wip: deb VM

should make fido2luks much easier to use in boot scripts since it will
allow for usage as follows:

`fido2luks open-token /dev/disk/by-uuid/sda1 test 'bash -c "read -p Pass PW 1>&2; echo $PW"'`

which will read the password from the current terminal

.drone.yml

@@ -8,22 +8,20 @@ steps:
      - rustup component add rustfmt
      - cargo fmt --all -- --check
  - name: test
-   image: ubuntu:focal
+   image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
    environment:
     DEBIAN_FRONTEND: noninteractive
    commands:
-    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev 
     - cargo test --locked
  - name: publish
-   image: ubuntu:focal
+   image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
    environment:
     DEBIAN_FRONTEND: noninteractive
     CARGO_REGISTRY_TOKEN:
      from_secret: cargo_tkn
    commands:
     - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev 
+    - cargo package --all-features --allow-dirty
-    - cargo package --all-features
+    - cargo publish --all-features --allow-dirty
-    - cargo publish --all-features
    when:
     event: tag

CHANGELOG.md

@@ -0,0 +1,11 @@
+## 0.3.0
+
+* LUKS2 Tokens are now supported by every subcommand
+* `<credential>` has been converted into the flag `--creds`  
+credentials provided by `--creds` will be supplemented from the LUKS header unless this is disabled by `--disable-token`
+* `fido2luks add-key` will take an `--auto-cred` flag which allows for credentials to be generated and stored without having to use `fido2luks credential`  
+`fido2luks replace-key` will allow for credentials to be removed using the `--remove-cred` flag respectively 
+* Removed `fido2luks open-token` subcommand  
+  `fido2luks open` now fulfills both functions
+* Added `fido2luks open --dry-run` flag, to perform the whole procedure apart from mounting the LUKS volume
+* Added an `--verbose` flag to display additional information like credentials and keyslots used if desired

Cargo.lock

@@ -86,7 +86,7 @@ dependencies = [
  "lazycell",
  "log",
  "peeking_take_while",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
  "regex",
  "rustc-hash",
@@ -319,10 +319,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
 dependencies = [
  "fnv",
  "ident_case",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
  "strsim 0.9.3",
- "syn 1.0.40",
+ "syn 1.0.73",
 ]
 
 [[package]]
@@ -333,7 +333,7 @@ checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
  "darling_core",
  "quote 1.0.7",
- "syn 1.0.40",
+ "syn 1.0.73",
 ]
 
 [[package]]
@@ -344,9 +344,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
 dependencies = [
  "darling",
  "derive_builder_core",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
- "syn 1.0.40",
+ "syn 1.0.73",
 ]
 
 [[package]]
@@ -356,9 +356,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
 dependencies = [
  "darling",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
- "syn 1.0.40",
+ "syn 1.0.73",
 ]
 
 [[package]]
@@ -396,15 +396,15 @@ version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
- "syn 1.0.40",
+ "syn 1.0.73",
  "synstructure",
 ]
 
 [[package]]
 name = "fido2luks"
-version = "0.2.19"
+version = "0.3.0"
 dependencies = [
  "ctap_hmac",
  "failure",
@@ -642,9 +642,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
 dependencies = [
  "proc-macro-error-attr",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
- "syn 1.0.40",
+ "syn 1.0.73",
  "version_check",
 ]
 
@@ -654,7 +654,7 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
  "version_check",
 ]
@@ -670,9 +670,9 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.20"
+version = "1.0.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "175c513d55719db99da20232b06cda8bab6b83ec2d04e3283edf0213c37c1a29"
+checksum = "f0d8caf72986c1a598726adc988bb5984792ef84f5ee5aa50209145ee8077038"
 dependencies = [
  "unicode-xid 0.2.1",
 ]
@@ -698,7 +698,7 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
 ]
 
 [[package]]
@@ -945,19 +945,19 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
 
 [[package]]
 name = "serde"
-version = "1.0.115"
+version = "1.0.126"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
+checksum = "ec7505abeacaec74ae4778d9d9328fe5a5d04253220a85c4ee022239fc996d03"
 
 [[package]]
 name = "serde_derive"
-version = "1.0.115"
+version = "1.0.126"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
+checksum = "963a7dbc9895aeac7ac90e74f34a5d5261828f79df35cbed41e10189d3804d43"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
- "syn 1.0.40",
+ "syn 1.0.73",
 ]
 
 [[package]]
@@ -1008,9 +1008,9 @@ checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
 dependencies = [
  "heck",
  "proc-macro-error",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
- "syn 1.0.40",
+ "syn 1.0.73",
 ]
 
 [[package]]
@@ -1026,11 +1026,11 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "1.0.40"
+version = "1.0.73"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "963f7d3cc59b59b9325165add223142bbf1df27655d07789f109896d353d8350"
+checksum = "f71489ff30030d2ae598524f61326b902466f72a0fb1a8564c001cc63425bcc7"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
  "unicode-xid 0.2.1",
 ]
@@ -1041,9 +1041,9 @@ version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.27",
  "quote 1.0.7",
- "syn 1.0.40",
+ "syn 1.0.73",
  "unicode-xid 0.2.1",
 ]
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.19"
+version = "0.3.0"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -20,10 +20,10 @@ ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
-libcryptsetup-rs = "0.4.1"
+libcryptsetup-rs = "0.4.2"
 serde_json = "1.0.51"
-serde_derive = "1.0.106"
+serde_derive = "1.0.116"
-serde = "1.0.106"
+serde = "1.0.116"
 
 [build-dependencies]
 ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
@@ -48,7 +48,6 @@ extended-description = "Decrypt your LUKS partition using a FIDO2 compatible aut
 assets = [
     ["target/release/fido2luks", "usr/bin/", "755"],
     ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
-    ["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
     ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
     ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
     ["initramfs-tools/fido2luks.conf", "etc/", "644"],

