fido2luks/README_NEW.md
shimun f37ad8e78b
update readme
2020-10-27 15:53:21 +01:00


# fido2luks

This will allow you to unlock your LUKS encrypted disk with a FIDO2 compatible key.

Note: This has only been tested under Fedora 31, Ubuntu 20.04 and NixOS, using a Solo Key and a Trezor Model T.

## Installation

### From Source

Installing from source requires the following dependencies:

- Ubuntu: `cargo`, `libclang-dev`, `libcryptsetup-dev` >= 2.2
- Fedora: `cargo`, `clang-devel`, `cryptsetup-devel`

To compile the fido2luks binary you can simply run `sudo cargo install --root /usr fido2luks`, but since you may also want to install the scripts included in this repo, it's recommended to clone the repo and install from there:

```shell
git clone https://github.com/shimunn/fido2luks.git
cargo install --root /usr --path fido2luks
```

Continue with the further instructions for Ubuntu or Fedora.

### From Package

- Ubuntu: see releases
- NixOS: https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2
- ArchLinux:
- Fedora: coming soon

## Credentials

Depending on the version of cryptsetup and the age of your installation, your LUKS header might already be in the LUKS2 format. If that's the case, fido2luks can spare you from dealing with yet another config file by simply storing all the required information within your LUKS header. If your header is still using the LUKS1 format you may convert it:

```shell
cryptsetup convert --type luks2 <device>
```
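To know which of the two paths below applies, it helps to check the on-disk header version before converting anything. The following is an added example and not code from the fido2luks project: `luks_version` reads the first 8 bytes of a device or header image (the `LUKS\xba\xbe` magic followed by a big-endian 16-bit version) and prints `1`, `2` or `none`. The function names and the sample header images it builds are constructed for this example; the images contain only the magic and version bytes, not a real encrypted volume.

```shell
# Added example, not part of fido2luks or its README: read the LUKS on-disk
# header version so you know whether `cryptsetup convert --type luks2` is
# needed before relying on header-stored credentials. A LUKS header starts
# with the magic bytes "LUKS\xba\xbe", followed by the header version as a
# big-endian 16-bit integer (1 for LUKS1, 2 for LUKS2).
# Usage: luks_version <device-or-header-image>; prints 1, 2, or "none".
luks_version() {
    f=$1
    # First 8 header bytes as unsigned decimals: 6 magic bytes + 2 version bytes
    set -- $(od -An -tu1 -N8 "$f" 2>/dev/null)
    [ $# -eq 8 ] || { echo none; return 1; }
    # "LUKS\xba\xbe" is 76 85 75 83 186 190 in decimal
    if [ "$1 $2 $3 $4 $5 $6" != "76 85 75 83 186 190" ]; then
        echo none
        return 1
    fi
    echo $(( $7 * 256 + $8 ))
}

# Constructed sample "headers" for trying the check offline: only the magic
# and version bytes are written, which is all luks_version reads. They are
# not real encrypted volumes.
make_sample_header() {   # $1 = output path, $2 = LUKS version (1 or 2)
    case $2 in
        1) printf 'LUKS\272\276\000\001' > "$1" ;;
        2) printf 'LUKS\272\276\000\002' > "$1" ;;
        *) echo "unsupported version: $2" >&2; return 1 ;;
    esac
}

# Demo: run the script with --demo to build the samples in a temp dir and
# print the detected version of each one.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_header "$d/luks1.img" 1
    make_sample_header "$d/luks2.img" 2
    printf 'plain data' > "$d/plain.img"
    for img in "$d/luks1.img" "$d/luks2.img" "$d/plain.img"; do
        echo "$img: $(luks_version "$img")"
    done
    rm -r "$d"
fi
```

On a real system you would point `luks_version` at the LUKS partition (for example `luks_version /dev/sdX2`) or at a header backup made with `cryptsetup luksHeaderBackup`; a result of `1` means the conversion step above (or the LUKS1 config-file route) is still needed.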

If you want to keep using LUKS1, for example because other software such as pam_mount is not yet compatible with LUKS2, you will have to generate credentials by hand and add them to `/etc/fido2luks.conf`; otherwise you can skip this step.

```shell
fido2luks credential [optional name]
```

The generated hexadecimal credential can then be added to `FIDO2LUKS_CREDENTIAL_ID=` in `/etc/fido2luks.conf`; multiple credentials can be separated by commas.

## Adding a Key

If you had to generate a credential in the previous step you'll have to provide it to the following commands as a parameter or via an environment variable:

```shell
set -a
. /etc/fido2luks.conf
```
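A malformed `FIDO2LUKS_CREDENTIAL_ID` line is only discovered at the next unlock, so it is worth checking the config file before the LUKS1 workflow depends on it. The following is an added example, not code from the fido2luks project: it sources the file with `set -a` exactly as shown above and then verifies that the variable holds one or more comma-separated hexadecimal credential IDs, the format the section on credentials describes. The function names, the conf path argument and the sample file (whose credential IDs are made-up placeholders) are all assumptions of this example.

```shell
# Added example, not from the fido2luks project: sanity-check an
# /etc/fido2luks.conf before the LUKS1 workflow depends on it. The README
# states the file carries FIDO2LUKS_CREDENTIAL_ID= with one or more
# hexadecimal credential IDs separated by commas; the checks below only
# enforce that format. The sample conf content is constructed and its
# credential IDs are made-up placeholders.

# Return 0 when every comma-separated token is a non-empty, even-length hex
# string (hex encodes whole bytes, so an odd length cannot decode).
valid_credential_ids() {
    ids=$1
    case $ids in
        ''|,*|*,|*,,*) return 1 ;;   # empty list, or an empty token somewhere
    esac
    old_ifs=$IFS
    IFS=,
    set -- $ids                      # split on commas only
    IFS=$old_ifs
    for id in "$@"; do
        case $id in
            *[!0-9a-fA-F]*) return 1 ;;   # non-hex character
        esac
        [ $(( ${#id} % 2 )) -eq 0 ] || return 1
    done
    return 0
}

# Source the conf the same way the README does (set -a exports every
# variable for the fido2luks commands that follow), then validate the
# credential list. Prints a one-line verdict and returns 0 on success.
check_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "missing or unreadable: $conf"; return 1; }
    set -a
    . "$conf"
    set +a
    if valid_credential_ids "${FIDO2LUKS_CREDENTIAL_ID:-}"; then
        echo "ok: FIDO2LUKS_CREDENTIAL_ID in $conf is well-formed"
    else
        echo "invalid FIDO2LUKS_CREDENTIAL_ID in $conf: '${FIDO2LUKS_CREDENTIAL_ID:-}'"
        return 1
    fi
}

# Constructed sample conf for an offline dry run (placeholder IDs, not real).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample; the IDs below are placeholders, not real credentials
FIDO2LUKS_CREDENTIAL_ID=0a1b2c3d,4e5f6071
EOF
}

# Demo: run the script with --demo to write the sample conf to a temp dir
# and check it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_conf "$d/fido2luks.conf"
    check_conf "$d/fido2luks.conf"
    rm -r "$d"
fi
```

Against a real installation you would call `check_conf /etc/fido2luks.conf` before running the `add-key` commands; because it exports the variables as a side effect, the subsequent fido2luks invocations in the same shell see the credential just as they would after the two lines above.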

To then add the key you need to have your current password/keyfile ready:

- without having generated a credential in the previous step: `fido2luks -i add-key --gen-cred <device>`
- with a keyfile: `fido2luks -i add-key --keyfile <path-to-keyfile> <device>`

Once you've confirmed at a later stage that everything works as expected, you may want to remove your keyfile/password by running the previous commands with the `--exclusive` flag, which removes all other keys from the device.

## Replacing a Key

- with password: `fido2luks -i replace-key <device>`
- with keyfile: `fido2luks -i replace-key -d <path-to-keyfile> <device>`
- with another FIDO2 derived key: `fido2luks -i replace-key -f <device>`