shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

initramfs-tools #3

Merged
shimun merged 2 commits from initramfs-tools into master 2020-07-03 15:54:46 +02:00
Conversation 0 Commits 2 Files Changed 7 +395 -1
7 changed files with 395 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -2,7 +2,7 @@
This will allow you to unlock your luks encrypted disk with an fido2 compatible key
Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
## Setup

23
initramfs-tools/Makefile Normal file
View File

@ -0,0 +1,23 @@
.PHONY: install clean
DRACUT_MODULES_D=/usr/lib/dracut/modules.d
DRACUT_CONF_D=/etc/dracut.conf.d
MODULE_CONF_D=dracut.conf.d
MODULE_CONF=luks-2fa.conf
MODULE_DIR=96luks-2fa
help:
@echo make help to show this help
@echo make install to install
@echo make clean to remove
install:
chmod +x hook/fido2luks.sh keyscript.sh
cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
mkdir -p /usr/share/fido2luks
cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
update-initramfs -u
remove:
rm /etc/initramfs-tools/hooks/fido2luks.sh
update-initramfs -u

13
initramfs-tools/README.md Normal file
View File

@ -0,0 +1,13 @@
## Initramfs-tools based systems(Ubuntu and derivatives)
After installation generate your credentials and add keys to your disk as described in the top-level README
then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
Example:
```
sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
```
But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)

3
initramfs-tools/fido2luks.conf Normal file
View File

@ -0,0 +1,3 @@
FIDO2LUKS_SALT=Ask
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
FIDO2LUKS_CREDENTIAL_ID=

14
initramfs-tools/hook/fido2luks.sh Executable file
View File

@ -0,0 +1,14 @@
#!/bin/sh
case "$1" in
prereqs)
echo ""
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
copy_exec /usr/bin/fido2luks
exit 0

9
initramfs-tools/keyscript.sh Executable file
View File

@ -0,0 +1,9 @@
#!/bin/sh
set -a
. /etc/fido2luks.conf
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt 'FIDO2 password salt for $CRYPTTAB_NAME'"
fi
fido2luks print-secret --bin

332
initramfs-tools/setup.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 550 KiB