shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:relicense
Branches Tags
shimun:master
shimun:0.3.0-alpha
shimun:ctap-hid-fido2
shimun:retry_pin
shimun:0.3.0
shimun:debVM
shimun:flake
shimun:password_promt
shimun:dracut
shimun:initcpio
shimun:pam_mod
shimun:setup
shimun:completions
shimun:pkgbuild
shimun:pin_source
shimun:relicense
shimun:deb
shimun:initramfs-tools
shimun:luks_refr
shimun:0.2.8
shimun:luks2_token
shimun:cli_reorg
shimun:request_multiple
shimun:luks2
shimun:cratesio
shimun:isalt
shimun:connected
shimun:keyutils
shimun:0.2.20
shimun:0.2.19
shimun:0.2.18
shimun:0.2.17
shimun:0.2.16
shimun:0.2.15
shimun:0.2.14
shimun:0.2.13
shimun:0.2.12
shimun:0.2.11
shimun:0.2.10
shimun:0.2.9
shimun:0.2.8
shimun:0.2.7
shimun:0.2.6
shimun:0.2.5
shimun:0.2.4
shimun:0.2.3
shimun:0.2.2
shimun:0.2.1
shimun:0.2.0
..
compare: shimun:master
Branches Tags
shimun:0.3.0-alpha
shimun:ctap-hid-fido2
shimun:retry_pin
shimun:master
shimun:0.3.0
shimun:debVM
shimun:flake
shimun:password_promt
shimun:dracut
shimun:initcpio
shimun:pam_mod
shimun:setup
shimun:completions
shimun:pkgbuild
shimun:pin_source
shimun:relicense
shimun:deb
shimun:initramfs-tools
shimun:luks_refr
shimun:0.2.8
shimun:luks2_token
shimun:cli_reorg
shimun:request_multiple
shimun:luks2
shimun:cratesio
shimun:isalt
shimun:connected
shimun:keyutils
shimun:0.2.20
shimun:0.2.19
shimun:0.2.18
shimun:0.2.17
shimun:0.2.16
shimun:0.2.15
shimun:0.2.14
shimun:0.2.13
shimun:0.2.12
shimun:0.2.11
shimun:0.2.10
shimun:0.2.9
shimun:0.2.8
shimun:0.2.7
shimun:0.2.6
shimun:0.2.5
shimun:0.2.4
shimun:0.2.3
shimun:0.2.2
shimun:0.2.1
shimun:0.2.0

36 Commits
relicense ... master

Author SHA1 Message Date
shimun
210da1ce0f
added --allow-discards flag 2021-12-28 13:35:34 +01:00
shimun
4509cacd6d
update deps 2021-12-28 13:32:29 +01:00
cbachert
67136f2405
Add Ubuntu fallback to passphrase, add defaults (#35) 
Co-authored-by: cbachert <1316659-cbachert@users.noreply.gitlab.com>
 2021-09-11 16:33:14 +02:00
shimun
b2e4950db5
update ctap_hmac 2021-07-26 18:46:10 +02:00
shimun
5496c4e61b
always set credential name 2021-07-14 15:47:23 +02:00
shimun
51fa26b7d5
bump version 2021-07-14 12:24:58 +02:00
Vyacheslav Konovalov
a3696962e8
Support for initcpio (#31) 
* Add initcpio hook and install script

* Make PIN optional

* Add README for initcpio

* Fix PKGBUILD, add install of initcpio

* Fix README for initcpio
 2021-07-14 12:23:32 +02:00
shimunn
7e6b33ae7f
Theory of operation (#30)
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-02-28 12:56:57 +01:00
shimun
b3495c45f3
add nix flake 2021-02-08 16:06:56 +01:00
shimunn
17ca487b85
Obvious password promt (#29) 
* obvious password promt

* prompt interaction with FIDO device
 2021-02-08 15:58:41 +01:00
shimun
b0404f2fc1
minimum YubiKey firmware version
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-11-17 13:05:45 +01:00
shimunn
de21e3ef8d
Merge pull request #21 from aacebedo/master 
Added an helper script to be used with pam_mount
 2020-11-01 21:18:13 +01:00
Alexandre ACEBEDO
8a7b3addbb Added an helper script to be used with pam_mount 2020-11-01 18:21:04 +01:00
shimun
e7e44cd61b
fix test
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-10-13 14:17:22 +02:00
shimun
0ec859f4a6
remove trailing newline from pin
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-25 12:40:34 +02:00
shimun
55bae4161e
add credentials situated in the luks header to credential list
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-19 18:23:21 +02:00
shimun
086c1a0594
file path must be relative to src
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-05 19:35:36 +02:00
shimun
c2e38eb06f
generate shell completions during build
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/tag Build is failing
Details
2020-09-05 18:52:07 +02:00
shimun
03ef5721e0
bump version
All checks were successful
continuous-integration/drone/tag Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2020-09-03 14:56:36 +02:00
shimun
008e644024
auto detect current version 2020-09-03 14:56:22 +02:00
shimun
e1f762ddc9
add subcommand to generate bash completions
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-09-03 14:45:52 +02:00
Saravanan Palanisamy
2266754a95
create PKGBUILD file for archlinux package (#17)
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details 
* create PKGBUILD file

* use build & install method

* add package dependencies
 2020-09-02 14:14:40 +02:00
shimun
8811cff6d1
0.2.12
All checks were successful
continuous-integration/drone/tag Build is passing
Details
2020-08-31 00:04:24 +02:00
shimun
99787b614c
Merge branch 'pin_source' into master
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-08-31 00:00:42 +02:00
shimun
ee28f87148
always print the full error message
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-08-30 17:09:57 +02:00
shimun
196356fe3b
structopt does not allow for flags to be linked to env atm 2020-08-25 21:47:25 +02:00
shimun
3ff7e698bd
add flag to read pin from alternate source
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-08-25 21:26:30 +02:00
shimun
04d0d60fb3
use ubuntu as base image
Some checks reported errors
continuous-integration/drone/tag Build is passing
Details
continuous-integration/drone/push Build was killed
Details
2020-08-16 15:30:20 +02:00
shimun
e64f777c54
use sh to run password helper 2020-08-16 13:42:54 +02:00
shimun
8465949b44
spell promPt correctly 2020-08-16 13:42:35 +02:00
shimunn
06bed03e7b
Merge pull request #13 from Andrew-Finn/master 
Added documentation and tweaked readme
 2020-08-14 12:40:02 +02:00
Andrew-Finn
36f82e7c3a Added and edited documentation 2020-08-14 11:36:25 +01:00
shimun
cd90564f60
protect fido2luks.conf from being overwritten
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/tag Build is failing
Details
2020-08-11 23:08:12 +02:00
shimun
0f6d79a7e4
get plymouth to display a message
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-08-11 22:41:21 +02:00
shimun
4136b1bfad
relicense to MPL
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-07-27 09:22:02 +02:00
shimun
81016a1a42
require MPL for new contributions
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-07-26 21:11:03 +02:00
25 changed files with 1496 additions and 809 deletions
Show Stats Expand all files Collapse all files

