add flag to print credentials as csv

.drone.yml

@@ -3,32 +3,32 @@ name: default
 
 steps:
  - name: fmt
-   image: rust:1.43.0
+   image: rust:1.37.0
    commands:
      -  rustup component add rustfmt
      -  cargo fmt --all -- --check
- - name: readme
-   image: msrd0/cargo-readme@sha256:2b916451e576cda54f1e02703fa092b9d5af95bcf48426a1ef42872a19467fd3
-   commands:
-     - cargo readme > ~README.md
-     - cmp -s README.md ~README.md || (printf "README.md need to be updated:\n"; cat ~README.md; exit 1)
  - name: test
-   image: rust:1.43.0
+   image: rust:1.37.0
    commands:
-    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
+    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
-    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
     - cargo test
- - name: publish
+
-   image: rust:1.43.0
+ - name: build
-   environment:
+   image: rust:1.37.0
-    CARGO_REGISTRY_TOKEN:
-     from_secret: cargo_tkn
    commands:
-    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
+    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
-    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
+    - cargo install -f --path . --root .
-    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
+   when:
-    - cargo package --all-features
+    event: tag
-    - cargo publish --all-features
+ - name: publish
+   image: plugins/github-release
+   settings:
+     api_key:
+      from_secret: github_release
+     files:
+      - bin/fido2luks
+     checksum:
+      - md5
+      - sha256
    when:
     event: tag    
-   depends_on: ["fmt", "test", "readme"]

Cargo.toml

@@ -11,7 +11,7 @@ repository = "https://github.com/shimunn/fido2luks"
 readme = "README.md"
 keywords = ["luks", "fido2", "u2f"]
 categories = ["command-line-utilities"]
-license = "MPL 2.0"
+license-file = "LICENSE"
 
 [dependencies]
 ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -31,14 +31,3 @@ opt-level = 'z'
 panic = 'abort'
 incremental = false
 overflow-checks = false
-
-[package.metadata.deb]
-depends = "$auto, cryptsetup"
-build-depends = "libclang-dev, libcryptsetup-dev"
-extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
-assets = [
-    ["target/release/fido2luks", "usr/bin/", "755"],
-    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
-    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
-    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
-]

README.md

@@ -1,75 +1,86 @@
-[![Crates.io](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
+# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
-# fido2luks
 
 This will allow you to unlock your luks encrypted disk with an fido2 compatible key
 
-Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
 
-### Setup
+## Setup
 
-#### Prerequisites
+### Prerequisites
 
-```rust
+```
 dnf install clang cargo cryptsetup-devel -y
 ```
 
-#### Device
+### Device
 
-```rust
+```
 git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
 
+# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
 sudo -E cargo install -f --path . --root /usr
 
+# Copy template
 cp dracut/96luks-2fa/fido2luks.conf /etc/
+# Name is optional but useful if your authenticator has a display
 echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
 
+# Load config into env
 set -a
 . /etc/fido2luks.conf
 
+# Repeat for each luks volume
+# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
+# enabling you to use `fido2luks open-token` without passing a credential as parameter
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 
+# Test(only works if the luks container isn't active)
 sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
 
 ```
 
-#### Dracut
+### Dracut
 
-```rust
+```
 cd dracut
 
 sudo make install
 ```
 
-#### Grub
+### Grub
 
 Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 
 Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
 
-```rust
+```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 
 I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
 
-```rust
+```
 mkdir /boot/fido2luks/
 cp /usr/bin/fido2luks /boot/fido2luks/
 cp /etc/fido2luks.conf /boot/fido2luks/
 ```
 
-### Test
+## Test
 
 Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 
-```rust
+```
+# Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
+# There is no turning back if you mess this up, make sure you made a backup
+# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
+# which will enable you to use `fido2luks open-token` without passing a credential as parameter
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```
 
-### Addtional settings
+## Addtional settings
 
-#### Password less
+### Password less
 
 Remove your previous secret as described in the next section, in case you've already added one.
 
@@ -78,32 +89,21 @@ but be warned that this password will be included to into your initramfs.
 
