shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity
fido2luks/README_NEW.md
shimun f37ad8e78b
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
update readme
2020-10-27 15:53:21 +01:00

80 lines
3.0 KiB
Markdown
Raw Blame History

# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
## Installation
### From Source
Installing from source requires the following dependencies:
Ubuntu: `cargo, libclang-dev, libcryptsetup-dev >= 2.2`
Fedora: `cargo, clang-devel, cryptsetup-devel`
To compile the fido2luks binary you can simply run `sudo cargo install --root /usr fido2luks` but since you may want to install the scripts included it this repo as well,
it's recommended to clone the repo and install from there.
``
git clone https://github.com/shimunn/fido2luks.git
cargo install --root /usr --path fido2luks
``
Continue with further instructions for [Ubuntu](initramfs-tools) or [Fedora](dracut)
### From Package
Ubuntu: see [releases](https://github.com/shimunn/fido2luks/releases)
NixOS: https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2
ArchLinux:
* [AUR](https://aur.archlinux.org/packages/fido2luks/)
* [Git](PKGBUILD)
Fedora: coming soon
## Credentials
Depending on the version of cryptsetup and the age of your installation your LUKS header might be in the LUKS2 format already if that's the case fido2luks will be able to spare you from dealing with just another config file by simply storeing all the required information within your LUKS header.
If your header is still using the LUKS1 format you may convert it:
```
cryptsetup convert --type luks2 <device>
```
if you want to keep using LUKS1 due to other software such as pam_mount not being compatible with LUKS2 at the moment, you will have to generate credentials by hand an add them to `/etc/fido2luks.conf` otherwise you can skip this step.
```
fido2luks credential [optional name]
```
the generated hexadecimal credential can then be added to `FIDO2LUKS_CREDENTIAL_ID=` in `/etc/fido2luks.conf` multiple credentials can be separated by comma.
## Adding a Key
If you had to generate a credential in the previous step you'll have to provide it to the following commands as a parameter or via an environment variable:
```
set -a
. /etc/fido2luks.conf
```
To then add the key you need to have your current password/keyfile ready:
without having generated a credential in the previous step: `fido2luks -i add-key --gen-cred <device>`
with a keyfile: `fido2luks -i add-key --keyfile <path-to-keyfile <device>`
if you've confirmed at a later stage that everything works as expected you may want to remove your keyfile/password by running the previous commands with the `--exclusive` flag which will remove all other keys from the device.
## Replacing a Key
with password: `fido2luks -i replace-key <device>`
with keyfile: `fido2luks -i replace-key -d <path-to-keyfile> <device>`
with another fido2 derived key: `fido2luks -i replace-key -f <device>`
Reference in New Issue View Git Blame Copy Permalink