README_NEW.md

@@ -0,0 +1,79 @@
+# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
+
+This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
+
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
+
+## Installation
+
+### From Source
+
+Installing from source requires the following dependencies:
+
+Ubuntu: `cargo, libclang-dev, libcryptsetup-dev >= 2.2`
+
+Fedora: `cargo, clang-devel, cryptsetup-devel`
+
+To compile the fido2luks binary you can simply run `sudo cargo install --root /usr fido2luks` but since you may want to install the scripts included it this repo as well,
+it's recommended to clone the repo and install from there.
+
+``
+git clone https://github.com/shimunn/fido2luks.git
+cargo install --root /usr --path fido2luks
+``
+
+Continue with further instructions for [Ubuntu](initramfs-tools) or [Fedora](dracut)
+
+### From Package
+
+Ubuntu: see [releases](https://github.com/shimunn/fido2luks/releases)
+
+NixOS: https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2
+
+ArchLinux: 
+* [AUR](https://aur.archlinux.org/packages/fido2luks/)
+* [Git](PKGBUILD)
+
+Fedora: coming soon
+
+## Credentials
+
+Depending on the version of cryptsetup and the age of your installation your LUKS header might be in the LUKS2 format already if that's the case fido2luks will be able to spare you from dealing with just another config file by simply storeing all the required information within your LUKS header. 
+If your header is still using the LUKS1 format you may convert it:
+
+```
+cryptsetup convert --type luks2 <device>
+```
+
+if you want to keep using LUKS1 due to other software such as pam_mount not being compatible with LUKS2 at the moment, you will have to generate credentials by hand an add them to `/etc/fido2luks.conf` otherwise you can skip this step.
+```
+fido2luks credential [optional name]
+```
+the generated hexadecimal credential can then be added to `FIDO2LUKS_CREDENTIAL_ID=` in `/etc/fido2luks.conf` multiple credentials can be separated by comma.
+
+## Adding a Key
+
+If you had to generate a credential in the previous step you'll have to provide it to the following commands as a parameter or via an environment variable:
+
+```
+set -a
+. /etc/fido2luks.conf
+```
+
+To then add the key you need to have your current password/keyfile ready:
+
+without having generated a credential in the previous step: `fido2luks -i add-key --gen-cred <device>`
+
+with a keyfile: `fido2luks -i add-key --keyfile <path-to-keyfile <device>`
+
+if you've confirmed at a later stage that everything works as expected you may want to remove your keyfile/password by running the previous commands with the `--exclusive` flag which will remove all other keys from the device.
+
+## Replacing a Key
+
+with password: `fido2luks -i replace-key <device>`
+
+with keyfile: `fido2luks -i replace-key -d <path-to-keyfile> <device>`
+
+with another fido2 derived key: `fido2luks -i replace-key -f <device>`
+
+

build.rs

@@ -19,6 +19,10 @@ use structopt::StructOpt;
 fn main() {
     // generate completion scripts, zsh does panic for some reason
     for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
-        Args::clap().gen_completions(env!("CARGO_PKG_NAME"), Shell::from_str(shell).unwrap(), ".");
+        Args::clap().gen_completions(
+            env!("CARGO_PKG_NAME"),
+            Shell::from_str(shell).unwrap(),
+            env!("CARGO_MANIFEST_DIR"),
+        );
     }
 }

flake.lock

@@ -1,5 +1,21 @@
 {
   "nodes": {
+    "cargo-deb": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1627137192,
+        "narHash": "sha256-zDAwiETJquiViEvBKMuI9WWgSGhVDscL/m1ufKJENBw=",
+        "owner": "mmstick",
+        "repo": "cargo-deb",
+        "rev": "f603d105b4641e00640e46b189c6ee0c8f084de2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mmstick",
+        "repo": "cargo-deb",
+        "type": "github"
+      }
+    },
     "naersk": {
       "inputs": {
         "nixpkgs": [
@@ -7,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1612192764,
+        "lastModified": 1623927034,
-        "narHash": "sha256-7EnLtZQWP6511G1ZPA7FmJlqAr3hWsAYb24tvTvJ/ec=",
+        "narHash": "sha256-sGxlmfp5eXL5sAMNqHSb04Zq6gPl+JeltIZ226OYN0w=",
         "owner": "nmattia",
         "repo": "naersk",
-        "rev": "6e149bfd726a8ebefa415f2d713ba6d942435abd",
+        "rev": "e09c320446c5c2516d430803f7b19f5833781337",
         "type": "github"
       },
       "original": {
@@ -22,11 +38,12 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1611910458,
+        "lastModified": 1627245147,
-        "narHash": "sha256-//j54S14v9lp3YKizS1WZW3WKwLjGTzvwhHfUAaRBPQ=",
+        "narHash": "sha256-CQzH/4Mbhcx1HD+dtD7pZ0dHUZvX4eKN9b8Ifzz4gC4=",
-        "path": "/nix/store/z5g10k571cc5q9yvr0bafzswp0ggawjw-source",
+        "owner": "NixOS",
-        "rev": "6e7f25001fe6874f7ae271891f709bbf50a22c45",
+        "repo": "nixpkgs",
-        "type": "path"
+        "rev": "23098f20376cd1c874af476e5d8ef9169105b020",
+        "type": "github"
       },
       "original": {
         "id": "nixpkgs",
@@ -35,6 +52,7 @@
     },
     "root": {
       "inputs": {
+        "cargo-deb": "cargo-deb",
         "naersk": "naersk",
         "nixpkgs": "nixpkgs",
         "utils": "utils"
@@ -42,11 +60,11 @@
     },
     "utils": {
       "locked": {
-        "lastModified": 1610051610,
+        "lastModified": 1623875721,
-        "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
+        "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
+        "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
         "type": "github"
       },
       "original": {

flake.nix

@@ -3,13 +3,17 @@
 
   inputs = {
     utils.url = "github:numtide/flake-utils";
+    cargo-deb = {
+      flake = false;
+      url = "github:mmstick/cargo-deb";
+    };
     naersk = {
       url = "github:nmattia/naersk";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
-  outputs = { self, nixpkgs, utils, naersk }:
+  outputs = { self, nixpkgs, utils, naersk, cargo-deb }:
     let
       root = ./.;
       pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
@@ -28,6 +32,45 @@
           packages.${pname} = naersk-lib.buildPackage {
             inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
           };
+
+          packages."${pname}-deb" =
+            let
+              cargoDeb = naersk-lib.buildPackage {
+                pname = "cargo-deb";
+                root = cargo-deb;
+              };
+              pkg = packages.${pname};
+              vm = pkgs.vmTools.diskImageFuns.ubuntu1804x86_64 { extraPackages = [ "cargo" "cryptsetup" "libclang-dev" "libcryptsetup-dev" ]; };
+              makefile = pkgs.writeText "Makefile" "
+                .PHONY: install
+
+                cargo-deb:
+                        cargo install --debug --path cargo-deb
+
+                install: cargo-deb
+                        cargo-deb
+                        mkdir -p debs
+                        cp target/debian/*.deb debs/
+                  
+              ";
+              src = pkgs.runCommandLocal "${pname}-vendored" {} ''
+                mkdir -p $out/.cargo $out/cargo-deb/.cargo
+                printf '${pkg.cargoconfig}' > $out/.cargo/config.toml; 
+                printf '${cargoDeb.cargoconfig}' > $out/cargo-deb/.cargo/config.toml;
+                printf '.PHONY: install\ninstall:\n\tcargo install --debug --path cargo-deb\n\tcargo-deb\n\tmkdir -p debs\n\tcp target/debian/*.deb debs/' > $out/Makefile
+                cp -r ${pkg.src}/. $out/
+                cp -r ${cargoDeb.src}/. $out/cargo-deb/
+              '';
+              args = {
+                diskImage = vm;
+                inherit src;
+                name = pname;
+                buildInputs = [ ];
+                meta.description = "No descr";
+              };
+            in
+            pkgs.releaseTools.debBuild args;
+
           defaultPackage = packages.${pname};
 