 Import the new config into env:
 
-```rust
+```
 set -a
 . /etc/fido2luks.conf
 ```
 
 Then add the new secret to each device and update dracut afterwards `dracut -f`
 
-### Removal
+## Removal
 
 Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
 
-```rust
+```
 set -a
 . fido2luks.conf
 sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
-
-## License
-
-Licensed under the Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE) or https://www.mozilla.org/en-US/MPL/2.0/)
-
-### Contribution
-
-Unless you explicitly state otherwise, any contribution intentionally
-submitted for inclusion in the work by you, as defined in the MPL 2.0
-license, shall be dual licensed as above, without any additional terms or
-conditions.

README.tpl

@@ -1,15 +0,0 @@
-[![Crates.io](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
-# {{crate}}
-
-{{readme}}
-
-## License
-
-Licensed under the Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE) or https://www.mozilla.org/en-US/MPL/2.0/)
-
-### Contribution
-
-Unless you explicitly state otherwise, any contribution intentionally
-submitted for inclusion in the work by you, as defined in the MPL 2.0
-license, shall be dual licensed as above, without any additional terms or
-conditions.

initramfs-tools/Makefile

@@ -1,11 +0,0 @@
-.PHONY: install
-install:
-	chmod +x hook/fido2luks.sh keyscript.sh
-	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
-	mkdir -p /usr/share/fido2luks
-	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
-	update-initramfs -u
-remove:
-	sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
-	rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
-	update-initramfs -u

initramfs-tools/README.md

@@ -1,13 +0,0 @@
-## Initramfs-tools based systems(Ubuntu and derivatives)
-
-After installation generate your credentials and add keys to your disk as described in the top-level README
-then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
-
-Example:
-```
-sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
-```
-
-But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
-
-[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)

initramfs-tools/fido2luks.conf

@@ -1,3 +0,0 @@
-FIDO2LUKS_SALT=Ask
-#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
-FIDO2LUKS_CREDENTIAL_ID=

initramfs-tools/hook/fido2luks.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-case "$1" in
-prereqs)
-	echo ""
-	exit 0
-	;;
-
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
-copy_exec /usr/bin/fido2luks
-exit 0

initramfs-tools/keyscript.sh

@@ -1,9 +0,0 @@
-#!/bin/sh
-set -a
-. /etc/fido2luks.conf
-
-if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
-	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt 'FIDO2 password salt for $CRYPTTAB_NAME'"
-fi
-
-fido2luks print-secret --bin

src/cli.rs

@@ -1,54 +1,3 @@
-//! ## Command line interface
-//! ### Generating a credential
-//! Credentials can be generated by using `fido2luks credential`
-//! this command will take an optional string as username your authenticator might be able to display
-//!
-//! `fido2luks credential 'My 2FA protected disk'`
-//!
-//! It is advisable to repeat this step and the next step for more than one authenticator, as backup
-//! ### Securing a disk
-//! To utilise the previously generated credential you simply run
-//!
-//! `fido2luks -i add-key <device> [<credential>,..]`
-//!
-//! You can also use `fido2luks -i add-key --exclusive <device> [<credential>,..]`
-//!
-//! which will add a new key and then remove ALL other keys.
-//! This command supports a fair amount of options for instance `--keyfile` which will allow you to
-//! add an authenticator to the `<device>`
-//!
-//! `-f` will utilise an previously added fido protected key to add another one
-//!
-//! `--token` will store the credential within the LUKS header, making it easily accessible even if
-//! you're unable to boot your system.
-//!
-//!
-//! `fido2luks -i replace-key <device> [<credential>,..]`
-//! works in a similar fashion but instead of adding a new key it'll update an existing one
-//!
-//!
-//! ### Unlocking a disk
-//! To open an LUKS container using your authenticator you simply run
-//!
-//! `fido2luks -i open <device> <name> [<credential>,..]`
-//!
-//! if successful your LUKS container will be accessible under `/dev/mapper/<name>`
-//! To avoid having to specify your credentials you may want to to use
-//!
-//! `fido2luks -i open-token <device> <name>`
-//!
-//! which should even be faster since it allows for the credential to be matched to the right keyslot
-//!
-//!
-//! ### Common options
-//!
-//! `--salt` Determines what data will be provided to the authenticator in order to derive the secret, the default being `ask` which will prompt the user for an password.
-//! Alternatives being `file:<PATH>` where the specified file will be hashed and then used as input, the same goes for the `string:<STRING>` option which will behave in the same manner as the `ask` option.
-//!
-//! `--pin` Allows for a PIN to be passed to the authenticator if needed, it is however recommended not to use a PIN since the bootscript doesn't support this feature atm.
-//!
-//! `--help` Will provide context dependant help for each command
-
 use crate::error::*;
 use crate::*;
 

src/luks.rs

