[![Crates.io](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
# fido2luks

This will allow you to unlock your luks encrypted disk with an fido2 compatible key

Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T

### Setup

#### Prerequisites

```rust
dnf install clang cargo cryptsetup-devel -y
```

#### Device

```rust
git clone https://github.com/shimunn/fido2luks.git && cd fido2luks

sudo -E cargo install -f --path . --root /usr

cp dracut/96luks-2fa/fido2luks.conf /etc/
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf

set -a
. /etc/fido2luks.conf

sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>

sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>

```

#### Dracut

```rust
cd dracut

sudo make install
```

#### Grub

Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub

Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`

```rust
grub2-mkconfig > /boot/grub2/grub.cfg
```

I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system

```rust
mkdir /boot/fido2luks/
cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/
```

### Test

Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:

```rust
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
```

### Addtional settings

#### Password less

Remove your previous secret as described in the next section, in case you've already added one.

Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
but be warned that this password will be included to into your initramfs.

Import the new config into env:

```rust
set -a
. /etc/fido2luks.conf
```

Then add the new secret to each device and update dracut afterwards `dracut -f`

### Removal

Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub

```rust
set -a
. fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>

sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
```

## License

Licensed under either of

* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or https://www.apache.org/licenses/LICENSE-2.0)
* MIT license ([LICENSE-MIT](LICENSE-MIT) or https://opensource.org/licenses/MIT)

at your option.

### Contribution

Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the Apache-2.0
license, shall be dual licensed as above, without any additional terms or
conditions.