           # `nix run`
@@ -46,6 +89,8 @@
             '';
           };
 
+          hydraJobs = checks // packages;
+
           # `nix develop`
           devShell = pkgs.mkShell {
             nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;

initramfs-tools/Dockerfile

@@ -0,0 +1,15 @@
+FROM rust:bullseye
+
+RUN cargo install -f cargo-deb --debug --version 1.30.0
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt update && apt install -y cryptsetup pkg-config libclang-dev libcryptsetup-dev && mkdir -p /build/fido2luks
+
+WORKDIR /build/fido2luks
+
+ENV CARGO_TARGET_DIR=/build/fido2luks/target
+
+RUN cargo install fido2luks -f
+
+CMD bash -xc 'cp -rf /code/* /build/fido2luks && cargo-deb && cp target/debian/*.deb /out'

initramfs-tools/build-deb.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -ex
+
+docker build . -t fido2luks-deb
+
+mkdir -p debs
+
+docker run -ti -v "$(pwd)/..:/code:ro" -v "$(pwd)/debs:/out" fido2luks-deb

initramfs-tools/keyscript.sh

@@ -7,8 +7,4 @@ if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
 fi
 
-if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
+fido2luks print-secret --bin "$CRYPTTAB_SOURCE" $([ "$FIDO2LUKS_USE_TOKEN" -eq 0 ] && printf "--disable-token")
-	export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
-fi
-
-fido2luks print-secret --bin

src/cli.rs

@@ -2,33 +2,23 @@ use crate::error::*;
 use crate::luks::{Fido2LuksToken, LuksDevice};
 use crate::util::sha256;
 use crate::*;
+pub use cli_args::Args;
 use cli_args::*;
-
-use structopt::clap::Shell;
-use structopt::StructOpt;
-
 use ctap::{FidoCredential, FidoErrorKind};
-
+use std::borrow::Cow;
-use std::io::{Read, Write};
+use std::collections::HashSet;
+use std::io::Write;
+use std::iter::FromIterator;
+use std::path::Path;
 use std::str::FromStr;
 use std::thread;
 use std::time::Duration;
-
-use std::borrow::Cow;
-use std::collections::HashSet;
-use std::fs::File;
 use std::time::SystemTime;
+use structopt::clap::Shell;
+use structopt::StructOpt;
 
-pub use cli_args::Args;
+fn read_pin() -> Fido2LuksResult<String> {
-
+    util::read_password_tty("Authenticator PIN", false)
-fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
-    if let Some(src) = ap.pin_source.as_ref() {
-        let mut pin = String::new();
-        File::open(src)?.read_to_string(&mut pin)?;
-        Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
-    } else {
-        util::read_password("Authenticator PIN", false)
-    }
 }
 
 fn derive_secret(
@@ -37,6 +27,9 @@ fn derive_secret(
     timeout: u64,
     pin: Option<&str>,
 ) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+    if credentials.is_empty() {
+        return Err(Fido2LuksError::InsufficientCredentials);
+    }
     let timeout = Duration::from_secs(timeout);
     let start = SystemTime::now();
 
@@ -64,7 +57,98 @@ fn derive_secret(
     let (unsalted, cred) =
         perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
 
-    Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
+    let binary = sha256(&[salt, &unsalted[..]]);
+    Ok((binary, cred.clone()))
+}
+
+pub fn extend_creds_device(
+    creds: &[HexEncoded],
+    luks_dev: &mut LuksDevice,
+) -> Fido2LuksResult<Vec<HexEncoded>> {
+    let mut additional = HashSet::new();
+    additional.extend(creds.iter().cloned());
+    for token in luks_dev.tokens()? {
+        for cred in token?.1.credential {
+            let parsed = HexEncoded::from_str(cred.as_str()).map_err(|_e| {
+                Fido2LuksError::HexEncodingError {
+                    string: cred.clone(),
+                }
+            })?;
+            additional.insert(parsed);
+        }
+    }
+    Ok(Vec::from_iter(additional.into_iter()))
+}
+
+pub fn get_input(
+    secret: &SecretParameters,
+    authenticator: &AuthenticatorParameters,
+    interactive: bool,
+    q: &str,
+    verify: bool,
+) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
+    let password_helper = secret
+        .password_helper
+        .as_ref()
+        .map(|helper| move || helper.obtain());
+    let salt = &secret.salt;
+    Ok(if interactive {
+        (
+            if authenticator.pin && may_require_pin()? {
+                Some(read_pin()?)
+            } else {
+                None
+            },
+            salt.obtain_sha256(Some(|| util::read_password_tty(q, verify)))?,
+        )
+    } else {
+        match (
+            authenticator.pin && may_require_pin()?,
+            authenticator.pin_prefixed,
+        ) {
+            (true, false) => (Some(read_pin()?), salt.obtain_sha256(password_helper)?),
+            (true, true) => read_password_pin_prefixed(|| {
+                salt.obtain(password_helper).and_then(|secret| {
+                    String::from_utf8(secret).map_err(|e| Fido2LuksError::from(e))
+                })
+            })?,
+            (false, _) => (None, salt.obtain_sha256(password_helper)?),
+        }
+    })
+}
+
+pub fn read_password_pin_prefixed(
+    prefixed: impl Fn() -> Fido2LuksResult<String>,
+) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
+    let read = prefixed()?;
+    let separator = ':';
+    let mut parts = read.split(separator);
+    let pin = parts.next().filter(|p| p.len() > 0).map(|p| p.to_string());
+    let password = match pin {
+        Some(ref pin) if read.len() > pin.len() => {
+            read.chars().skip(pin.len() + 1).collect::<String>()
+        }
+        Some(_) => String::new(),
+        _ => read
+            .chars()
+            .skip(read.chars().next().map(|c| c == separator).unwrap_or(false) as usize)
+            .collect::<String>(),
+    };
+    Ok((pin, util::sha256(&[password.as_bytes()])))
+}
+
+/// generate an more readable name from common paths
+pub fn derive_credential_name(path: &Path) -> String {
+    match path.file_name() {
+        Some(name)
+            if path
+                .iter()
+                .any(|p| p == "by-label" || p == "by-partlabel" || p == "by-uuid") =>
+        {
+            name.to_string_lossy().as_ref().to_string()
+        }
+        _ => path.display().to_string(),
+    }
 }
 