29
.drone.yml
View File

@ -5,30 +5,25 @@ steps:
- name: fmt
image: rust:1.43.0
commands:
- rustup component add rustfmt
- cargo fmt --all -- --check
- name: readme
image: msrd0/cargo-readme@sha256:2b916451e576cda54f1e02703fa092b9d5af95bcf48426a1ef42872a19467fd3
commands:
- cargo readme > ~README.md
- cmp -s README.md ~README.md || (printf "README.md need to be updated:\n"; cat ~README.md; exit 1)
- rustup component add rustfmt
- cargo fmt --all -- --check
- name: test
image: rust:1.43.0
commands:
- apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config
- echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
- cargo test
- name: publish
image: rust:1.43.0
image: ubuntu:focal
environment:
DEBIAN_FRONTEND: noninteractive
commands:
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo test --locked
- name: publish
image: ubuntu:focal
environment:
DEBIAN_FRONTEND: noninteractive
CARGO_REGISTRY_TOKEN:
from_secret: cargo_tkn
commands:
- grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
- apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config
- echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo package --all-features
- cargo publish --all-features
when:
event: tag
depends_on: ["fmt", "test", "readme"]

6
.gitignore vendored
View File

@ -2,3 +2,9 @@
**/*.rs.bk
.idea/
*.iml
fido2luks.bash
fido2luks.elv
fido2luks.fish
fido2luks.zsh
result
result-*

550
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

18
Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "fido2luks"
version = "0.2.9"
version = "0.2.20"
authors = ["shimunn <shimun@shimun.net>"]
edition = "2018"
@ -11,10 +11,10 @@ repository = "https://github.com/shimunn/fido2luks"
readme = "README.md"
keywords = ["luks", "fido2", "u2f"]
categories = ["command-line-utilities"]
license = "MPL 2.0"
license = "MPL-2.0"
[dependencies]
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
failure = "0.1.5"
@ -25,6 +25,15 @@ serde_json = "1.0.51"
serde_derive = "1.0.106"
serde = "1.0.106"
[build-dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
failure = "0.1.5"
rpassword = "4.0.1"
libcryptsetup-rs = "0.4.1"
structopt = "0.3.2"
[profile.release]
lto = true
opt-level = 'z'
@ -38,7 +47,10 @@ build-depends = "libclang-dev, libcryptsetup-dev"
extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
assets = [
["target/release/fido2luks", "usr/bin/", "755"],
["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
["initramfs-tools/fido2luks.conf", "etc/", "644"],
]
conf-files = ["/etc/fido2luks.conf"]

37
PKGBUILD Normal file
View File

@ -0,0 +1,37 @@
# Maintainer: shimunn <shimun@shimun.net>
pkgname=fido2luks-git
pkgver=0.2.16.7e6b33a
pkgrel=1
makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
depends=('cryptsetup')
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
url="https://github.com/shimunn/fido2luks"
license=('MPL-2.0')
source=('git+https://github.com/shimunn/fido2luks')
sha512sums=('SKIP')
pkgver() {
cd fido2luks
# Use tag version if possible otherwise concat project version and git ref
git describe --exact-match --tags HEAD 2>/dev/null ||
echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
}
build() {
cd fido2luks
cargo build --release --locked --all-features --target-dir=target
}
package() {
cd fido2luks
install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
}

97
README.md
View File

@ -1,75 +1,86 @@
[![Crates.io](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
# fido2luks
# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
This will allow you to unlock your luks encrypted disk with an fido2 compatible key
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
### Setup
## Setup
#### Prerequisites
### Prerequisites
```rust
```
dnf install clang cargo cryptsetup-devel -y
```
#### Device
### Device
```rust
```
git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
sudo -E cargo install -f --path . --root /usr
# Copy template
cp dracut/96luks-2fa/fido2luks.conf /etc/
# Name is optional but useful if your authenticator has a display
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
# Load config into env
set -a
. /etc/fido2luks.conf
# Repeat for each luks volume
# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
# enabling you to use `fido2luks open-token` without passing a credential as parameter
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
# Test(only works if the luks container isn't active)
sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
```
#### Dracut
### Dracut
```rust
```
cd dracut
sudo make install
```
#### Grub
### Grub
Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
```rust
```
grub2-mkconfig > /boot/grub2/grub.cfg
```
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
```rust
```
mkdir /boot/fido2luks/
cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/
```
### Test
## Testing
Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
```rust
```
# Recommend in case you lose your authenticator, store this backupfile somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
# There is no turning back if you mess this up, make sure you made a backup
# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
# which will enable you to use `fido2luks open-token` without passing a credential as parameter
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
```
### Addtional settings
## Addtional settings
#### Password less
### Password less
Remove your previous secret as described in the next section, in case you've already added one.
@ -78,18 +89,25 @@ but be warned that this password will be included to into your initramfs.
Import the new config into env:
```rust
```
set -a
. /etc/fido2luks.conf
```
Then add the new secret to each device and update dracut afterwards `dracut -f`
### Removal
### Multiple keys
Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
```
FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
```
## Removal
Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
```rust
```
set -a
. fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
@ -97,13 +115,46 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
```
## Theory of operation
fido2luks builds on two basic building blocks, LUKS as an abstraction over linux disk encryption and and the FIDO2 extension [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension).
The `hmac-secret` extension allows for an secret to be dervied on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FID2 device. The output of the `hmac-secret` function will then be used to decrypt the LUKS header which in turn is used to decrypt the disk.
```
+-------------------------------------------------------------------------------+
| |
| +-----------------------------------------+ |
| | FIDO2 device | |
| | | |
| | | |
+-------+--------+ +------+ | +---------------+ | | +------------------------+
| Salt/Password +-> |sha256+------------------------> | | | v | LUKS header |
+----------------+ +------+ | | | | | | +---------------+
| | | | +--------+ +------------------------+--------> |Disk master key|
| | sha256_hmac +---------> | sha256 +-------> | Keyslot 1 | +---------------+
+----------------+ | +----------+ | | | +--------+ +------------------------+
| FIDO credential+---------------> |Credential| +----> | | | | Keyslot 2 |
+----------------+ | |secret | | | | +------------------------+
| +----------+ +---------------+ |
| |
| |
+-----------------------------------------+
```
Since all these components build upon each other losing or damaging just one of them will render the disk undecryptable, it's threfore of paramount importance to backup the LUKS header and ideally set an backup password
or utilise more than one FIDO2 device. Each additional credential and password combination will require it's own LUKS keyslot since the credential secret is randomly generated for each new credential and will thus result
in a completly different secret.
## License
Licensed under the Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE) or https://www.mozilla.org/en-US/MPL/2.0/)
Licensed under
* Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
### Contribution
Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the MPL 2.0
license, shall be dual licensed as above, without any additional terms or
license, shall be licensed as above, without any additional terms or
conditions.

