {
            type_: Self::default_type().into(),
            credential: HashSet::new(),
            keyslots: HashSet::new(),
        }
    }
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,51 +1,27 @@
 #[macro_use]
 extern crate failure;
 extern crate ctap_hmac as ctap;
 #[macro_use]
 extern crate serde_derive;
 use crate::cli::*;
 use crate::config::*;
 use crate::device::*;
 use crate::error::*;
 use std::io;
 use std::path::PathBuf;
 use std::process::exit;
 mod cli;
-mod config;
+pub mod cli_args;
 mod device;
 mod error;
 mod luks;
 mod util;
 fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
    util::sha256(&[salt, hmac_result])
 }
 fn main() -> Fido2LuksResult<()> {
    match run_cli() {
        Err(e) => {
            #[cfg(debug_assertions)]
            eprintln!("{:?}", e);
            #[cfg(not(debug_assertions))]
            eprintln!("{}", e);
            exit(e.exit_code())
        }
        _ => exit(0),
    }
 }
 #[cfg(test)]
 mod test {
    use super::*;
    #[test]
    fn test_assemble_secret() {
        assert_eq!(
            assemble_secret(b"abc", b"def"),
            [
                46, 82, 82, 140, 142, 159, 249, 196, 227, 160, 142, 72, 151, 77, 59, 62, 180, 36,
                33, 47, 241, 94, 17, 232, 133, 103, 247, 32, 152, 253, 43, 19
            ]
        )
    }
 }
--- a/src/setup.rs
+++ b/src/setup.rs
--- a/src/util.rs
+++ b/src/util.rs
@@ -4,7 +4,7 @@ use std::fs::File;
 use std::io::Read;
 use std::path::PathBuf;
-pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] {
+pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
    let mut digest = digest::Context::new(&digest::SHA256);
    for m in messages.iter() {
        digest.update(m);
@@ -13,9 +13,17 @@ pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] {
    secret.as_mut().copy_from_slice(digest.finish().as_ref());
    secret
 }
-
+pub fn read_password_tty(q: &str, verify: bool) -> Fido2LuksResult<String> {
-pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
+    read_password(q, verify, true)
-    match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
+}
 pub fn read_password(q: &str, verify: bool, tty: bool) -> Fido2LuksResult<String> {
    let res = if tty {
        rpassword::read_password_from_tty(Some(&[q, ": "].join("")))
    } else {
        print!("{}: ", q);
        rpassword::read_password()
    }?;
    match res {
        ref pass
            if verify
                && &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
@@ -23,7 +31,7 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
        {
            Err(Fido2LuksError::AskPassError {
                cause: AskPassError::Mismatch,
-            })?
+            })
        }
        pass => Ok(pass),
    }
Author	SHA1	Message	Date
shimun	4bac5142cc	chore: update flake.lock	2021-12-11 11:43:25 +01:00
shimun	0c9d001bd0	flake.lock: Update Flake input changes: * Updated 'naersk': 'github:nmattia/naersk/6e149bfd726a8ebefa415f2d713ba6d942435abd' -> 'github:nmattia/naersk/df71f5e4babda41cd919a8684b72218e2e809fa9' * Updated 'nixpkgs': 'github:NixOS/nixpkgs/2118cf551b9944cfdb929b8ea03556f097dd0381' -> 'github:NixOS/nixpkgs/01ee7961039dabf15caca202c3416451e5290ff4' * Updated 'utils': 'github:numtide/flake-utils/3982c9903e93927c2164caa727cd3f6a0e6d14cc' -> 'github:numtide/flake-utils/997f7efcb746a9c140ce1f13c72263189225f482'	2021-09-05 16:11:04 +02:00
shimun	38b3a77b78	added: Dockerimage for .deb build	2021-07-28 19:27:42 +02:00
shimun	57bad4a625	Merge remote-tracking branch 'gh/master' into 0.3.0	2021-07-28 13:19:25 +02:00
shimun	b2e4950db5	update ctap_hmac	2021-07-26 18:46:10 +02:00
shimun	a33d591cbb	Merge branch 'master' into 0.3.0	2021-07-16 19:08:23 +02:00
