shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity
106 Commits 28 Branches 21 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
shimun 6f6c84ddba
skip luks2 check until underlying issue is fixed
2020-06-07 14:14:51 +02:00
dracut
Added --await-dev flag
2020-01-13 23:23:45 +01:00
src
skip luks2 check until underlying issue is fixed
2020-06-07 14:14:51 +02:00
.drone.yml
0.2.0
2019-09-22 21:19:33 +02:00
.gitignore
skel
2019-09-14 22:56:57 +02:00
Cargo.lock
update libcryptsetup_rs to 0.4.0
2020-06-06 22:43:18 +02:00
Cargo.toml
update libcryptsetup_rs to 0.4.0
2020-06-06 22:43:18 +02:00
fido2luks.conf
instructions
2019-09-19 18:48:05 +02:00
LICENSE
instructions
2019-09-19 18:48:05 +02:00
README.md
mention clang build dependency
2020-04-06 22:52:15 +02:00

README.md

fido2luks Crates.io Version

This will allow you to unlock your luks encrypted disk with an fido2 compatible key

Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T

Setup

Prerequisites

dnf install clang cargo cryptsetup-devel -y

Device

git clone https://github.com/shimunn/fido2luks.git && cd fido2luks

# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
sudo -E cargo install -f --path . --root /usr

# Copy template
cp dracut/96luks-2fa/fido2luks.conf /etc/
# Name is optional but useful if your authenticator has a display
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf

# Load config into env
set -a
. /etc/fido2luks.conf

# Repeat for each luks volume
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>

# Test(only works if the luks container isn't active)
sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>

Dracut

cd dracut

sudo make install

Grub

Add rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID> to GRUB_CMDLINE_LINUX in /etc/default/grub

Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using fido2luks add-key

grub2-mkconfig > /boot/grub2/grub.cfg

I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system

mkdir /boot/fido2luks/
cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/

Test

Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:

# Recommend in case you lose your authenticator, store this backupfile somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
# There is no turning back if you mess this up, make sure you made a backup
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>

Addtional settings

Password less

Remove your previous secret as described in the next section, in case you've already added one.

Open /etc/fido2luks.conf and replace FIDO2LUKS_SALT=Ask with FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING> but be warned that this password will be included to into your initramfs.

Import the new config into env:

set -a
. /etc/fido2luks.conf

Then add the new secret to each device and update dracut afterwards dracut -f

Removal

Remove rd.luks.2fa from GRUB_CMDLINE_LINUX in /etc/default/grub

set -a
. fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>

sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
Description
No description provided
Readme 554 KiB
Languages
Rust 73.7%
Shell 21.7%
Nix 2.7%
Makefile 1.9%