15
README.tpl
View File

@ -1,15 +0,0 @@
[![Crates.io](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
# {{crate}}
{{readme}}
## License
Licensed under the Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE) or https://www.mozilla.org/en-US/MPL/2.0/)
### Contribution
Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the MPL 2.0
license, shall be dual licensed as above, without any additional terms or
conditions.

24
build.rs Normal file
View File

@ -0,0 +1,24 @@
#![allow(warnings)]
#[macro_use]
extern crate failure;
extern crate ctap_hmac as ctap;
#[path = "src/cli_args/mod.rs"]
mod cli_args;
#[path = "src/error.rs"]
mod error;
#[path = "src/util.rs"]
mod util;
use cli_args::Args;
use std::env;
use std::str::FromStr;
use structopt::clap::Shell;
use structopt::StructOpt;
fn main() {
// generate completion scripts, zsh does panic for some reason
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
Args::clap().gen_completions(env!("CARGO_PKG_NAME"), Shell::from_str(shell).unwrap(), ".");
}
}

62
flake.lock generated Normal file
View File

@ -0,0 +1,62 @@
{
"nodes": {
"naersk": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1639947939,
"narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
"owner": "nmattia",
"repo": "naersk",
"rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
"type": "github"
},
"original": {
"owner": "nmattia",
"repo": "naersk",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1638109994,
"narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"root": {
"inputs": {
"naersk": "naersk",
"nixpkgs": "nixpkgs",
"utils": "utils"
}
},
"utils": {
"locked": {
"lastModified": 1638122382,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

61
flake.nix Normal file
View File

@ -0,0 +1,61 @@
{
description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
inputs = {
utils.url = "github:numtide/flake-utils";
naersk = {
url = "github:nmattia/naersk";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, utils, naersk }:
let
root = ./.;
pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
forPkgs = pkgs:
let
naersk-lib = naersk.lib."${pkgs.system}";
buildInputs = with pkgs; [ cryptsetup ];
LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
nativeBuildInputs = with pkgs; [
pkgconfig
clang
];
in
rec {
# `nix build`
packages.${pname} = naersk-lib.buildPackage {
inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
};
defaultPackage = packages.${pname};
# `nix run`
apps.${pname} = utils.lib.mkApp {
drv = packages.${pname};
};
defaultApp = apps.${pname};
# `nix flake check`
checks = {
fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
cd ${root}
cargo fmt -- --check
nixpkgs-fmt --check *.nix
touch $out
'';
};
# `nix develop`
devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
inherit buildInputs LIBCLANG_PATH;
};
};
forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
in
(utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
overlay = final: prev: (forPkgs final).packages;
};
}

18
initcpio/Makefile Normal file
View File

@ -0,0 +1,18 @@
.PHONY: install remove
install:
install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
ifdef preset
mkinitcpio -p $(preset)
else
mkinitcpio -P
endif
remove:
rm /usr/lib/initcpio/{hooks,install}/fido2luks
ifdef preset
mkinitcpio -p $(preset)
else
mkinitcpio -P
endif

52
initcpio/README.md Normal file
View File

@ -0,0 +1,52 @@
## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
### Setup
1. Connect your FIDO2 authenticator
2. Generate credential id
```shell
fido2luks credential
```
3. Generate salt (random string)
```shell
pwgen 48 1
```
4. Add key to your LUKS2 device
```shell
fido2luks add-key -Pt --salt <salt> <block_device> <credential_id>
```
`-P` - request PIN to unlock the authenticator
`-t` - add token (including credential id) to the LUKS2 header
`-e` - wipe all other keys
For the full list of options see `fido2luks add-key --help`
5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
```shell
cryptsetup luksDump <block_device>
```
6. Add fido2luks hook to /etc/mkinitcpio.conf
Before or instead of `encrypt` hook, for example:
```shell
HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
```
7. Recreate initial ramdisk
```shell
mkinitcpio -p <preset>
```

18
initcpio/fido2luks.conf Normal file
View File

@ -0,0 +1,18 @@
# Set credential *ONLY IF* it's not embedded in the LUKS2 header
FIDO2LUKS_CREDENTIAL_ID=
# Encrypted device and its name under /dev/mapper
# Can be overridden by `cryptdevice` kernel parameter
FIDO2LUKS_DEVICE=
FIDO2LUKS_MAPPER_NAME=
FIDO2LUKS_SALT=string:<salt>
# Use specific keyslot (ignore all other slots)
FIDO2LUKS_DEVICE_SLOT=
# Await for an authenticator to be connected (in seconds)
FIDO2LUKS_DEVICE_AWAIT=
# Set to 1 if PIN is required to unlock the authenticator
FIDO2LUKS_ASK_PIN=

55
initcpio/hooks/fido2luks Normal file
View File

@ -0,0 +1,55 @@
#!/usr/bin/ash
run_hook() {
modprobe -a -q dm-crypt >/dev/null 2>&1
. /etc/fido2luks.conf
if [ -z "$cryptdevice" ]; then
device="$FIDO2LUKS_DEVICE"
dmname="$FIDO2LUKS_MAPPER_NAME"
else
IFS=: read cryptdev dmname _cryptoptions <<EOF
$cryptdevice
EOF
if ! device=$(resolve_device "${cryptdev}" ${rootdelay}); then
return 1
fi
fi
options="--salt $FIDO2LUKS_SALT"
if [ "$FIDO2LUKS_ASK_PIN" == 1 ]; then
options="$options --pin"
fi
if [ -n "$FIDO2LUKS_DEVICE_SLOT" ]; then
options="$options --slot $FIDO2LUKS_DEVICE_SLOT"
fi
if [ -n "$FIDO2LUKS_DEVICE_AWAIT" ]; then
options="$options --await-dev $FIDO2LUKS_DEVICE_AWAIT"
fi
# HACK: /dev/tty is hardcoded in rpassword, but not accessible from the ramdisk
# Temporary link it to /dev/tty1
mv /dev/tty /dev/tty.back
ln -s /dev/tty1 /dev/tty
printf "\nAuthentication is required to access the $dmname volume at $device\n"
if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ]; then
fido2luks open-token $device $dmname $options
else
fido2luks open $device $dmname $FIDO2LUKS_CREDENTIAL_ID $options
fi
exit_code=$?
# Restore /dev/tty
mv /dev/tty.back /dev/tty
if [ $exit_code -ne 0 ]; then
printf '\n'
read -s -p 'Press Enter to continue'
printf '\n'
fi
}