shimun	f53096dc5b	password helper: inherit stdin, stderr should make fido2luks much easier to use in boot scripts since it will allow for usage as follows: `fido2luks open-token /dev/disk/by-uuid/sda1 test 'bash -c "read -p Pass PW 1>&2; echo $PW"'` which will read the password from the current terminal	2021-07-16 15:23:11 +02:00
shimun	5496c4e61b	always set credential name	2021-07-14 15:47:23 +02:00
shimun	51fa26b7d5	bump version	2021-07-14 12:24:58 +02:00
Vyacheslav Konovalov	a3696962e8	Support for initcpio (#31 ) * Add initcpio hook and install script * Make PIN optional * Add README for initcpio * Fix PKGBUILD, add install of initcpio * Fix README for initcpio	2021-07-14 12:23:32 +02:00
shimun	a75d1af01b	added: hydra job All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2021-04-18 19:20:11 +02:00
shimun	534d36bb13	Merge branch 'master' into HEAD All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2021-03-01 20:04:43 +01:00
shimunn	7e6b33ae7f	Theory of operation (#30 ) All checks were successful continuous-integration/drone/push Build is passing Details	2021-02-28 12:56:57 +01:00
shimun	b3495c45f3	add nix flake	2021-02-08 16:06:56 +01:00
shimunn	17ca487b85	Obvious password promt (#29 ) * obvious password promt * prompt interaction with FIDO device	2021-02-08 15:58:41 +01:00
shimun	b0404f2fc1	minimum YubiKey firmware version Some checks reported errors continuous-integration/drone/push Build encountered an error Details	2020-11-17 13:05:45 +01:00
shimunn	de21e3ef8d	Merge pull request #21 from aacebedo/master Added an helper script to be used with pam_mount	2020-11-01 21:18:13 +01:00
Alexandre ACEBEDO	8a7b3addbb	Added an helper script to be used with pam_mount	2020-11-01 18:21:04 +01:00
shimun	39b90d27b7	update keyscript Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-27 15:54:18 +01:00
shimun	f37ad8e78b	update readme Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-27 15:53:21 +01:00
shimun	543198a5fe	auto_credential -> generate_credential	2020-10-27 15:44:26 +01:00
shimun	d8aca91136	generate all completions by default	2020-10-27 15:03:05 +01:00
shimun	06f97592c1	dectect enabled PIN Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-18 20:48:30 +02:00
shimun	8e2948fbb9	use CARGO_MANIFEST_DIR instead of PWD Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-18 20:01:43 +02:00
shimun	be2639d9fe	tolerate generated bash-completion scripts Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-18 16:47:36 +02:00
shimun	6f9941a107	readable Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-18 16:39:28 +02:00
shimun	81c2bbf692	changelog Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-18 15:47:30 +02:00
shimun	516b590739	describe dry-run	2020-10-18 15:46:56 +02:00
shimun	2ed7f8141f	verbose Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-18 15:39:30 +02:00
shimun	8e98bf024e	read_pin Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/pr Build is failing Details	2020-10-17 18:38:21 +02:00
shimun	49a7512743	dry-run Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-17 18:27:12 +02:00
shimun	a264f4c9eb	rewrite helper Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/pr Build is failing Details	2020-10-17 17:58:28 +02:00
shimun	a5c0840a59	update deps	2020-10-13 23:00:44 +02:00
shimun	ab23fe5ac9	remove env attr to keep --disable-token as flag Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-13 21:29:06 +02:00
shimun	4b09fcb6cb	honour disable-token	2020-10-13 21:28:47 +02:00
shimun	e5c6ca9237	use claps variant list	2020-10-13 19:29:05 +02:00
shimun	716a845e55	open-token alias Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is failing Details	2020-10-13 19:23:02 +02:00
shimun	24a06b9085	doc	2020-10-13 19:18:35 +02:00