 pub fn parse_cmdline() -> Args {
@@ -80,6 +164,11 @@ pub fn prompt_interaction(interactive: bool) {
 pub fn run_cli() -> Fido2LuksResult<()> {
     let mut stdout = io::stdout();
     let args = parse_cmdline();
+    let log = |message: &dyn Fn() -> String| {
+        if args.verbose {
+            eprintln!("{}", &*message());
+        }
+    };
     let interactive = args.interactive;
     match &args.command {
         Command::Credential {
@@ -87,8 +176,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             name,
         } => {
             let pin_string;
-            let pin = if authenticator.pin {
+            let pin = if authenticator.pin && may_require_pin()? {
-                pin_string = read_pin(authenticator)?;
+                pin_string = read_pin()?;
                 Some(pin_string.as_ref())
             } else {
                 None
@@ -102,26 +191,44 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             authenticator,
             credentials,
             secret,
+            device,
         } => {
-            let pin_string;
+            let (pin, salt) =
-            let pin = if authenticator.pin {
+                get_input(&secret, &authenticator, args.interactive, "Password", false)?;
-                pin_string = read_pin(authenticator)?;
+            let credentials = if let Some(path) = device {
-                Some(pin_string.as_ref())
+                let mut dev = LuksDevice::load(path)?;
+                let luks2 = dev.is_luks2()?;
+                log(&|| format!("luks2 supported: {}", luks2));
+                extend_creds_device(
+                    credentials
+                        .ids
+                        .clone()
+                        .map(|cs| cs.0)
+                        .unwrap_or_default()
+                        .as_slice(),
+                    &mut dev,
+                )?
             } else {
-                None
+                credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
             };
-            let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
+            log(&|| {
-                util::read_password_hashed("Password", false)
+                format!(
-            } else {
+                    "credentials: {}",
-                secret.salt.obtain_sha256(&secret.password_helper)
+                    credentials
-            }?;
+                        .iter()
+                        .map(ToString::to_string)
+                        .collect::<Vec<_>>()
+                        .join(", ")
+                )
+            });
             prompt_interaction(interactive);
-            let (secret, _cred) = derive_secret(
+            let (secret, cred) = derive_secret(
-                credentials.ids.0.as_slice(),
+                &credentials,
                 &salt,
                 authenticator.await_time,
-                pin,
+                pin.as_deref(),
             )?;
+            log(&|| format!("credential used: {}", hex::encode(&cred.id)));
             if *binary {
                 stdout.write_all(&secret[..])?;
             } else {
@@ -136,7 +243,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             secret,
             luks_mod,
             existing_secret: other_secret,
-            token,
             ..
         }
         | Command::ReplaceKey {
@@ -146,21 +252,41 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             secret,
             luks_mod,
             replacement: other_secret,
-            token,
             ..
         } => {
-            let pin = if authenticator.pin {
+            let mut luks_dev = LuksDevice::load(&luks.device)?;
-                Some(read_pin(authenticator)?)
+
+            let luks2 = luks_dev.is_luks2()?;
+
+            log(&|| format!("luks2 supported: {}", luks2));
+
+            let credentials = if !luks.disable_token && luks2 {
+                extend_creds_device(
+                    credentials
+                        .ids
+                        .clone()
+                        .map(|cs| cs.0)
+                        .unwrap_or_default()
+                        .as_slice(),
+                    &mut luks_dev,
+                )?
             } else {
-                None
+                credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
             };
-            let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
+            log(&|| {
-                if interactive || secret.password_helper == PasswordHelper::Stdin {
+                format!(
-                    util::read_password_hashed(q, verify)
+                    "credentials: {}",
-                } else {
+                    credentials
-                    secret.salt.obtain_sha256(&secret.password_helper)
+                        .iter()
-                }
+                        .map(ToString::to_string)
+                        .collect::<Vec<_>>()
+                        .join(", ")
+                )
+            });
+            let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
+                get_input(&secret, &authenticator, args.interactive, q, verify)
             };
+
             let other_secret = |salt_q: &str,
                                 verify: bool|
              -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
@@ -172,41 +298,69 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     OtherSecret {
                         fido_device: true, ..
                     } => {
+                        let (pin, salt) = inputs(salt_q, verify)?;
                         prompt_interaction(interactive);
                         Ok(derive_secret(
-                            &credentials.ids.0,
+                            &credentials,
-                            &salt(salt_q, verify)?,
+                            &salt,
                             authenticator.await_time,
                             pin.as_deref(),
                         )
                         .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
                     }
                     _ => Ok((
-                        util::read_password(salt_q, verify)?.as_bytes().to_vec(),
+                        util::read_password_tty(salt_q, verify)?.as_bytes().to_vec(),
                         None,
                     )),
                 }
             };
-            let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+            let secret = |q: &str,
+                          verify: bool,
+                          credentials: &[HexEncoded]|
+             -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+                let (pin, salt) = inputs(q, verify)?;
                 prompt_interaction(interactive);
-                derive_secret(
+                derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
-                    &credentials.ids.0,
-                    &salt(q, verify)?,
-                    authenticator.await_time,
-                    pin.as_deref(),
-                )
             };
-            let mut luks_dev = LuksDevice::load(&luks.device)?;
             // Non overlap
             match &args.command {
-                Command::AddKey { exclusive, .. } => {
+                Command::AddKey {
+                    exclusive,
+                    generate_credential,
+                    ..
+                } => {
                     let (existing_secret, _) = other_secret("Current password", false)?;
-                    let (new_secret, cred) = secret("Password to be added", true)?;
+                    let (new_secret, cred) = if *generate_credential && luks2 {
+                        let cred = make_credential_id(
+                            Some(derive_credential_name(luks.device.as_path()).as_str()),
+                            (if authenticator.pin && may_require_pin()? {
+                                //TODO: not ideal since it ignores pin-prefixed
+                                Some(read_pin()?)
+                            } else {
+                                None
+                            })
+                            .as_deref(),
+                        )?;
+                        log(&|| {
+                            format!(
+                                "generated credential: {}\ncredential username: {:?}",
+                                hex::encode(&cred.id),
+                                derive_credential_name(luks.device.as_path())
+                            )
+                        });
+                        let creds = vec![HexEncoded(cred.id)];
+                        secret("Password to be added", true, &creds)
+                    } else {
+                        secret("Password to be added", true, &credentials)
+                    }?;
+                    log(&|| format!("credential used: {}", hex::encode(&cred.id)));
                     let added_slot = luks_dev.add_key(
                         &new_secret,
                         &existing_secret[..],
                         luks_mod.kdf_time.or(Some(10)),
-                        Some(&cred.id[..]).filter(|_| *token),
+                        Some(&cred.id[..])
+                            .filter(|_| !luks.disable_token || *generate_credential)
+                            .filter(|_| luks2),
                     )?;
                     if *exclusive {
                         let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
@@ -225,24 +379,42 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     }
                     Ok(())
                 }
-                Command::ReplaceKey { add_password, .. } => {
+                Command::ReplaceKey {
-                    let (existing_secret, _) = secret("Current password", false)?;
+                    add_password,
+                    remove_cred,
+                    ..
+                } => {
+                    let (existing_secret, _prev_cred) =
+                        secret("Current password", false, &credentials)?;
                     let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                     let slot = if *add_password {
                         luks_dev.add_key(
                             &replacement_secret[..],
                             &existing_secret,
                             luks_mod.kdf_time,
-                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
+                            cred.as_ref()
+                                .filter(|_| !luks.disable_token)
+                                .filter(|_| luks2)
+                                .map(|cred| &cred.id[..]),
                         )
                     } else {
-                        luks_dev.replace_key(
+                        let slot = luks_dev.replace_key(
                             &replacement_secret[..],
                             &existing_secret,
                             luks_mod.kdf_time,
-                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
+                            cred.as_ref()
-                        )
+                                .filter(|_| !luks.disable_token)
+                                .filter(|_| luks2)
+                                .map(|cred| &cred.id[..]),
+                        )?;
+                        if *remove_cred && cred.is_none() {
+                            luks_dev.remove_token_slot(slot)?;
+                        }
+                        Ok(slot)
                     }?;
+                    if let Some(cred) = cred {
+                        log(&|| format!("credential used: {}", hex::encode(&cred.id)));
+                    }
                     println!(
                         "Added to password to device {}, slot: {}",
                         luks.device.display(),
@@ -258,63 +430,71 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             authenticator,
             secret,
             name,
+            credentials,
             retries,
-            ..
+            dry_run,
-        }
-        | Command::OpenToken {
-            luks,
-            authenticator,
-            secret,
-            name,
-            retries,
         } => {
-            let pin_string;
+            let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
-            let pin = if authenticator.pin {
+                get_input(&secret, &authenticator, args.interactive, q, verify)
-                pin_string = read_pin(authenticator)?;
-                Some(pin_string.as_ref())
-            } else {
-                None
-            };
-            let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
-                if interactive || secret.password_helper == PasswordHelper::Stdin {
-                    util::read_password_hashed(q, verify)
-                } else {
-                    secret.salt.obtain_sha256(&secret.password_helper)
-                }
             };
 