31
initcpio/install/fido2luks Normal file
View File

@ -0,0 +1,31 @@
#!/bin/bash
build() {
local mod
add_module dm-crypt
add_module dm-integrity
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules /crypto/
fi
add_binary fido2luks
add_binary dmsetup
add_file /usr/lib/udev/rules.d/10-dm.rules
add_file /usr/lib/udev/rules.d/13-dm-disk.rules
add_file /usr/lib/udev/rules.d/95-dm-notify.rules
add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
add_file /etc/fido2luks.conf /etc/fido2luks.conf
add_runscript
}
help() {
cat <<HELPEOF
This hook allows to decrypt LUKS2 partition using FIDO2 compatible authenticator
HELPEOF
}

33
initramfs-tools/README.md
View File

@ -1,13 +1,34 @@
## Initramfs-tools based systems(Ubuntu and derivatives)
After installation generate your credentials and add keys to your disk as described in the top-level README
then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
Example:
```
sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
sudo -s
# Insert FIDO key.
fido2luks credential
# Tap FIDO key
# Copy returned string <CREDENTIAL>
nano /etc/fido2luks.conf
# Insert <CREDENTIAL>
# FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL>
set -a
. /etc/fido2luks.conf
fido2luks -i add-key /dev/<LUKS PARTITION>
# Current password: <Any current LUKS password>
# Password: <Password used as FIDO challange>
# Tap FIDO key
nano /etc/crypttab
# Append to end ",discard,initramfs,keyscript=fido2luks"
# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
update-initramfs -u
```
But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)

4
initramfs-tools/fido2luks.conf
View File

@ -1,3 +1,5 @@
FIDO2LUKS_SALT=Ask
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
FIDO2LUKS_CREDENTIAL_ID=
FIDO2LUKS_USE_TOKEN=0
FIDO2LUKS_PASSWORD_FALLBACK=1

23
initramfs-tools/keyscript.sh
View File

@ -2,8 +2,29 @@
set -a
. /etc/fido2luks.conf
# Set Defaults
if [ -z "$FIDO2LUKS_USE_TOKEN" ]; then
FIDO2LUKS_USE_TOKEN=0
fi
if [ -z "$FIDO2LUKS_PASSWORD_FALLBACK" ]; then
FIDO2LUKS_PASSWORD_FALLBACK=1
fi
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt 'FIDO2 password salt for $CRYPTTAB_NAME'"
MSG="FIDO2 password salt for $CRYPTTAB_NAME"
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
fi
if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
fi
fido2luks print-secret --bin
# Fall back to passphrase-based unlock if fido2luks fails
if [ "$?" -gt 0 ] && [ "$FIDO2LUKS_PASSWORD_FALLBACK" -eq 1 ]; then
plymouth ask-for-password --prompt "Password for $CRYPTTAB_SOURCE"
fi

220
pam_mount/fido2luksmounthelper.sh Executable file
View File

@ -0,0 +1,220 @@
#!/bin/bash
#
# This is a rather minimal example Argbash potential
# Example taken from http://argbash.readthedocs.io/en/stable/example.html
#
# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
# ARGBASH_GO()
# needed because of Argbash --> m4_ignore([
### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
# Argbash is a bash code generator used to get arguments parsing right.
# Argbash is FREE SOFTWARE, see https://argbash.io for more info
# Generated online by https://argbash.io/generate
die()
{
local _ret="${2:-1}"
test "${_PRINT_HELP:-no}" = yes && print_help >&2
echo "$1" >&2
exit "${_ret}"
}
begins_with_short_option()
{
local first_option all_short_options='cdmash'
first_option="${1:0:1}"
test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
}
# THE DEFAULTS INITIALIZATION - POSITIONALS
_positionals=()
# THE DEFAULTS INITIALIZATION - OPTIONALS
_arg_credentials_type=
_arg_device=
_arg_mount_point=
_arg_ask_pin="off"
_arg_salt=""
print_help()
{
printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
printf '\t%s\n' "-h, --help: Prints help"
}
parse_commandline()
{
_positionals_count=0
while test $# -gt 0
do
_key="$1"
case "$_key" in
-c|--credentials-type)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_credentials_type="$2"
shift
;;
--credentials-type=*)
_arg_credentials_type="${_key##--credentials-type=}"
;;
-c*)
_arg_credentials_type="${_key##-c}"
;;
-d|--device)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_device="$2"
shift
;;
--device=*)
_arg_device="${_key##--device=}"
;;
-d*)
_arg_device="${_key##-d}"
;;
-m|--mount-point)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_mount_point="$2"
shift
;;
--mount-point=*)
_arg_mount_point="${_key##--mount-point=}"
;;
-m*)
_arg_mount_point="${_key##-m}"
;;
-a|--no-ask-pin|--ask-pin)
_arg_ask_pin="on"
test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
;;
-a*)
_arg_ask_pin="on"
_next="${_key##-a}"
if test -n "$_next" -a "$_next" != "$_key"
then
{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
fi
;;
-s|--salt)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_salt="$2"
shift
;;
--salt=*)
_arg_salt="${_key##--salt=}"
;;
-s*)
_arg_salt="${_key##-s}"
;;
-h|--help)
print_help
exit 0
;;
-h*)
print_help
exit 0
;;
*)
_last_positional="$1"
_positionals+=("$_last_positional")
_positionals_count=$((_positionals_count + 1))
;;
esac
shift
done
}
handle_passed_args_count()
{
local _required_args_string="'operation'"
test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
}
assign_positional_args()
{
local _positional_name _shift_for=$1
_positional_names="_arg_operation "
shift "$_shift_for"
for _positional_name in ${_positional_names}
do
test $# -gt 0 || break
eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
shift
done
}
parse_commandline "$@"
handle_passed_args_count
assign_positional_args 1 "${_positionals[@]}"
# OTHER STUFF GENERATED BY Argbash
### END OF CODE GENERATED BY Argbash (sortof) ### ])
# [ <-- needed because of Argbash
if [ -z ${_arg_mount_point} ]; then
die "Missing '--mount-point' argument"
fi
if [ -z ${_arg_device} ]; then
die "Missing '--device' argument"
fi
ASK_PIN=${_arg_ask_pin}
OPERATION=${_arg_operation}
DEVICE=${_arg_device}
DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
MOUNT_POINT=${_arg_mount_point}
CREDENTIALS_TYPE=${_arg_credentials_type}
SALT=${_arg_salt}
CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
if [ "${OPERATION}" == "mount" ]; then
if [ "${CREDENTIALS_TYPE}" == "external" ]; then
if [ -f ${CONF_FILE_PATH} ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
CREDENTIALS=$(<${CONF_FILE_PATH})
else
die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
fi
printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
else
die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
fi
mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
elif [ "${OPERATION}" == "umount" ]; then
umount ${MOUNT_POINT}
cryptsetup luksClose ${DEVICE_NAME}
else
die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
fi
exit 0
# ] <-- needed because of Argbash

