From c7c5a0dd2a79ad64417502de897797ae80eb8382 Mon Sep 17 00:00:00 2001 From: Andrew-Finn <44867518+Andrew-Finn@users.noreply.github.com> Date: Wed, 12 Aug 2020 21:04:47 +0100 Subject: [PATCH 1/5] Update README.md Added documentation for multiple credentials & style changes --- README.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bcacee4..f655d22 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks) -This will allow you to unlock your luks encrypted disk with an fido2 compatible key +This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key. Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T @@ -96,10 +96,18 @@ set -a Then add the new secret to each device and update dracut afterwards `dracut -f` +### Multiple keys + +Additional/backup keys are supported, Multiple fido2luks credentials can be addded to your /etc/fido2luks.conf file. Crendetial tokens are comma seperated. + +``` +FIDO2LUKS_CREDENTIAL_ID=,, + +``` + ## Removal Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub - ``` set -a . fido2luks.conf @@ -108,6 +116,7 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/ sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf ``` + ## License Licensed under From dde6db0fcf289bbae1edf44a9c76da9c1888385a Mon Sep 17 00:00:00 2001 From: Andrew-Finn <44867518+Andrew-Finn@users.noreply.github.com> Date: Wed, 12 Aug 2020 21:27:33 +0100 Subject: [PATCH 2/5] Inital Ubuntu install steps --- initramfs-tools/README.md | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) 
diff --git a/initramfs-tools/README.md b/initramfs-tools/README.md index 63f11a2..ed13fad 100644 --- a/initramfs-tools/README.md +++ b/initramfs-tools/README.md @@ -1,13 +1,33 @@ ## Initramfs-tools based systems(Ubuntu and derivatives) -After installation generate your credentials and add keys to your disk as described in the top-level README -then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab` +[Dowload and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases) -Example: -``` -sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks ``` +sudo -s + +# Insert FIDO key. +fido2luks credential +# Tap FIDO key +# Copy returned string + +nano /etc/fido2luks.conf +# Insert +# FIDO2LUKS_CREDENTIAL_ID= + +set -a +. /etc/fido2luks.conf +fido2luks -i add-key /dev/ +# Current password: +# Password: +# Tap FIDO key -But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid. +nano /etc/crypttab +# Append to end ",discard,initramfs,keyscript=fido2luks" +# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks + +update-initramfs + + +``` -[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg) \ No newline at end of file +[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg) From 99bd872deefd3f277184b8f7144449daf45226ca Mon Sep 17 00:00:00 2001 From: Andrew-Finn <44867518+Andrew-Finn@users.noreply.github.com> Date: Wed, 12 Aug 2020 21:29:04 +0100 Subject: [PATCH 3/5] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index f655d22..a754c64 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,6 @@ Additional/backup keys are supported, Multiple fido2luks credentials can be addd ``` FIDO2LUKS_CREDENTIAL_ID=,, - ``` ## Removal From ed2ce452a54a168bd71ffe498a19a7fcb9c06828 Mon Sep 17 00:00:00 2001 
From: Andrew-Finn <44867518+Andrew-Finn@users.noreply.github.com> Date: Wed, 12 Aug 2020 21:30:08 +0100 Subject: [PATCH 4/5] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index a754c64..0466c36 100644 --- a/README.md +++ b/README.md @@ -98,8 +98,7 @@ Then add the new secret to each device and update dracut afterwards `dracut -f` ### Multiple keys -Additional/backup keys are supported, Multiple fido2luks credentials can be addded to your /etc/fido2luks.conf file. Crendetial tokens are comma seperated. - +Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated. ``` FIDO2LUKS_CREDENTIAL_ID=,, ``` From 1f1c2d2c1b5ac66238a98489db428d9e5b5b7052 Mon Sep 17 00:00:00 2001 From: Andrew-Finn <44867518+Andrew-Finn@users.noreply.github.com> Date: Wed, 12 Aug 2020 21:32:30 +0100 Subject: [PATCH 5/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0466c36..4879420 100644 --- a/README.md +++ b/README.md @@ -65,7 +65,7 @@ cp /usr/bin/fido2luks /boot/fido2luks/ cp /etc/fido2luks.conf /boot/fido2luks/ ``` -## Test +## Testing Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
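Review bot: In PATCH 1/5, README.md hunk @@ -1,6 +1,6, the added line reads "an FIDO2 compatible key"; it should be "a FIDO2-compatible key". The acronym capitalisation and the full stop are fine as changed.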
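Review bot: The new "Multiple keys" section in PATCH 1/5 (README.md, @@ -96,10 +96,18) tells the reader only to list several credentials in /etc/fido2luks.conf and does not say how each additional credential is created or whether it has to be enrolled on the LUKS device. Suggest pointing back to the `fido2luks credential` and `add-key` steps for every extra key, so that a backup key is known to unlock the disk before it is needed. The added paragraph also has typos ("addded", "Crendetial", "seperated") and a capital after a comma ("supported, Multiple"), and the same hunk drops the blank line between the Removal paragraph and its code fence.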
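Review bot: In PATCH 2/5 (initramfs-tools/README.md, @@ -1,13 +1,33), the last command of the new block is a bare `update-initramfs`, which exits without rebuilding anything because the tool requires a mode flag (-u, -c or -d); it should be `update-initramfs -u` so the initramfs is regenerated with the keyscript. The crypttab comment now tells users to append `,discard,initramfs,keyscript=fido2luks`, whereas the removed text asked only for `initramfs,keyscript=fido2luks`; `discard` is unrelated to FIDO2 unlocking and passes TRIM requests through the encrypted mapping, so it should be left out of the instruction or marked as optional. "Dowload" in the link text should be "Download", and the two empty lines before the closing fence can go.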
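Review bot: In PATCH 4/5 (README.md, @@ -98,8 +98,7), the corrected sentence still joins two sentences with a comma ("Additional/backup keys are supported, Multiple fido2luks credentials ..."), and the hunk removes the blank line between that paragraph and the opening code fence. Suggest "Additional/backup keys are supported. Multiple fido2luks credentials can be added ..." and keeping the blank line before the fence. PATCH 3/5 and 4/5 only touch lines introduced in PATCH 1/5 and all carry the subject "Update README.md"; squashing them into the first patch would leave a series whose history says what changed.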