Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added documentation and tweaked readme #12

Closed
wants to merge 5 commits into from
Closed

Added documentation and tweaked readme #12

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c7c5a0d
Update README.md
Andrew-Finn Aug 12, 2020
dde6db0
Inital Ubuntu install steps
Andrew-Finn Aug 12, 2020
99bd872
Update README.md
Andrew-Finn Aug 12, 2020
ed2ce45
Update README.md
Andrew-Finn Aug 12, 2020
1f1c2d2
Update README.md
Andrew-Finn Aug 12, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 10 additions & 3 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)

This will allow you to unlock your luks encrypted disk with an fido2 compatible key
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.

Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T

Expand Down Expand Up @@ -65,7 +65,7 @@ cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/
```

## Test
## Testing

Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:

Expand Down Expand Up @@ -96,10 +96,16 @@ set -a

Then add the new secret to each device and update dracut afterwards `dracut -f`

### Multiple keys

Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
```
FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
```

## Removal

Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub

```
set -a
. fido2luks.conf
Expand All @@ -108,6 +114,7 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
```


## License

Licensed under
Expand Down
34 changes: 27 additions & 7 deletions initramfs-tools/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,33 @@
## Initramfs-tools based systems(Ubuntu and derivatives)

After installation generate your credentials and add keys to your disk as described in the top-level README
then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
[Dowload and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Linking the deb is a good idea however it be good to hint that installation from source is possible


Example:
```
sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
```
sudo -s

# Insert FIDO key.
fido2luks credential
# Tap FIDO key
# Copy returned string <CREDENTIAL>

nano /etc/fido2luks.conf
# Insert <CREDENTIAL>
# FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL>

set -a
. /etc/fido2luks.conf
fido2luks -i add-key /dev/<LUKS PARTITION>
# Current password: <Any current LUKS password>
# Password: <Password used as FIDO challange>
# Tap FIDO key

But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
nano /etc/crypttab
# Append to end ",discard,initramfs,keyscript=fido2luks"
# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks

update-initramfs
Andrew-Finn marked this conversation as resolved.
Show resolved Hide resolved


```

[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)