419
src/cli.rs
View File

@ -1,185 +1,36 @@
//! ## Command line interface
//! ### Generating a credential
//! Credentials can be generated by using `fido2luks credential`
//! this command will take an optional string as username your authenticator might be able to display
//!
//! `fido2luks credential 'My 2FA protected disk'`
//!
//! It is advisable to repeat this step and the next step for more than one authenticator, as backup
//! ### Securing a disk
//! To utilise the previously generated credential you simply run
//!
//! `fido2luks -i add-key <device> [<credential>,..]`
//!
//! You can also use `fido2luks -i add-key --exclusive <device> [<credential>,..]`
//!
//! which will add a new key and then remove ALL other keys.
//! This command supports a fair amount of options for instance `--keyfile` which will allow you to
//! add an authenticator to the `<device>`
//!
//! `-f` will utilise an previously added fido protected key to add another one
//!
//! `--token` will store the credential within the LUKS header, making it easily accessible even if
//! you're unable to boot your system.
//!
//!
//! `fido2luks -i replace-key <device> [<credential>,..]`
//! works in a similar fashion but instead of adding a new key it'll update an existing one
//!
//!
//! ### Unlocking a disk
//! To open an LUKS container using your authenticator you simply run
//!
//! `fido2luks -i open <device> <name> [<credential>,..]`
//!
//! if successful your LUKS container will be accessible under `/dev/mapper/<name>`
//! To avoid having to specify your credentials you may want to to use
//!
//! `fido2luks -i open-token <device> <name>`
//!
//! which should even be faster since it allows for the credential to be matched to the right keyslot
//!
//!
//! ### Common options
//!
//! `--salt` Determines what data will be provided to the authenticator in order to derive the secret, the default being `ask` which will prompt the user for an password.
//! Alternatives being `file:<PATH>` where the specified file will be hashed and then used as input, the same goes for the `string:<STRING>` option which will behave in the same manner as the `ask` option.
//!
//! `--pin` Allows for a PIN to be passed to the authenticator if needed, it is however recommended not to use a PIN since the bootscript doesn't support this feature atm.
//!
//! `--help` Will provide context dependant help for each command
use crate::error::*;
use crate::luks::{Fido2LuksToken, LuksDevice};
use crate::util::sha256;
use crate::*;
use cli_args::*;
use structopt::clap::Shell;
use structopt::StructOpt;
use ctap::{FidoCredential, FidoErrorKind};
use failure::_core::fmt::{Display, Error, Formatter};
use failure::_core::str::FromStr;
use failure::_core::time::Duration;
use std::io::Write;
use std::process::exit;
use std::thread;
use crate::luks::{Fido2LuksToken, LuksDevice};
use crate::util::sha256;
use std::io::{Read, Write};
use std::str::FromStr;
use std::thread;
use std::time::Duration;
use std::borrow::Cow;
use std::collections::HashSet;
use std::fs::File;
use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(pub Vec<u8>);
pub use cli_args::Args;
impl Display for HexEncoded {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
f.write_str(&hex::encode(&self.0))
fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
if let Some(src) = ap.pin_source.as_ref() {
let mut pin = String::new();
File::open(src)?.read_to_string(&mut pin)?;
Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
} else {
util::read_password("Authenticator PIN", false)
}
}
impl AsRef<[u8]> for HexEncoded {
fn as_ref(&self) -> &[u8] {
&self.0[..]
}
}
impl FromStr for HexEncoded {
type Err = hex::FromHexError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(HexEncoded(hex::decode(s)?))
}
}
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
impl<T: Display + FromStr> Display for CommaSeparated<T> {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
for i in &self.0 {
f.write_str(&i.to_string())?;
f.write_str(",")?;
}
Ok(())
}
}
impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
type Err = <T as FromStr>::Err;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(CommaSeparated(
s.split(',')
.map(|part| <T as FromStr>::from_str(part))
.collect::<Result<Vec<_>, _>>()?,
))
}
}
#[derive(Debug, StructOpt)]
pub struct Credentials {
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub ids: CommaSeparated<HexEncoded>,
}
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_time: u64,
}
#[derive(Debug, StructOpt)]
pub struct LuksParameters {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: Option<u32>,
}
#[derive(Debug, StructOpt, Clone)]
pub struct LuksModParameters {
/// Number of milliseconds required to derive the volume decryption key
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time")]
kdf_time: Option<u64>,
}
#[derive(Debug, StructOpt)]
pub struct SecretParameters {
/// Salt for secret generation, defaults to 'ask'
///
/// Options:{n}
/// - ask : Prompt user using password helper{n}
/// - file:<PATH> : Will read <FILE>{n}
/// - string:<STRING> : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
#[structopt(
name = "salt",
long = "salt",
env = "FIDO2LUKS_SALT",
default_value = "ask"
)]
pub salt: InputSalt,
/// Script used to obtain passwords, overridden by --interactive flag
#[structopt(
name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER",
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
)]
pub password_helper: PasswordHelper,
}
fn derive_secret(
credentials: &[HexEncoded],
salt: &[u8; 32],
@ -216,175 +67,16 @@ fn derive_secret(
Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
}
fn read_pin() -> Fido2LuksResult<String> {
util::read_password("Authenticator PIN", false)
}
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(subcommand)]
pub command: Command,
}
#[derive(Debug, StructOpt, Clone)]
pub struct OtherSecret {
/// Use a keyfile instead of a password
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
keyfile: Option<PathBuf>,
/// Use another fido device instead of a password
/// Note: this requires for the credential fot the other device to be passed as argument as well
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
fido_device: bool,
}
#[derive(Debug, StructOpt)]
pub enum Command {
#[structopt(name = "print-secret")]
PrintSecret {
/// Prints the secret as binary instead of hex encoded