@@ -11,7 +11,7 @@ pub struct LuksDevice {
     device: CryptDevice,
     luks2: Option<bool>,
 }
-/// Wrapper around [CryptDevice](libcryptsetup_rs::CryptDevice)
+
 impl LuksDevice {
     pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
         let mut device = CryptInit::init(path.as_ref())?;
@@ -22,7 +22,6 @@ impl LuksDevice {
         })
     }
 
-    /// Check whether the device supports LUKS2
     pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
         if let Some(luks2) = self.luks2 {
             Ok(luks2)
@@ -35,7 +34,6 @@ impl LuksDevice {
         }
     }
 
-    /// Check whether the device supports LUKS2, return an appropriate error if it does not
     fn require_luks2(&mut self) -> Fido2LuksResult<()> {
         if !self.is_luks2()? {
             return Err(LuksError::Luks2Required.into());
@@ -43,7 +41,6 @@ impl LuksDevice {
         Ok(())
     }
 
-    /// Returns an iterator over all tokens, of type fido2luks
     pub fn tokens<'a>(
         &'a mut self,
     ) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
@@ -87,7 +84,6 @@ impl LuksDevice {
         ))
     }
 
-    /// Returns the first token with an reference to the specified keyslot
     pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
         let slot_str = slot.to_string();
         for token in self.tokens()? {
@@ -126,8 +122,6 @@ impl LuksDevice {
         Ok(())
     }
 
-    /// Add a new key `secret` using `old_secret` with the specified `iteration_time` in milliseconds
-    /// an LUKS2 token will be created if the device supports LUKS2 and a `credential_id` is provided
     pub fn add_key(
         &mut self,
         secret: &[u8],
@@ -181,8 +175,6 @@ impl LuksDevice {
         Ok(destroyed)
     }
 
-    /// Replaces an existing key with `secret` using `old_secret` with the specified `iteration_time` in milliseconds
-    /// an LUKS2 token will be created or updated if the device supports LUKS2 and a `credential_id` is provided
     pub fn replace_key(
         &mut self,
         secret: &[u8],
@@ -293,7 +285,6 @@ impl LuksDevice {
     }
 }
 
-/// Represents a LUKS2 token
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Fido2LuksToken {
     #[serde(rename = "type")]

src/main.rs

@@ -1,111 +1,3 @@
-//! This will allow you to unlock your luks encrypted disk with an fido2 compatible key
-//!
-//! Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
-//!
-//! ## Setup
-//!
-//! ### Prerequisites
-//!
-//! ```
-//! dnf install clang cargo cryptsetup-devel -y
-//! ```
-//!
-//! ### Device
-//!
-//! ```
-//! git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
-//!
-//! # Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
-//! sudo -E cargo install -f --path . --root /usr
-//!
-//! # Copy template
-//! cp dracut/96luks-2fa/fido2luks.conf /etc/
-//! # Name is optional but useful if your authenticator has a display
-//! echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
-//!
-//! # Load config into env
-//! set -a
-//! . /etc/fido2luks.conf
-//!
-//! # Repeat for each luks volume
-//! # You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
-//! # enabling you to use `fido2luks open-token` without passing a credential as parameter
-//! sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
-//!
-//! # Test(only works if the luks container isn't active)
-//! sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
-//!
-//! ```
-//!
-//! ### Dracut
-//!
-//! ```
-//! cd dracut
-//!
-//! sudo make install
-//! ```
-//!
-//! ### Grub
-//!
-//! Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
-//!
-//! Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
-//!
-//! ```
-//! grub2-mkconfig > /boot/grub2/grub.cfg
-//! ```
-//!
-//! I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
-//!
-//! ```
-//! mkdir /boot/fido2luks/
-//! cp /usr/bin/fido2luks /boot/fido2luks/
-//! cp /etc/fido2luks.conf /boot/fido2luks/
-//! ```
-//!
-//! ## Test
-//!
-//! Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
-//!
-//! ```
-//! # Recommend in case you lose your authenticator, store this backupfile somewhere safe
-//! cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
-//! # There is no turning back if you mess this up, make sure you made a backup
-//! # You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
-//! # which will enable you to use `fido2luks open-token` without passing a credential as parameter
-//! fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
-//! ```
-//!
-//! ## Addtional settings
-//!
-//! ### Password less
-//!
-//! Remove your previous secret as described in the next section, in case you've already added one.
-//!
-//! Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
-//! but be warned that this password will be included to into your initramfs.
-//!
-//! Import the new config into env:
-//!
-//! ```
-//! set -a
-//! . /etc/fido2luks.conf
-//! ```
-//!
-//! Then add the new secret to each device and update dracut afterwards `dracut -f`
-//!
-//! ## Removal
-//!
-//! Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
-//!
-//! ```
-//! set -a
-//! . fido2luks.conf
-//! sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
-//!
-//! sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
-//!```
-
 #[macro_use]
 extern crate failure;
 extern crate ctap_hmac as ctap;