             // Cow shouldn't be necessary
             let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
+                let (pin, salt) = inputs("Password", false)?;
                 prompt_interaction(interactive);
                 derive_secret(
                     credentials.as_ref(),
-                    &salt("Password", false)?,
+                    &salt,
                     authenticator.await_time,
-                    pin,
+                    pin.as_deref(),
                 )
             };
 
             let mut retries = *retries;
             let mut luks_dev = LuksDevice::load(&luks.device)?;
+            let luks2 = luks_dev.is_luks2()?;
+            log(&|| format!("luks2 supported: {}", luks2));
             loop {
-                let secret = match &args.command {
+                let slot = if let Some(ref credentials) = credentials.ids {
-                    Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
+                    log(&|| {
-                        .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
+                        format!(
-                    Command::OpenToken { .. } => luks_dev.activate_token(
+                            "credentials: {}",
+                            credentials
+                                .0
+                                .iter()
+                                .map(ToString::to_string)
+                                .collect::<Vec<_>>()
+                                .join(", ")
+                        )
+                    });
+                    secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
+                        log(&|| format!("credential used: {}", hex::encode(&cred.id)));
+                        luks_dev.activate(&name, &secret, luks.slot, *dry_run)
+                    })
+                } else if luks2 && !luks.disable_token {
+                    luks_dev.activate_token(
                         &name,
                         Box::new(|credentials: Vec<String>| {
+                            log(&|| format!("credentials: {}", credentials.join(", ")));
                             let creds = credentials
                                 .into_iter()
                                 .flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
                                 .collect::<Vec<_>>();
-                            secret(Cow::Owned(creds))
+                            secret(Cow::Owned(creds)).map(|(secret, cred)| {
-                                .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
+                                log(&|| format!("credential used: {}", hex::encode(&cred.id)));
+                                (secret, hex::encode(&cred.id))
+                            })
                         }),
                         luks.slot,
-                    ),
+                        *dry_run,
-                    _ => unreachable!(),
+                    )
+                } else if luks_dev.is_luks2()? && luks.disable_token {
+                    // disable-token is mostly cosmetic in this instance
+                    return Err(Fido2LuksError::InsufficientCredentials);
+                } else {
+                    return Err(Fido2LuksError::WrongSecret);
                 };
-                match secret {
+                match slot {
                     Err(e) => {
                         match e {
                             Fido2LuksError::WrongSecret if retries > 0 => {}
@@ -322,11 +502,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                                 if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
 