shimun	e7e44cd61b	fix test All checks were successful continuous-integration/drone/push Build is passing Details	2020-10-13 14:17:22 +02:00
shimun	ae96d3ba5d	remove dbg All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2020-10-11 22:41:18 +02:00
shimun	88b9677e7a	4 All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2020-10-11 22:23:45 +02:00
shimun	99a536f2d4	3 All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2020-10-11 22:03:07 +02:00
shimun	8954de3558	2 Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/pr Build is failing Details	2020-10-11 21:11:42 +02:00
shimun	bd29452980	use prebuild image	2020-10-11 19:05:41 +02:00
shimun	e9510216ef	1 Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/pr Build is failing Details	2020-10-11 18:33:59 +02:00
shimun	0ec859f4a6	remove trailing newline from pin Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-25 12:40:34 +02:00
shimun	55bae4161e	add credentials situated in the luks header to credential list Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-19 18:23:21 +02:00
shimun	086c1a0594	file path must be relative to src Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-05 19:35:36 +02:00
shimun	c2e38eb06f	generate shell completions during build Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is failing Details	2020-09-05 18:52:07 +02:00
shimun	03ef5721e0	bump version All checks were successful continuous-integration/drone/tag Build is passing Details continuous-integration/drone/push Build is passing Details	2020-09-03 14:56:36 +02:00
shimun	008e644024	auto detect current version	2020-09-03 14:56:22 +02:00
shimun	e1f762ddc9	add subcommand to generate bash completions All checks were successful continuous-integration/drone/push Build is passing Details	2020-09-03 14:45:52 +02:00
Saravanan Palanisamy	2266754a95	create PKGBUILD file for archlinux package (#17 ) Some checks reported errors continuous-integration/drone/push Build encountered an error Details * create PKGBUILD file * use build & install method * add package dependencies	2020-09-02 14:14:40 +02:00
shimun	8811cff6d1	0.2.12 All checks were successful continuous-integration/drone/tag Build is passing Details	2020-08-31 00:04:24 +02:00
shimun	99787b614c	Merge branch 'pin_source' into master Some checks reported errors continuous-integration/drone/push Build encountered an error Details	2020-08-31 00:00:42 +02:00
shimun	ee28f87148	always print the full error message All checks were successful continuous-integration/drone/push Build is passing Details	2020-08-30 17:09:57 +02:00
shimun	196356fe3b	structopt does not allow for flags to be linked to env atm	2020-08-25 21:47:25 +02:00
shimun	3ff7e698bd	add flag to read pin from alternate source Some checks reported errors continuous-integration/drone/push Build encountered an error Details	2020-08-25 21:26:30 +02:00
shimun	04d0d60fb3	use ubuntu as base image Some checks reported errors continuous-integration/drone/tag Build is passing Details continuous-integration/drone/push Build was killed Details	2020-08-16 15:30:20 +02:00
shimun	e64f777c54	use sh to run password helper	2020-08-16 13:42:54 +02:00
shimun	8465949b44	spell promPt correctly	2020-08-16 13:42:35 +02:00
shimunn	06bed03e7b	Merge pull request #13 from Andrew-Finn/master Added documentation and tweaked readme	2020-08-14 12:40:02 +02:00
Andrew-Finn	36f82e7c3a	Added and edited documentation	2020-08-14 11:36:25 +01:00
shimun	cd90564f60	protect fido2luks.conf from being overwritten Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is failing Details	2020-08-11 23:08:12 +02:00
shimun	0f6d79a7e4	get plymouth to display a message Some checks failed continuous-integration/drone/push Build is failing Details	2020-08-11 22:41:21 +02:00