#[structopt(short = "b", long = "bin")]
binary: bool,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
},
/// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")]
AddKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")]
exclusive: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)]
existing_secret: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Replace a previously added key with a password
#[structopt(name = "replace-key")]
ReplaceKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Add the password and keep the key
#[structopt(short = "a", long = "add-password")]
add_password: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)]
replacement: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Open the LUKS device
#[structopt(name = "open")]
Open {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
},
/// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")]
OpenToken {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
},
/// Generate a new FIDO credential
#[structopt(name = "credential")]
Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator if it has a display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
name: Option<String>,
},
/// Check if an authenticator is connected
#[structopt(name = "connected")]
Connected,
Token(TokenCommand),
}
///LUKS2 token related operations
#[derive(Debug, StructOpt)]
pub enum TokenCommand {
/// List all tokens associated with the specified device
List {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Dump all credentials as CSV
#[structopt(long = "csv")]
csv: bool,
},
/// Add credential to a keyslot
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
},
/// Remove credentials from token(s)
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,
},
/// Remove all unassigned tokens
GC {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
},
}
pub fn parse_cmdline() -> Args {
Args::from_args()
}
pub fn prompt_interaction(interactive: bool) {
if interactive {
println!("Authorize using your FIDO device");
}
}
pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout();
let args = parse_cmdline();
@ -396,12 +88,12 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin()?;
pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref())
} else {
None
};
let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
let cred = make_credential_id(Some(name.as_ref()), pin)?;
println!("{}", hex::encode(&cred.id));
Ok(())
}
@ -413,7 +105,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin()?;
pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref())
} else {
None
@ -421,8 +113,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed("Password", false)
} else {
secret.salt.obtain(&secret.password_helper)
secret.salt.obtain_sha256(&secret.password_helper)
}?;
prompt_interaction(interactive);
let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(),
&salt,
@ -457,7 +150,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
..
} => {
let pin = if authenticator.pin {
Some(read_pin()?)
Some(read_pin(authenticator)?)
} else {
None
};
@ -465,7 +158,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify)
} else {
secret.salt.obtain(&secret.password_helper)
secret.salt.obtain_sha256(&secret.password_helper)
}
};
let other_secret = |salt_q: &str,
@ -478,23 +171,27 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => Ok((util::read_keyfile(file)?, None)),
OtherSecret {
fido_device: true, ..
} => Ok(derive_secret(
&credentials.ids.0,
&salt(salt_q, verify)?,
authenticator.await_time,
pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
} => {
prompt_interaction(interactive);
Ok(derive_secret(
&credentials.ids.0,
&salt(salt_q, verify)?,
authenticator.await_time,
pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
}
_ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(),
None,
)),
}
};
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
prompt_interaction(interactive);
derive_secret(
&credentials.ids.0,
&salt("Password", verify)?,
&salt(q, verify)?,
authenticator.await_time,
pin.as_deref(),
)
@ -504,7 +201,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
match &args.command {
Command::AddKey { exclusive, .. } => {
let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret(true)?;
let (new_secret, cred) = secret("Password to be added", true)?;
let added_slot = luks_dev.add_key(
&new_secret,
&existing_secret[..],
@ -529,7 +226,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Ok(())
}
Command::ReplaceKey { add_password, .. } => {
let (existing_secret, _) = secret(false)?;
let (existing_secret, _) = secret("Current password", false)?;
let (replacement_secret, cred) = other_secret("Replacement password", true)?;
let slot = if *add_password {
luks_dev.add_key(
@ -562,6 +259,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret,
name,
retries,
allow_discards,
..
}
| Command::OpenToken {
@ -570,10 +268,11 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret,
name,
retries,
allow_discards,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin()?;
pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref())
} else {
None
@ -582,12 +281,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify)
} else {
secret.salt.obtain(&secret.password_helper)
secret.salt.obtain_sha256(&secret.password_helper)
}
};
// Cow shouldn't be necessary
let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
prompt_interaction(interactive);
derive_secret(
credentials.as_ref(),
&salt("Password", false)?,
@ -601,7 +301,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
loop {
let secret = match &args.command {
Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
.and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
.and_then(|(secret, _cred)| {
luks_dev.activate(&name, &secret, luks.slot, *allow_discards)
}),
Command::OpenToken { .. } => luks_dev.activate_token(
&name,
Box::new(|credentials: Vec<String>| {
@ -613,6 +315,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.map(|(secret, cred)| (secret, hex::encode(&cred.id)))
}),
luks.slot,
*allow_discards,
),
_ => unreachable!(),
};
@ -763,5 +466,17 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Ok(())
}
},
Command::GenerateCompletions { shell, out_dir } => {
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
match shell.as_ref() {
"bash" => Shell::Bash,
"fish" => Shell::Fish,
_ => unreachable!("structopt shouldn't allow us to reach this point"),
},
&out_dir,
);
Ok(())
}
}
}