                             e => return Err(e),
-                        }
+                        };
                         retries -= 1;
                         eprintln!("{}", e);
                     }
-                    res => break res.map(|_| ()),
+                    Ok(slot) => {
+                        log(&|| format!("keyslot: {}", slot));
+                        break Ok(());
+                    }
                 }
             }
         }
@@ -396,7 +579,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     }
                 }
                 let count = if tokens.is_empty() {
-                    dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
+                    dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?;
                     1
                 } else {
                     tokens.len()
@@ -404,7 +587,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                 for (id, mut token) in tokens {
                     token
                         .credential
-                        .extend(credentials.ids.0.iter().map(|h| h.to_string()));
+                        .extend(credentials.0.iter().map(|h| h.to_string()));
                     dev.update_token(id, &token)?;
                 }
                 println!("Updated {} tokens", count);
@@ -432,7 +615,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     token.credential = token
                         .credential
                         .into_iter()
-                        .filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
+                        .filter(|cred| !credentials.0.iter().any(|h| &h.to_string() == cred))
                         .collect();
                     dev.update_token(id, &token)?;
                 }
@@ -462,16 +645,64 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             }
         },
         Command::GenerateCompletions { shell, out_dir } => {
+            // zsh won't work atm https://github.com/clap-rs/clap/issues/1822
+            if let Some(s) = shell {
+                if s.as_str() == "zsh" {
+                    unimplemented!("zsh completions are broken atm: see https://github.com/clap-rs/clap/issues/1822")
+                }
+            }
+            for variant in Shell::variants().iter().filter(|v| *v != &"zsh") {
+                if let Some(s) = shell {
+                    if *variant != s.as_str() {
+                        break;
+                    }
+                }
                 Args::clap().gen_completions(
                     env!("CARGO_PKG_NAME"),
-                match shell.as_ref() {
+                    Shell::from_str(variant)
-                    "bash" => Shell::Bash,
+                        .expect("structopt shouldn't allow us to reach this point"),
-                    "fish" => Shell::Fish,
-                    _ => unreachable!("structopt shouldn't allow us to reach this point"),
-                },
                     &out_dir,
                 );
+            }
             Ok(())
         }
     }
 }
+
+#[cfg(test)]
+mod test {
+
+    use super::*;
+
+    #[test]
+    fn test_read_password_pin_prefixed() {
+        // 1234:test -> PIN: 1234, password: test
+        assert_eq!(
+            read_password_pin_prefixed(|| Ok("1234:test".into())).unwrap(),
+            (Some("1234".to_string()), util::sha256(&["test".as_bytes()]))
+        );
+        // :test -> PIN: None, password: test
+        assert_eq!(
+            read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
+            (None, util::sha256(&["test".as_bytes()]))
+        );
+        // 1234::test -> PIN: 1234, password: :test
+        assert_eq!(
+            read_password_pin_prefixed(|| Ok("1234::test".into())).unwrap(),
+            (
+                Some("1234".to_string()),
+                util::sha256(&[":test".as_bytes()])
+            )
+        );
+        // 1234 -> PIN: 1234, password: empty
+        assert_eq!(
+            read_password_pin_prefixed(|| Ok("1234".into())).unwrap(),
+            (Some("1234".to_string()), util::sha256(&["".as_bytes()]))
+        );
+        // 1234:test -> PIN: None, password: test
+        assert_eq!(
+            read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
+            (None, util::sha256(&["test".as_bytes()]))
+        );
+    }
+}

src/cli_args/config.rs

@@ -7,6 +7,7 @@ use std::fs::File;
 use std::io::Read;
 use std::path::PathBuf;
 use std::process::Command;
+use std::process::Stdio;
 use std::str::FromStr;
 
 #[derive(Debug, Clone, PartialEq)]
@@ -55,11 +56,17 @@ impl fmt::Display for SecretInput {
 }
 
 impl SecretInput {
-    pub fn obtain_string(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<String> {
+    pub fn obtain_string(
+        &self,
+        password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
+    ) -> Fido2LuksResult<String> {
         Ok(String::from_utf8(self.obtain(password_helper)?)?)
     }
 
-    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<Vec<u8>> {
+    pub fn obtain(
+        &self,
+        password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
+    ) -> Fido2LuksResult<Vec<u8>> {
         let mut secret = Vec::new();
         match self {
             SecretInput::File { path } => {
@@ -67,16 +74,22 @@ impl SecretInput {
                 let mut do_io = || File::open(path)?.read_to_end(&mut secret);
                 do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
             }
-            SecretInput::AskPassword => {
+            SecretInput::AskPassword => secret.extend_from_slice(
-                secret.extend_from_slice(password_helper.obtain()?.as_bytes())
+                password_helper.ok_or_else(|| Fido2LuksError::AskPassError {
-            }
+                    cause: AskPassError::FailedHelper,
+                })?()?
+                .as_bytes(),
+            ),
 
             SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
         }
         Ok(secret)
     }
 
-    pub fn obtain_sha256(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
+    pub fn obtain_sha256(
+        &self,
+        password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
+    ) -> Fido2LuksResult<[u8; 32]> {
         let mut digest = digest::Context::new(&digest::SHA256);
         match self {
             SecretInput::File { path } => {
@@ -151,11 +164,13 @@ impl PasswordHelper {
         use PasswordHelper::*;
         match self {
             Systemd => unimplemented!(),
-            Stdin => Ok(util::read_password("Password", true)?),
+            Stdin => Ok(util::read_password("Password", true, false)?),
             Script(password_helper) => {
                 let password = Command::new("sh")
                     .arg("-c")
                     .arg(&password_helper)
+                    .stdin(Stdio::inherit())
+                    .stderr(Stdio::inherit())
                     .output()
                     .map_err(|e| Fido2LuksError::AskPassError {
                         cause: error::AskPassError::IO(e),
@@ -198,7 +213,7 @@ mod test {
     fn input_salt_obtain() {
         assert_eq!(
             SecretInput::String("abc".into())
-                .obtain_sha256(&PasswordHelper::Stdin)
+                .obtain_sha256(Some(|| Ok("123456".to_string())))
                 .unwrap(),
             [
                 186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

src/cli_args/mod.rs

@@ -1,7 +1,8 @@
 use std::fmt::{Display, Error, Formatter};
+use std::hash::{Hash, Hasher};
 use std::path::PathBuf;
 use std::str::FromStr;
-use structopt::clap::AppSettings;
+use structopt::clap::{AppSettings, Shell};
 use structopt::StructOpt;
 
 mod config;
@@ -31,6 +32,12 @@ impl FromStr for HexEncoded {
     }
 }
 
+impl Hash for HexEncoded {
+    fn hash<H: Hasher>(&self, state: &mut H) {
+        self.0.hash(state)
+    }
+}
+
 #[derive(Debug, Eq, PartialEq, Clone)]
 pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
 