shimun	4136b1bfad	relicense to MPL Some checks failed continuous-integration/drone/push Build is failing Details	2020-07-27 09:22:02 +02:00
shimun	81016a1a42	require MPL for new contributions Some checks failed continuous-integration/drone/push Build is failing Details	2020-07-26 21:11:03 +02:00
shimun	840868468b	cargo-deb meta All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-04 21:32:21 +02:00
shimun	97880e4f41	refuse removal while crypttab depends on keyscript All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 16:21:35 +02:00
shimun	e798ba5c70	remove keyscript aswell All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 15:59:12 +02:00
shimun	298e05fed7	initramfs-tools All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 15:55:23 +02:00
shimun	a498e1416f	automate cargo publish Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is failing Details	2020-06-23 23:55:07 +02:00
shimun	92e413de50	refactored luks operations All checks were successful continuous-integration/drone/push Build is passing Details	2020-06-22 20:47:19 +00:00
shimun	023399bb14	use unstable cryptsetup Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-22 18:17:10 +02:00
shimun	a53a430c23	update drone Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-21 22:16:45 +02:00
shimun	5f107cd337	add non existing token Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-19 20:09:36 +02:00
shimun	ddfd24a098	ensure replace_key uses the same slot	2020-06-19 20:05:05 +02:00
shimun	743edf668a	document --token	2020-06-13 14:35:46 +02:00
shimun	4507107fac	update libcryptsetup-rs	2020-06-10 13:50:28 +02:00
shimun	a8482c50a2	handle tokens when replacing	2020-06-08 19:22:19 +02:00
shimun	09be5ef551	assemble secret in correct order	2020-06-08 18:08:24 +02:00
shimun	6f6c84ddba	skip luks2 check until underlying issue is fixed	2020-06-07 14:14:51 +02:00
shimun	5a05cad695	more precise description	2020-06-06 23:39:23 +02:00
shimun	d8d24b40f5	Merge branch 'cli_reorg'	2020-06-06 23:37:22 +02:00
shimun	c1a82b9ae6	update libcryptsetup_rs to 0.4.0	2020-06-06 22:43:18 +02:00
shimun	a26b79bcd6	reduced redundant code	2020-05-05 23:53:50 +02:00
shimun	f774580c9c	update to current api	2020-05-05 23:28:44 +02:00
shimun	69732a1ad6	restore order	2020-04-29 20:33:28 +02:00
shimun	b8ae9d91f0	rudimentary pin support	2020-04-29 19:56:18 +02:00
shimun	fcdd2a2d3d	add option to specify keyslot	2020-04-29 18:55:25 +02:00
shimun	c3d6425e2d	reorganised cli	2020-04-29 18:50:55 +02:00
shimun	0b19760175	hint slots	2020-04-28 19:09:53 +02:00
shimun	2ec8679c47	open token	2020-04-28 14:27:14 +02:00
shimun	65e1dead8b	remove token	2020-04-27 22:07:00 +02:00
shimun	478fb5e036	store luks token	2020-04-27 19:26:21 +02:00
shimun	1547f5e199	get format	2020-04-27 18:12:06 +02:00
shimun	5c0364587e	update ctap	2020-04-26 18:58:37 +02:00
shimun	9307503bdc	applied clippy lints	2020-04-07 20:06:24 +02:00
shimun	b94f45d1ff	patch secret_gen before obtaing first secret	2020-04-06 23:33:41 +02:00
shimun	c8fb636846	mention clang build dependency	2020-04-06 22:52:15 +02:00
shimun	49e2835f60	enable fido requests to be sent to multiple devices at once	2020-04-06 21:38:11 +02:00
shimun	d5c0d48f03	allow another fido device to be used as previous secret	2020-04-06 20:18:00 +02:00
shimun	ad2451f548	add timeout	2020-04-05 23:24:18 +02:00
shimun	bb7ee7c1ce	request password only once if possible	2020-04-03 22:02:05 +02:00
shimun	0ba77963d2	update ctap_hmac	2020-04-02 17:22:15 +02:00
shimun	1658800553	request_multiple	2020-04-01 20:24:49 +02:00
shimun	a394b7d1d1	libcryptsetup-rs patch	2020-03-28 14:54:36 +01:00
shimun	c99d7f562d	support luks2	2020-03-27 20:08:54 +01:00
shimun	c4f781e6e3	only process keyslots within a given range	2020-03-27 20:03:42 +01:00