85
src/config.rs → src/cli_args/config.rs
View File

@ -10,33 +10,33 @@ use std::process::Command;
use std::str::FromStr;
#[derive(Debug, Clone, PartialEq)]
pub enum InputSalt {
pub enum SecretInput {
AskPassword,
String(String),
File { path: PathBuf },
}
impl Default for InputSalt {
impl Default for SecretInput {
fn default() -> Self {
InputSalt::AskPassword
SecretInput::AskPassword
}
}
impl From<&str> for InputSalt {
impl From<&str> for SecretInput {
fn from(s: &str) -> Self {
let mut parts = s.split(':');
match parts.next() {
Some("ask") | Some("Ask") => InputSalt::AskPassword,
Some("file") => InputSalt::File {
Some("ask") | Some("Ask") => SecretInput::AskPassword,
Some("file") => SecretInput::File {
path: parts.collect::<Vec<_>>().join(":").into(),
},
Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")),
Some("string") => SecretInput::String(parts.collect::<Vec<_>>().join(":")),
_ => Self::default(),
}
}
}
impl FromStr for InputSalt {
impl FromStr for SecretInput {
type Err = Fido2LuksError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
@ -44,21 +44,42 @@ impl FromStr for InputSalt {
}
}
impl fmt::Display for InputSalt {
impl fmt::Display for SecretInput {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
f.write_str(&match self {
InputSalt::AskPassword => "ask".to_string(),
InputSalt::String(s) => ["string", s].join(":"),
InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"),
SecretInput::AskPassword => "ask".to_string(),
SecretInput::String(s) => ["string", s].join(":"),
SecretInput::File { path } => ["file", path.display().to_string().as_str()].join(":"),
})
}
}
impl InputSalt {
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
impl SecretInput {
pub fn obtain_string(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<String> {
Ok(String::from_utf8(self.obtain(password_helper)?)?)
}
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<Vec<u8>> {
let mut secret = Vec::new();
match self {
SecretInput::File { path } => {
//TODO: replace with try_blocks
let mut do_io = || File::open(path)?.read_to_end(&mut secret);
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
}
SecretInput::AskPassword => {
secret.extend_from_slice(password_helper.obtain()?.as_bytes())
}
SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
}
Ok(secret)
}
pub fn obtain_sha256(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
let mut digest = digest::Context::new(&digest::SHA256);
match self {
InputSalt::File { path } => {
SecretInput::File { path } => {
let mut do_io = || {
let mut reader = File::open(path)?;
let mut buf = [0u8; 512];
@ -73,10 +94,7 @@ impl InputSalt {
};
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
}
InputSalt::AskPassword => {
digest.update(password_helper.obtain()?.as_bytes());
}
InputSalt::String(s) => digest.update(s.as_bytes()),
_ => digest.update(self.obtain(password_helper)?.as_slice()),
}
let mut salt = [0u8; 32];
salt.as_mut().copy_from_slice(digest.finish().as_ref());
@ -135,10 +153,9 @@ impl PasswordHelper {
Systemd => unimplemented!(),
Stdin => Ok(util::read_password("Password", true)?),
Script(password_helper) => {
let mut helper_parts = password_helper.split(' ');
let password = Command::new((&mut helper_parts).next().unwrap())
.args(helper_parts)
let password = Command::new("sh")
.arg("-c")
.arg(&password_helper)
.output()
.map_err(|e| Fido2LuksError::AskPassError {
cause: error::AskPassError::IO(e),
@ -158,24 +175,30 @@ mod test {
#[test]
fn input_salt_from_str() {
assert_eq!(
"file:/tmp/abc".parse::<InputSalt>().unwrap(),
InputSalt::File {
"file:/tmp/abc".parse::<SecretInput>().unwrap(),
SecretInput::File {
path: "/tmp/abc".into()
}
);
assert_eq!(
"string:abc".parse::<InputSalt>().unwrap(),
InputSalt::String("abc".into())
"string:abc".parse::<SecretInput>().unwrap(),
SecretInput::String("abc".into())
);
assert_eq!(
"ask".parse::<SecretInput>().unwrap(),
SecretInput::AskPassword
);
assert_eq!(
"lol".parse::<SecretInput>().unwrap(),
SecretInput::default()
);
assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
}
#[test]
fn input_salt_obtain() {
assert_eq!(
InputSalt::String("abc".into())
.obtain(&PasswordHelper::Stdin)
SecretInput::String("abc".into())
.obtain_sha256(&PasswordHelper::Stdin)
.unwrap(),
[
186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

299
src/cli_args/mod.rs Normal file
View File

@ -0,0 +1,299 @@
use std::fmt::{Display, Error, Formatter};
use std::path::PathBuf;
use std::str::FromStr;
use structopt::clap::AppSettings;
use structopt::StructOpt;
mod config;
pub use config::*;
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(pub Vec<u8>);
impl Display for HexEncoded {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
f.write_str(&hex::encode(&self.0))
}
}
impl AsRef<[u8]> for HexEncoded {
fn as_ref(&self) -> &[u8] {
&self.0[..]
}
}
impl FromStr for HexEncoded {
type Err = hex::FromHexError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(HexEncoded(hex::decode(s)?))
}
}
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
impl<T: Display + FromStr> Display for CommaSeparated<T> {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
for i in &self.0 {
f.write_str(&i.to_string())?;
f.write_str(",")?;
}
Ok(())
}
}
impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
type Err = <T as FromStr>::Err;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(CommaSeparated(
s.split(',')
.map(|part| <T as FromStr>::from_str(part))
.collect::<Result<Vec<_>, _>>()?,
))
}
}
#[derive(Debug, StructOpt)]
pub struct Credentials {
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub ids: CommaSeparated<HexEncoded>,
}
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Location to read PIN from
#[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
pub pin_source: Option<PathBuf>,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_time: u64,
}
#[derive(Debug, StructOpt)]
pub struct LuksParameters {
#[structopt(env = "FIDO2LUKS_DEVICE")]
pub device: PathBuf,
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
pub slot: Option<u32>,
}
#[derive(Debug, StructOpt, Clone)]
pub struct LuksModParameters {
/// Number of milliseconds required to derive the volume decryption key
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time")]
pub kdf_time: Option<u64>,
}
#[derive(Debug, StructOpt)]
pub struct SecretParameters {
/// Salt for secret generation, defaults to 'ask'
///
/// Options:{n}
/// - ask : Prompt user using password helper{n}
/// - file:<PATH> : Will read <FILE>{n}
/// - string:<STRING> : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
#[structopt(
name = "salt",
long = "salt",
env = "FIDO2LUKS_SALT",
default_value = "ask"
)]
pub salt: SecretInput,
/// Script used to obtain passwords, overridden by --interactive flag
#[structopt(
name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER",
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
)]
pub password_helper: PasswordHelper,
}
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(subcommand)]
pub command: Command,
}
#[derive(Debug, StructOpt, Clone)]
pub struct OtherSecret {
/// Use a keyfile instead of a password
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
pub keyfile: Option<PathBuf>,
/// Use another fido device instead of a password
/// Note: this requires for the credential fot the other device to be passed as argument as well
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
pub fido_device: bool,
}
#[derive(Debug, StructOpt)]
pub enum Command {
#[structopt(name = "print-secret")]
PrintSecret {
/// Prints the secret as binary instead of hex encoded
#[structopt(short = "b", long = "bin")]
binary: bool,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
},
/// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")]
AddKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")]
exclusive: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)]
existing_secret: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Replace a previously added key with a password
#[structopt(name = "replace-key")]
ReplaceKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Add the password and keep the key
#[structopt(short = "a", long = "add-password")]
add_password: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)]
replacement: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Open the LUKS device
#[structopt(name = "open")]
Open {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
allow_discards: bool,
},
/// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")]
OpenToken {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
allow_discards: bool,
},
/// Generate a new FIDO credential
#[structopt(name = "credential")]
Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
name: String,
},
/// Check if an authenticator is connected
#[structopt(name = "connected")]
Connected,
Token(TokenCommand),
/// Generate bash completion scripts
#[structopt(name = "completions", setting = AppSettings::Hidden)]
GenerateCompletions {
/// Shell to generate completions for: bash, fish
#[structopt(possible_values = &["bash", "fish"])]
shell: String,
out_dir: PathBuf,
},
}
///LUKS2 token related operations
#[derive(Debug, StructOpt)]
pub enum TokenCommand {
/// List all tokens associated with the specified device
List {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Dump all credentials as CSV
#[structopt(long = "csv")]
csv: bool,
},
/// Add credential to a keyslot
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
},
/// Remove credentials from token(s)
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,
},
/// Remove all unassigned tokens
GC {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
},
}