@@ -58,19 +65,24 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
 #[derive(Debug, StructOpt)]
 pub struct Credentials {
     /// FIDO credential ids, separated by ',' generate using fido2luks credential
-    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
+    #[structopt(
-    pub ids: CommaSeparated<HexEncoded>,
+        name = "credential-ids",
+        env = "FIDO2LUKS_CREDENTIAL_ID",
+        short = "c",
+        long = "creds"
+    )]
+    pub ids: Option<CommaSeparated<HexEncoded>>,
 }
 
 #[derive(Debug, StructOpt)]
 pub struct AuthenticatorParameters {
-    /// Request a PIN to unlock the authenticator
+    /// Request a PIN to unlock the authenticator if required
     #[structopt(short = "P", long = "pin")]
     pub pin: bool,
 
-    /// Location to read PIN from
+    /// Request PIN and password combined `pin:password` when using an password helper
-    #[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
+    #[structopt(long = "pin-prefixed")]
-    pub pin_source: Option<PathBuf>,
+    pub pin_prefixed: bool,
 
     /// Await for an authenticator to be connected, timeout after n seconds
     #[structopt(
@@ -90,13 +102,20 @@ pub struct LuksParameters {
     /// Try to unlock the device using a specifc keyslot, ignore all other slots
     #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
     pub slot: Option<u32>,
+
+    /// Disable implicit use of LUKS2 tokens
+    #[structopt(
+        long = "disable-token",
+    //  env = "FIDO2LUKS_DISABLE_TOKEN" // unfortunately clap will convert flags into args if they have an env attribute
+    )]
+    pub disable_token: bool,
 }
 
 #[derive(Debug, StructOpt, Clone)]
 pub struct LuksModParameters {
     /// Number of milliseconds required to derive the volume decryption key
     /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
-    #[structopt(long = "kdf-time", name = "kdf-time")]
+    #[structopt(long = "kdf-time", name = "kdf-time", env = "FIDO2LUKS_KDF_TIME")]
     pub kdf_time: Option<u64>,
 }
 
@@ -119,15 +138,17 @@ pub struct SecretParameters {
     #[structopt(
         name = "password-helper",
         env = "FIDO2LUKS_PASSWORD_HELPER",
-        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+        long = "password-helper"
     )]
-    pub password_helper: PasswordHelper,
+    pub password_helper: Option<PasswordHelper>,
 }
 #[derive(Debug, StructOpt)]
 pub struct Args {
     /// Request passwords via Stdin instead of using the password helper
     #[structopt(short = "i", long = "interactive")]
     pub interactive: bool,
+    #[structopt(short = "v", long = "verbose")]
+    pub verbose: bool,
     #[structopt(subcommand)]
     pub command: Command,
 }
@@ -138,7 +159,7 @@ pub struct OtherSecret {
     #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
     pub keyfile: Option<PathBuf>,
     /// Use another fido device instead of a password
-    /// Note: this requires for the credential fot the other device to be passed as argument as well
+    /// Note: this requires for the credential for the other device to be passed as argument as well
     #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
     pub fido_device: bool,
 }
@@ -147,8 +168,9 @@ pub struct OtherSecret {
 pub enum Command {
     #[structopt(name = "print-secret")]
     PrintSecret {
+        // version 0.3.0 will store use the lower case ascii encoded hex string making binary output unnecessary
         /// Prints the secret as binary instead of hex encoded
-        #[structopt(short = "b", long = "bin")]
+        #[structopt(hidden = true, short = "b", long = "bin")]
         binary: bool,
         #[structopt(flatten)]
         credentials: Credentials,
@@ -156,6 +178,9 @@ pub enum Command {
         authenticator: AuthenticatorParameters,
         #[structopt(flatten)]
         secret: SecretParameters,
+        /// Load credentials from LUKS header
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: Option<PathBuf>,
     },
     /// Adds a generated key to the specified LUKS device
     #[structopt(name = "add-key")]
@@ -171,9 +196,9 @@ pub enum Command {
         /// Will wipe all other keys
         #[structopt(short = "e", long = "exclusive")]
         exclusive: bool,
-        /// Will add an token to your LUKS 2 header, including the credential id
+        /// Will generate an credential while adding a new key to this LUKS device if supported
-        #[structopt(short = "t", long = "token")]
+        #[structopt(short = "g", long = "gen-cred")]
-        token: bool,
+        generate_credential: bool,
         #[structopt(flatten)]
         existing_secret: OtherSecret,
         #[structopt(flatten)]
@@ -193,16 +218,16 @@ pub enum Command {
         /// Add the password and keep the key
         #[structopt(short = "a", long = "add-password")]
         add_password: bool,
-        /// Will add an token to your LUKS 2 header, including the credential id
+        /// Remove the affected credential from LUKS header
-        #[structopt(short = "t", long = "token")]
+        #[structopt(short = "r", long = "remove-cred")]
-        token: bool,
+        remove_cred: bool,
         #[structopt(flatten)]
         replacement: OtherSecret,
         #[structopt(flatten)]
         luks_mod: LuksModParameters,
     },
     /// Open the LUKS device
-    #[structopt(name = "open")]
+    #[structopt(name = "open", alias = "open-token")]
     Open {
         #[structopt(flatten)]
         luks: LuksParameters,
@@ -216,20 +241,9 @@ pub enum Command {
         secret: SecretParameters,
         #[structopt(short = "r", long = "max-retries", default_value = "0")]
         retries: i32,
-    },
+        /// Perform the whole procedure without mounting the LUKS volume on success
-    /// Open the LUKS device using credentials embedded in the LUKS 2 header
+        #[structopt(long = "dry-run")]
-    #[structopt(name = "open-token")]
+        dry_run: bool,
-    OpenToken {
-        #[structopt(flatten)]
-        luks: LuksParameters,
-        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
-        name: String,
-        #[structopt(flatten)]
-        authenticator: AuthenticatorParameters,
-        #[structopt(flatten)]
-        secret: SecretParameters,
-        #[structopt(short = "r", long = "max-retries", default_value = "0")]
-        retries: i32,
     },
     /// Generate a new FIDO credential
     #[structopt(name = "credential")]
@@ -245,11 +259,12 @@ pub enum Command {
     Connected,
     Token(TokenCommand),
     /// Generate bash completion scripts
+    /// Example: fido2luks completions --shell bash /usr/share/bash-completion/completions
     #[structopt(name = "completions", setting = AppSettings::Hidden)]
     GenerateCompletions {
-        /// Shell to generate completions for: bash, fish
+        /// Shell to generate completions for
-        #[structopt(possible_values = &["bash", "fish"])]
+        #[structopt(short = "s", long = "shell",possible_values = &Shell::variants()[..])]
-        shell: String,
+        shell: Option<String>,
         out_dir: PathBuf,
     },
 }
@@ -269,8 +284,14 @@ pub enum TokenCommand {
     Add {
         #[structopt(env = "FIDO2LUKS_DEVICE")]
         device: PathBuf,
-        #[structopt(flatten)]
+        /// FIDO credential ids, separated by ',' generate using fido2luks credential
-        credentials: Credentials,
+        #[structopt(
+            name = "credential-ids",
+            env = "FIDO2LUKS_CREDENTIAL_ID",
+            short = "c",
+            long = "creds"
+        )]
+        credentials: CommaSeparated<HexEncoded>,
         /// Slot to which the credentials will be added
         #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
         slot: u32,
@@ -279,8 +300,14 @@ pub enum TokenCommand {
     Remove {
         #[structopt(env = "FIDO2LUKS_DEVICE")]
         device: PathBuf,
-        #[structopt(flatten)]
+        /// FIDO credential ids, separated by ',' generate using fido2luks credential
-        credentials: Credentials,
+        #[structopt(
+            name = "credential-ids",
+            env = "FIDO2LUKS_CREDENTIAL_ID",
+            short = "c",
+            long = "creds"
+        )]
+        credentials: CommaSeparated<HexEncoded>,
         /// Token from which the credentials will be removed
         #[structopt(long = "token")]
         token_id: Option<u32>,

