Go to file

continuous-integration/drone/push Build is failing

Details

switch to license compatible with all dependencies

2020-07-26 20:47:29 +02:00

dracut

Added --await-dev flag

2020-01-13 23:23:45 +01:00

initramfs-tools

refuse removal while crypttab depends on keyscript

2020-07-03 16:21:35 +02:00

src

generate README from docs

2020-07-26 20:47:29 +02:00

.drone.yml

generate README from docs

2020-07-26 20:47:29 +02:00

.gitignore

skel

2019-09-14 22:56:57 +02:00

Cargo.lock

add non existing token

2020-06-19 20:09:36 +02:00

Cargo.toml

generate README from docs

2020-07-26 20:47:29 +02:00

fido2luks.conf

instructions

2019-09-19 18:48:05 +02:00

LICENSE

generate README from docs

2020-07-26 20:47:29 +02:00

README.md

generate README from docs

2020-07-26 20:47:29 +02:00

README.tpl

generate README from docs

2020-07-26 20:47:29 +02:00

README.md

fido2luks

This will allow you to unlock your luks encrypted disk with an fido2 compatible key

Note: This has only been tested under Fedora 31, Ubuntu 20.04, NixOS using a Solo Key, Trezor Model T

Setup

Prerequisites

dnf install clang cargo cryptsetup-devel -y

Device

git clone https://github.com/shimunn/fido2luks.git && cd fido2luks

sudo -E cargo install -f --path . --root /usr

cp dracut/96luks-2fa/fido2luks.conf /etc/
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf

set -a
. /etc/fido2luks.conf

sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>

sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>

Dracut

cd dracut

sudo make install

Grub

Add rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID> to GRUB_CMDLINE_LINUX in /etc/default/grub

Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using fido2luks add-key

grub2-mkconfig > /boot/grub2/grub.cfg

I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system

mkdir /boot/fido2luks/
cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/

Test

Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:

cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>

Addtional settings

Password less

Remove your previous secret as described in the next section, in case you've already added one.

Open /etc/fido2luks.conf and replace FIDO2LUKS_SALT=Ask with FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING> but be warned that this password will be included to into your initramfs.

Import the new config into env:

set -a
. /etc/fido2luks.conf

Then add the new secret to each device and update dracut afterwards dracut -f

Removal

Remove rd.luks.2fa from GRUB_CMDLINE_LINUX in /etc/default/grub

set -a
. fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>

sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf

License

Licensed under the Mozilla Public License 2.0, (LICENSE-MPL or https://www.mozilla.org/en-US/MPL/2.0/)

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the MPL 2.0 license, shall be dual licensed as above, without any additional terms or conditions.