9
src/error.rs
View File

@ -1,5 +1,9 @@
use ctap::FidoError;
use libcryptsetup_rs::LibcryptErr;
use std::io;
use std::io::ErrorKind;
use std::string::FromUtf8Error;
use Fido2LuksError::*;
pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
@ -81,11 +85,6 @@ impl From<LuksError> for Fido2LuksError {
}
}
use libcryptsetup_rs::LibcryptErr;
use std::io::ErrorKind;
use std::string::FromUtf8Error;
use Fido2LuksError::*;
impl From<FidoError> for Fido2LuksError {
fn from(e: FidoError) -> Self {
AuthenticatorError { cause: e }

25
src/luks.rs
View File

@ -1,8 +1,8 @@
use crate::error::*;
use libcryptsetup_rs::{
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
TokenInput,
CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
EncryptionFormat, KeyslotInfo, TokenInput,
};
use std::collections::{HashMap, HashSet};
use std::path::Path;
@ -11,7 +11,7 @@ pub struct LuksDevice {
device: CryptDevice,
luks2: Option<bool>,
}
/// Wrapper around [CryptDevice](libcryptsetup_rs::CryptDevice)
impl LuksDevice {
pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
let mut device = CryptInit::init(path.as_ref())?;
@ -22,7 +22,6 @@ impl LuksDevice {
})
}
/// Check whether the device supports LUKS2
pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
if let Some(luks2) = self.luks2 {
Ok(luks2)
@ -35,7 +34,6 @@ impl LuksDevice {
}
}
/// Check whether the device supports LUKS2, return an appropriate error if it does not
fn require_luks2(&mut self) -> Fido2LuksResult<()> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
@ -43,7 +41,6 @@ impl LuksDevice {
Ok(())
}
/// Returns an iterator over all tokens, of type fido2luks
pub fn tokens<'a>(
&'a mut self,
) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
@ -87,7 +84,6 @@ impl LuksDevice {
))
}
/// Returns the first token with an reference to the specified keyslot
pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
let slot_str = slot.to_string();
for token in self.tokens()? {
@ -126,8 +122,6 @@ impl LuksDevice {
Ok(())
}
/// Add a new key `secret` using `old_secret` with the specified `iteration_time` in milliseconds
/// an LUKS2 token will be created if the device supports LUKS2 and a `credential_id` is provided
pub fn add_key(
&mut self,
secret: &[u8],
@ -181,8 +175,6 @@ impl LuksDevice {
Ok(destroyed)
}
/// Replaces an existing key with `secret` using `old_secret` with the specified `iteration_time` in milliseconds
/// an LUKS2 token will be created or updated if the device supports LUKS2 and a `credential_id` is provided
pub fn replace_key(
&mut self,
secret: &[u8],
@ -229,10 +221,15 @@ impl LuksDevice {
name: &str,
secret: &[u8],
slot_hint: Option<u32>,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
let mut flags = CryptActivateFlags::empty();
if allow_discard {
flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
}
self.device
.activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
.activate_by_passphrase(Some(name), slot_hint, secret, flags)
.map_err(LuksError::activate)
}
@ -241,6 +238,7 @@ impl LuksDevice {
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
@ -284,7 +282,7 @@ impl LuksDevice {
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots {
match self.activate(name, &secret, slot) {
match self.activate(name, &secret, slot, allow_discard) {
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}
@ -293,7 +291,6 @@ impl LuksDevice {
}
}
/// Represents a LUKS2 token
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Fido2LuksToken {
#[serde(rename = "type")]

115
src/main.rs
View File

@ -1,126 +1,16 @@
//! This will allow you to unlock your luks encrypted disk with an fido2 compatible key
//!
//! Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
//!
//! ## Setup
//!
//! ### Prerequisites
//!
//! ```
//! dnf install clang cargo cryptsetup-devel -y
//! ```
//!
//! ### Device
//!
//! ```
//! git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
//!
//! # Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
//! sudo -E cargo install -f --path . --root /usr
//!
//! # Copy template
//! cp dracut/96luks-2fa/fido2luks.conf /etc/
//! # Name is optional but useful if your authenticator has a display
//! echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
//!
//! # Load config into env
//! set -a
//! . /etc/fido2luks.conf
//!
//! # Repeat for each luks volume
//! # You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
//! # enabling you to use `fido2luks open-token` without passing a credential as parameter
//! sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
//!
//! # Test(only works if the luks container isn't active)
//! sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
//!
//! ```
//!
//! ### Dracut
//!
//! ```
//! cd dracut
//!
//! sudo make install
//! ```
//!
//! ### Grub
//!
//! Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
//!
//! Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
//!
//! ```
//! grub2-mkconfig > /boot/grub2/grub.cfg
//! ```
//!
//! I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
//!
//! ```
//! mkdir /boot/fido2luks/
//! cp /usr/bin/fido2luks /boot/fido2luks/
//! cp /etc/fido2luks.conf /boot/fido2luks/
//! ```
//!
//! ## Test
//!
//! Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
//!
//! ```
//! # Recommend in case you lose your authenticator, store this backupfile somewhere safe
//! cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
//! # There is no turning back if you mess this up, make sure you made a backup
//! # You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
//! # which will enable you to use `fido2luks open-token` without passing a credential as parameter
//! fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
//! ```
//!
//! ## Addtional settings
//!
//! ### Password less
//!
//! Remove your previous secret as described in the next section, in case you've already added one.
//!
//! Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
//! but be warned that this password will be included to into your initramfs.
//!
//! Import the new config into env:
//!
//! ```
//! set -a
//! . /etc/fido2luks.conf
//! ```
//!
//! Then add the new secret to each device and update dracut afterwards `dracut -f`
//!
//! ## Removal
//!
//! Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
//!
//! ```
//! set -a
//! . fido2luks.conf
//! sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
//!
//! sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
//!```
#[macro_use]
extern crate failure;
extern crate ctap_hmac as ctap;
#[macro_use]
extern crate serde_derive;
use crate::cli::*;
use crate::config::*;
use crate::device::*;
use crate::error::*;
use std::io;
use std::path::PathBuf;
use std::process::exit;
mod cli;
mod config;
pub mod cli_args;
mod device;
mod error;
mod luks;
@ -129,10 +19,7 @@ mod util;
fn main() -> Fido2LuksResult<()> {
match run_cli() {
Err(e) => {
#[cfg(debug_assertions)]
eprintln!("{:?}", e);
#[cfg(not(debug_assertions))]
eprintln!("{}", e);
exit(e.exit_code())
}
_ => exit(0),