src/device.rs

@@ -19,7 +19,7 @@ pub fn make_credential_id(
     }
     let request = request.build().unwrap();
     let make_credential = |device: &mut FidoDevice| {
-        if let Some(pin) = pin {
+        if let Some(pin) = pin.filter(|_| device.needs_pin()) {
             device.unlock(pin)?;
         }
         device.make_hmac_credential(&request)
@@ -44,7 +44,7 @@ pub fn perform_challenge<'a>(
         .build()
         .unwrap();
     let get_assertion = |device: &mut FidoDevice| {
-        if let Some(pin) = pin {
+        if let Some(pin) = pin.filter(|_| device.needs_pin()) {
             device.unlock(pin)?;
         }
         device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
@@ -58,6 +58,17 @@ pub fn perform_challenge<'a>(
     Ok((secret, credential))
 }
 
+pub fn may_require_pin() -> Fido2LuksResult<bool> {
+    for di in ctap::get_devices()? {
+        if let Ok(dev) = FidoDevice::new(&di) {
+            if dev.needs_pin() {
+                return Ok(true);
+            }
+        }
+    }
+    Ok(false)
+}
+
 pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
     let mut devices = Vec::with_capacity(2);
     for di in ctap::get_devices()? {

src/error.rs

@@ -29,6 +29,10 @@ pub enum Fido2LuksError {
     WrongSecret,
     #[fail(display = "not an utf8 string")]
     StringEncodingError { cause: FromUtf8Error },
+    #[fail(display = "not an hex string: {}", string)]
+    HexEncodingError { string: String },
+    #[fail(display = "couldn't obtain at least one credential")]
+    InsufficientCredentials,
 }
 
 impl Fido2LuksError {
@@ -50,6 +54,8 @@ pub enum AskPassError {
     IO(io::Error),
     #[fail(display = "provided passwords don't match")]
     Mismatch,
+    #[fail(display = "failed to call password helper")]
+    FailedHelper,
 }
 
 #[derive(Debug, Fail)]

src/luks.rs

@@ -111,6 +111,20 @@ impl LuksDevice {
         Ok(())
     }
 
+    pub fn remove_token_slot(&mut self, slot: u32) -> Fido2LuksResult<()> {
+        let mut remove = HashSet::new();
+        for token in self.tokens()? {
+            let (id, token) = token?;
+            if token.keyslots.contains(&slot.to_string()) {
+                remove.insert(id);
+            }
+        }
+        for rm in remove {
+            self.remove_token(rm)?;
+        }
+        Ok(())
+    }
+
     pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
         self.require_luks2()?;
         self.device
@@ -192,7 +206,9 @@ impl LuksDevice {
             old_secret,
             CryptActivateFlags::empty(),
         )?;
-        self.device.keyslot_handle().change_by_passphrase(
+
+        // slot should stay the same but better be safe than sorry
+        let slot = self.device.keyslot_handle().change_by_passphrase(
             Some(slot),
             Some(slot),
             old_secret,
@@ -221,10 +237,16 @@ impl LuksDevice {
         name: &str,
         secret: &[u8],
         slot_hint: Option<u32>,
+        dry_run: bool,
     ) -> Fido2LuksResult<u32> {
         self.device
             .activate_handle()
-            .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
+            .activate_by_passphrase(
+                Some(name).filter(|_| !dry_run),
+                slot_hint,
+                secret,
+                CryptActivateFlags::empty(),
+            )
             .map_err(LuksError::activate)
     }
 
@@ -233,6 +255,7 @@ impl LuksDevice {
         name: &str,
         secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
         slot_hint: Option<u32>,
+        dry_run: bool,
     ) -> Fido2LuksResult<u32> {
         if !self.is_luks2()? {
             return Err(LuksError::Luks2Required.into());
@@ -276,7 +299,7 @@ impl LuksDevice {
                 .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
         );
         for slot in slots {
-            match self.activate(name, &secret, slot) {
+            match self.activate(name, &secret, slot, dry_run) {
                 Err(Fido2LuksError::WrongSecret) => (),
                 res => return res,
             }

src/util.rs

@@ -13,9 +13,17 @@ pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
     secret.as_mut().copy_from_slice(digest.finish().as_ref());
     secret
 }
-
+pub fn read_password_tty(q: &str, verify: bool) -> Fido2LuksResult<String> {
-pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
+    read_password(q, verify, true)
-    match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
+}
+pub fn read_password(q: &str, verify: bool, tty: bool) -> Fido2LuksResult<String> {
+    let res = if tty {
+        rpassword::read_password_from_tty(Some(&[q, ": "].join("")))
+    } else {
+        print!("{}: ", q);
+        rpassword::read_password()
+    }?;
+    match res {
         ref pass
             if verify
                 && &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
@@ -29,10 +37,6 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
     }
 }
 
-pub fn read_password_hashed(q: &str, verify: bool) -> Fido2LuksResult<[u8; 32]> {
-    read_password(q, verify).map(|pass| sha256(&[pass.as_bytes()]))
-}
-
 pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
     let mut file = File::open(path.into())?;
     let mut key = Vec::new();