Decrypt your LUKS partition using a FIDO2 compatible authenticator

Overview


This will allow you to unlock your LUKS encrypted disk with a FIDO2 compatible key.

Note: This has only been tested under Fedora 31, Ubuntu 20.04 and NixOS using a Solo Key, a Trezor Model T and a YubiKey (fw >= 5.2.3).

Setup

Prerequisites

dnf install clang cargo cryptsetup-devel -y

Device

git clone https://github.com/shimunn/fido2luks.git && cd fido2luks

# Alternatively: cargo build --release && sudo cp target/release/fido2luks /usr/bin/
sudo -E cargo install -f --path . --root /usr

# Copy template
cp dracut/96luks-2fa/fido2luks.conf /etc/
# Name is optional but useful if your authenticator has a display
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf

# Load config into env
set -a
. /etc/fido2luks.conf

# Repeat for each luks volume
# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
# enabling you to use `fido2luks open-token` without passing a credential as parameter
sudo -E fido2luks -i add-key /dev/disk/by-uuid/

# Test (only works if the LUKS container isn't active)
sudo -E fido2luks -i open /dev/disk/by-uuid/ luks-

Dracut

cd dracut

sudo make install

Grub

Add rd.luks.2fa= : to GRUB_CMDLINE_LINUX in /etc/default/grub

Note: This is only required for your root disk; systemd will try to unlock all other LUKS partitions using the same key if you added it using fido2luks add-key.

grub2-mkconfig > /boot/grub2/grub.cfg

I'd also recommend copying the executable and its config to /boot so that they are accessible in case you have to access your disk from a rescue system:

mkdir /boot/fido2luks/
cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/

Testing

Just reboot and see if it works. If it does, you should remove your old, less secure password from your LUKS header. Do this only after the header backup below is stored somewhere safe: `--exclusive` drops every other keyslot, so afterwards the authenticator (plus salt/password) is the only way in.

# Recommended in case you lose your authenticator; store this backup file somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/ --header-backup-file luks_backup_
# There is no turning back if you mess this up, make sure you made a backup
# You can also pass `--token` if you're using LUKS2, which will then store the credential in the LUKS header
# and enable you to use `fido2luks open-token` without passing a credential as parameter
# `--exclusive` removes all other keyslots, leaving only the newly added FIDO2 one
fido2luks -i add-key --exclusive /dev/disk/by-uuid/

Additional settings

Password less

Remove your previous secret as described in the next section, in case you've already added one.

Open /etc/fido2luks.conf and replace FIDO2LUKS_SALT=Ask with FIDO2LUKS_SALT=string: followed by a password of your choice, but be warned that this password will be included in your initramfs in plaintext. Anyone able to read /boot can read it, so the authenticator is then the only real factor protecting the disk.

Import the new config into env:

set -a
. /etc/fido2luks.conf

Then add the new secret to each device and rebuild the initramfs afterwards with dracut -f

Multiple keys

Additional/backup keys are supported: multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.

FIDO2LUKS_CREDENTIAL_ID=,,

Removal

Remove rd.luks.2fa from GRUB_CMDLINE_LINUX in /etc/default/grub

set -a
. /etc/fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/

sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf

Theory of operation

fido2luks builds on two basic building blocks: LUKS as an abstraction over Linux disk encryption, and the FIDO2 extension hmac-secret. The hmac-secret extension allows a secret to be derived on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FIDO2 device. The output of the hmac-secret function is then used as the passphrase for a LUKS keyslot, which in turn unlocks the disk master key.


        +-------------------------------------------------------------------------------+
        |                                                                               |
        |                       +-----------------------------------------+             |
        |                       |               FIDO2 device              |             |
        |                       |                                         |             |
        |                       |                                         |             |
+-------+--------+   +------+   |                      +---------------+  |             |             +------------------------+
| Salt/Password  +-> |sha256+------------------------> |               |  |             v             |      LUKS header       |
+----------------+   +------+   |                      |               |  |                           |                        |           +---------------+   
                                |                      |               |  |        +--------+         +------------------------+-------->  |Disk master key| 
                                |                      |  sha256_hmac  +---------> | sha256 +-------> | Keyslot 1              |           +---------------+ 
+----------------+              |  +----------+        |               |  |        +--------+         +------------------------+
| FIDO credential+---------------> |Credential| +----> |               |  |                           | Keyslot 2              |
+----------------+              |  |secret    |        |               |  |                           +------------------------+
                                |  +----------+        +---------------+  |
                                |                                         |
                                |                                         |
                                +-----------------------------------------+

Since all these components build upon each other, losing or damaging just one of them will render the disk undecryptable. It is therefore of paramount importance to back up the LUKS header and ideally set a backup password or use more than one FIDO2 device. Each additional credential and password combination requires its own LUKS keyslot, since the credential secret is randomly generated for each new credential and will thus result in a completely different derived secret.
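To make the chain in the diagram concrete, here is a software model of the derivation. This is an added example, not fido2luks code and not an authenticator's firmware: the byte encodings, the SHA-256 of the salt input, HMAC-SHA-256 as the hmac-secret function and the final SHA-256 before LUKS are read off the diagram and are assumptions about the real implementation. The FIDO2 device is simulated in-process so the model runs offline; the CTAP2 PIN protocol that encrypts the salt in transit is omitted. It also illustrates the point made under "Multiple keys": a second credential yields an unrelated secret and therefore needs its own keyslot, and without the device the passphrase cannot be recomputed even with the correct password.

```python
"""Model of the fido2luks derivation chain: password -> sha256 -> hmac-secret -> sha256 -> keyslot.

Added example; the simulated authenticator and all encodings are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class SimulatedAuthenticator:
    """Stands in for the FIDO2 device: one random 32-byte CredRandom per credential.

    A real authenticator never releases CredRandom; it only returns HMAC outputs.
    """
    cred_randoms: dict = field(default_factory=dict)

    def make_credential(self, name: str) -> bytes:
        # Each new credential gets its own random device-side secret (hypothetical id format).
        cred_id = hashlib.sha256(name.encode() + os.urandom(16)).digest()
        self.cred_randoms[cred_id] = os.urandom(32)
        return cred_id

    def hmac_secret(self, cred_id: bytes, salt: bytes) -> bytes:
        # hmac-secret extension: HMAC-SHA-256(CredRandom, salt), computed inside the device.
        if len(salt) != 32:
            raise ValueError("hmac-secret salts are exactly 32 bytes")
        cred_random = self.cred_randoms.get(cred_id)
        if cred_random is None:
            # Wrong or missing authenticator: nothing to derive from.
            raise LookupError("unknown credential on this authenticator")
        return hmac.new(cred_random, salt, hashlib.sha256).digest()


def luks_passphrase(auth: SimulatedAuthenticator, cred_id: bytes, password: bytes) -> bytes:
    """Salt/password -> sha256 -> hmac-secret on device -> sha256 -> LUKS keyslot passphrase."""
    salt = hashlib.sha256(password).digest()
    secret = auth.hmac_secret(cred_id, salt)
    return hashlib.sha256(secret).digest()


def demo() -> dict:
    """Exercise the properties the text relies on; returns a dict of checks."""
    auth = SimulatedAuthenticator()
    cred_a = auth.make_credential("laptop")
    cred_b = auth.make_credential("backup")      # second credential -> needs a second keyslot
    pw = b"correct horse battery staple"         # constructed sample password

    k1 = luks_passphrase(auth, cred_a, pw)
    k2 = luks_passphrase(auth, cred_a, pw)          # same inputs -> same passphrase
    k_wrong_pw = luks_passphrase(auth, cred_a, b"wrong password")
    k_other_cred = luks_passphrase(auth, cred_b, pw)  # same password, different CredRandom

    # Losing the authenticator: even with the right password the HMAC cannot be recomputed.
    lost = SimulatedAuthenticator()
    try:
        luks_passphrase(lost, cred_a, pw)
        recoverable = True
    except LookupError:
        recoverable = False

    return {
        "deterministic": k1 == k2,
        "password_matters": k1 != k_wrong_pw,
        "credential_needs_own_keyslot": k1 != k_other_cred,
        "recoverable_without_device": recoverable,
        "passphrase_len": len(k1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the backup advice above mechanical: the keyslot passphrase depends on CredRandom, which exists only inside the device, so a header backup protects against header damage but not against losing the authenticator; only a second credential in its own keyslot (or a plain password keyslot) does that.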

License

Licensed under

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the MPL 2.0 license, shall be licensed as above, without any additional terms or conditions.

Comments
  • No such device or address (os error 6) during boot


    During the initrd process on system boot(Archlinux), I am running fido2luks print-secret --pin to get the response from solokey but getting the No such device or address error. But solokey is detected during initrd and I confirmed with fido2luks connected command. https://github.com/saravanan30erd/solokey-full-disk-encryption/blob/master/hooks/skfde In what cases we get this error?

    opened by saravanan30erd 13
  • Added an helper script to be used with pam_mount


    As we discussed in #20 . Feel free to integrate it :) I modified the PKGBUILD and cargo file to install the script but I am not sure of the path. Can you check it before merging ?

    opened by aacebedo 10
  • Error while decoding CBOR from device when using Yubikey 5 Nano


    This sounds the same as #4 , however for me it's even failing at step 1; generating the credential

    fido2luks credential
    authenticator error: Error while decoding CBOR from device.
    
    
    Device type: YubiKey 5 Nano
    Serial number: xxxxxxxxx
    Firmware version: 5.2.4
    Form factor: Nano (USB-A)
    Enabled USB interfaces: OTP+FIDO+CCID
    
    Applications
    OTP     	Enabled	
    FIDO U2F	Enabled	
    OpenPGP 	Enabled	
    PIV     	Enabled	
    OATH    	Enabled	
    FIDO2   	Enabled	
    
    getrandom("\xe7\x29\x0b\x6c\x13\xe4\x98\x49\x7d\xe0\xb3\x8c\xfb\x6a\x70\x27", 16, GRND_NONBLOCK) = 16
    openat(AT_FDCWD, "/sys/class/hidraw", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
    fstat(3, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
    getdents64(3, /* 9 entries */, 32768)   = 272
    openat(AT_FDCWD, "/sys/class/hidraw/hidraw6/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
    fcntl(6, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
    statx(0, NULL, AT_STATX_SYNC_AS_STAT, STATX_ALL, NULL) = -1 EFAULT (Bad address)
    statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
    read(6, "\5\f\t\1\241\1\205\1\25\0%\1u\1\t\351\t\352\225\2\201\2\t\265\t\315\t\266\225\3\201\6"..., 4097) = 85
    read(6, "", 4012)                       = 0
    close(6)                                = 0
    openat(AT_FDCWD, "/sys/class/hidraw/hidraw4/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
    statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
    read(6, "\5\1\t\2\241\1\t\1\241\0\5\t\31\1)\20\25\0%\1\225\20u\1\201\2\5\1\26\1\200&"..., 4097) = 67
    read(6, "", 4030)                       = 0
    close(6)                                = 0
    openat(AT_FDCWD, "/sys/class/hidraw/hidraw2/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
    statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
    read(6, "\5\1\t\6\241\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\225\1u\10\201\1\225\5u\1"..., 4097) = 65
    read(6, "", 4032)                       = 0
    close(6)                                = 0
    openat(AT_FDCWD, "/sys/class/hidraw/hidraw0/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
    statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
    read(6, "\5\1\t\6\241\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\225\1u\10\201\1\225\5u\1"..., 4097) = 71
    read(6, "", 4026)                       = 0
    close(6)                                = 0
    openat(AT_FDCWD, "/sys/class/hidraw/hidraw5/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
    statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
    read(6, "\5\1\t\6\241\1\205\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\201\3\225\6u\10\25\0"..., 4097) = 151
    read(6, "", 3946)                       = 0
    close(6)                                = 0
    openat(AT_FDCWD, "/sys/class/hidraw/hidraw3/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
    statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
    read(6, "\5\1\5\f\t\1\241\1\205\1\25\0%\1u\1\225\7\t\315\t\267\t\266\t\265\t\342\t\352\t\351"..., 4097) = 74
    read(6, "", 4023)                       = 0
    close(6)                                = 0
    openat(AT_FDCWD, "/sys/class/hidraw/hidraw1/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
    statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
    read(6, "\6\320\361\t\1\241\1\t \25\0&\377\0u\10\225@\201\2\t!\25\0&\377\0u\10\225@\221"..., 4097) = 34
    read(6, "", 4063)                       = 0
    close(6)                                = 0
    openat(AT_FDCWD, "/dev/hidraw1", O_RDWR|O_CLOEXEC) = 6
    getrandom("", 0, GRND_NONBLOCK)         = 0
    getrandom("\x6d\xd2\xdd\xa5\x37\x2a\x98\x7a\xbb\xad\xb4\xbc\xcc\x18\xbf\x42\x2b\x6f\xfc\x8d\xba\xf1\x61\xa0\x6c\xf8\xa5\xea\x77\xf9\x31\xbc", 32, GRND_NONBLOCK) = 32
    write(6, "\0\377\377\377\377\206\0\10\203\350\351I\37\"\372\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
    read(6, "\377\377\377\377\206\0\21\203\350\351I\37\"\372\251\0'\0\2\2\5\2\4\5\0\0\0\0\0\0\0\0"..., 64) = 64
    write(6, "\0\0'\0\2\220\0\1\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
    read(6, "\0'\0\2\220\0\277\0\252\1\203fU2F_V2hFIDO_2_0lFIDO"..., 64) = 64
    read(6, "\0'\0\2\0et\3P\356\210(yr\34I\23\227u=\374\316\227\7*\4\245brk\365b"..., 64) = 64
    read(6, "\0'\0\2\1gmtPreview\365\5\31\4\260\6\201\1\7\10\10\30\200\t\201cu"..., 64) = 64
    read(6, "\0'\0\2\2dtypejpublic-key\0\0\0\0\0\0\0\0\0\0\0"..., 64) = 64
    close(6)                                = 0
    close(3)                                = 0
    write(2, "authenticator error: ", 21authenticator error: )   = 21
    write(2, "Error while decoding CBOR from d"..., 38Error while decoding CBOR from device.) = 38
    write(2, "\n", 1
    )                       = 1
    sigaltstack({ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=8192}, NULL) = 0
    munmap(0x7f037e337000, 8192)            = 0
    exit_group(3)                           = ?
    +++ exited with 3 +++
    
    
    opened by arianvp 9
  • Use with pam_mount


    I successfully created a luks container and mounted it with fido2luks (great tool BTW !) I would like to integrate it with pam_mount and I don't know where to begin.

    My current setup dynamically opens a luks container containing my home when I log in through lightdm. The password of my session and of my container are the same, so I enter the password just one time; it is used by lightdm and passed to cryptsetup to open the container.

    I would like to use my U2F key to mount the luks container. As I use a solokey it requests a pin code each time, so I guess I would have to enter it during the lightdm login after the password. Or I can change the password to be the pincode to reuse it.

    Do you have an idea of how I can use fido2luks to do this ?

    opened by aacebedo 7
  • Need for more Documentation


    Hello, and thank you for working on and providing this software!

    I want to use a FIDO2 Stick for decrypting my LUKS device on ArchLinux, but I must admit that I have little knowledge about FIDO2 internals and how to do the setup. I would love to be pointed to some more documentation. I couldn't find much.

    Here is what I want to do: I currently have an encrypted LUKS partition (not the root partition) where /home resides in. Usually I decrypt it by entering the passphrase during boot. Now I want to store the FIDO2LUKS key into a second keyslot, such that I can decrypt /home during boot either by providing the password or by using the FIDO2 stick.

    What I have done so far:

    1. I installed fido2luks
    $ yay -S fido2luks
    
    2. I tested the connection with
    $ fido2luks connected
    Found 1 devices
    
    3. Generated a new credential:
    $ fido2luks credential
    15c9bec7284a5a09e0904006fea70dfe1daac52ec9dd94888c71a9f0d78310fd8c82d61d1df3520808fe832894664533262dae2262619c18ec0141da2be756214b5eaf010000
    
    4. Trying to add a keyslot to the LUKS header:
    $ sudo fido2luks add-key /dev/sda2 15c9bec7284a5a09e0904006fea70dfe1daac52ec9dd94888c71a9f0d78310fd8c82d61d1df3520808fe832894664533262dae2262619c18ec0141da2be756214b5eaf010000
    Current password: 
    ^C
    

    In Step 4, I type in a password for an already existing keyslot of the LUKS device. After that nothing happened. Tapping the FIDO2 stick also does nothing. So I canceled the program with Ctrl+C. What is supposed to happen?

    opened by jaystrictor 7
  • Invalid message or item length


    Hi, I am trying to follow your README to install fido2luks, but I cannot succeed. Maybe you can help me out. What I did:

    Step 1: Install packages

    sudo dnf install clang cargo cryptsetup-devel -y
    

    No problem.

    Step 2: Clone repository and install using cargo

    git clone https://github.com/shimunn/fido2luks.git 
    cd fido2luks
    sudo -E cargo install -f --path . --root /usr
    

    No problem.

    Step 3: Create credential with --pin option

    fido2luks credential
    #AuthenticatorError { cause: FidoError(
    #
    #This operating requires a PIN but none was provided.) }
    
    fido2luks credential --pin
    #Authenticator PIN: 
    #AuthenticatorError { cause: FidoError(FidoError(
    #
    #Device returned error: CborError: 0x3: Invalid message or item length.)
    #
    #Error while decoding CBOR from device.) }
    

    Am I doing something wrong here?

    opened by wmutschl 5
  • Create package for Archlinux


    @shimunn

    I would like to support for creating the archlinux package for fido2luks, so it will be available via pacman install. Please provide your input.

    opened by saravanan30erd 5
  • create PKGBUILD file for archlinux package


    refer #16

    @shimunn created PKGBUILD file which used to build package for archlinux, so it can be installed via pacman. I tested it in local setup and it works fine.

    opened by saravanan30erd 4
  • yubikey 5 nano with firmware 5.4.3 not detected


    I have several yubikeys. This is a brand new one fresh from Yubico that has the latest firmware 5.4.3. I have several with 5.2.4 which work just fine with fido2luks. When I run sudo fido2luks connected with this key, nothing is found. I can see the device with lsusb and ykman. I HAVE set the initial pin for this as required for fido to function, however that doesn't seem to have any effect on the issue and other tokens with old firmware would for connected before the pin is set. I am continuing to debug, but it seems like the device does not meet the ctap device filter for some reason in get_devices, though I have not confirmed this. Below is the ykman --diagnose output. Please advise on how best to proceed.

    ykman: 4.0.5
    Python: 3.8.5 (default, Jul 28 2020, 12:59:40) 
    [GCC 9.3.0]
    Platform: linux
    Arch: aarch64
    Running as admin: True
    
    Detected PC/SC readers:
    	Yubico YubiKey OTP+FIDO+CCID 00 00 (connect: Success)
    
    Detected YubiKeys over PC/SC:
    	ScardYubiKeyDevice(pid=0407, fingerprint='Yubico YubiKey OTP+FIDO+CCID 00 00')
    	RawInfo: 260102033f0302033f020400c8c1de04010205030504030602000007010f0801000a01000f0100
    	DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=13156830, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_NANO: 2>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False)
    	Device name: YubiKey 5 Nano
    	PIV
    		PIV version: 5.4.3
    		WARNING: Using default PIN!
    		PIN tries remaining: 3/3
    		WARNING: Using default Management key!
    		Management key algorithm: TDES
    		CHUID:	No data available.
    		CCC: 	No data available.
    	OATH
    		Oath version: 5.4.3
    		Password protected: False
    	OpenPGP
    		OpenPGP version: 3.4
    		Application version: 5.4.3
    		PIN tries remaining: 3
    		Reset code tries remaining: 0
    		Admin PIN tries remaining: 3
    		Touch policies
    		Signature key           Off
    		Encryption key          Off
    		Authentication key      Off
    		Attestation key         Off
    
    
    Detected YubiKeys over HID OTP:
    	OtpYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw0')
    	RawInfo: 260102033f0302033f020400c8c1de04010205030504030602000007010f0801000a01000f0100
    	DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=13156830, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_NANO: 2>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False)
    	Device name: YubiKey 5 Nano
    	OTP: ConfigState(configured: (True, False), touch_triggered: (True, False), led_inverted: False)
    
    
    Detected YubiKeys over HID FIDO:
    	CtapYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw1')
    CTAP device version: 5.4.3
    CTAPHID protocol version: 2
    Capabilities: 5
    	RawInfo: 260102033f0302033f020400c8c1de04010205030504030602000007010f0801000a01000f0100
    	DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=13156830, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_NANO: 2>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False)
    	Device name: YubiKey 5 Nano
    	Ctap2Info: {<VERSIONS: 0x01>: ['U2F_V2', 'FIDO_2_0', 'FIDO_2_1_PRE'], <EXTENSIONS: 0x02>: ['credProtect', 'hmac-secret'], <AAGUID: 0x03>: b'\xee\x88(yr\x1cI\x13\x97u=\xfc\xce\x97\x07*', <OPTIONS: 0x04>: {'rk': True, 'up': True, 'plat': False, 'clientPin': True, 'credentialMgmtPreview': True}, <MAX_MSG_SIZE: 0x05>: 1200, <PIN_UV_PROTOCOLS: 0x06>: [2, 1], <MAX_CREDS_IN_LIST: 0x07>: 8, <MAX_CRED_ID_LENGTH: 0x08>: 128, <TRANSPORTS: 0x09>: ['usb'], <ALGORITHMS: 0x0A>: [{'alg': -7, 'type': 'public-key'}, {'alg': -8, 'type': 'public-key'}], <MIN_PIN_LENGTH: 0x0D>: 4, <FIRMWARE_VERSION: 0x0E>: 328707}
    PIN retries: (8, None)
    
    End of diagnostics
    

    Note: I realize the architecture here may be unusual, but the other tokens work under these conditions. I have not censored any identifying info on this as I feel it is irrelevant to do so and would only make debugging harder.

    opened by geneerik 3
  • Theory of operation


    Documented how secrets are derived, addresses #19

    @gbdlin does that satisfy your needs or are there any other questions or more details required?

    rendered: https://github.com/shimunn/fido2luks/tree/operation#theory-of-operation

    opened by shimunn 3
  • no need to read password twice


    With the current single implementation of read_password fido2luks asks for the password twice. This is not needed in every case, such as inputting the old secret, which we should just check and check for fail.

    opened by mmahut 3
  • fido2luks 0.2.20 fails to build with cryptsetup 2.5.0


    Binding names in cryptsetup were changed in version 2.5.0, and that change breaks builds of libcryptsetup-rs with version lower than 0.5.1. https://github.com/NixOS/nixpkgs/issues/188524

    opened by ehllie 0
  • Cannot have multiple credentials per YubiKey


    I'm not sure if I'm merely misunderstanding something or if this is a bug. If it is a bug, I'm not even sure if it's in fido2luks.

    As illustrated below, it appears that no matter what you name the credential, it seems to always clobber the previous credential.

    I did some research on whether this is actually expected behavior but as far as I can tell test1 and test2 (being a "username") should be unique credentials even if they're both sharing the Relying Party ID of fido2luks.

    I tried digging through the code, both fido2luks at tag 0.2.20 and ctap_hmac, and I couldn't identify a reason for the fact that these credentials are getting clobbered.

    Is this intentional? Is there a reason we can't have multiple fido2luks credentials per YubiKey (per FIDO2 device)?

    $ fido2luks credential -P 'test1'                                                                                         
    Authenticator PIN: 
    REDACTED
    
    $ ykman fido credentials list    
    Enter your PIN: 
    fido2luks 00 test1
    
    $ fido2luks credential -P 'test2'
    Authenticator PIN: 
    REDACTED
    
    $ ykman fido credentials list    
    Enter your PIN: 
    fido2luks 00 test2
    

    Versions

    $ fido2luks --version            
    fido2luks 0.2.20
    
    $ ykman info
    Device type: YubiKey 5 NFC
    Serial number: REDACTED
    Firmware version: 5.2.7
    
    opened by syphoxy 3
  • Bump thread_local from 1.0.1 to 1.1.4


    Bumps thread_local from 1.0.1 to 1.1.4.

    Commits
    • 4a54e57 Bump version to 1.1.4
    • ebf8b45 Merge pull request #34 from ibraheemdev/patch-1
    • 3d69afa Fix memory ordering in RawIter::next
    • c7d8dcd Bump version to 1.1.3
    • 5e8bbf2 Merge pull request #30 from Marwes/fix_drop
    • a44b836 fix: Drop the value in the ThreadLocal on drop
    • 322cf34 Bump version to 1.1.2
    • dca4007 Merge pull request #29 from Kestrer/raw-iter
    • 33ad405 Add #[inline] to non-generic functions
    • 810c043 Implement iterator logic in RawIter
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • Bump crossbeam-deque from 0.7.3 to 0.7.4


    Bumps crossbeam-deque from 0.7.3 to 0.7.4.

    Changelog

    Sourced from crossbeam-deque's changelog.

    Version 0.8.1

    • Support targets that do not have atomic CAS on stable Rust (#698)

    Version 0.8.0

    • Bump the minimum supported Rust version to 1.36.
    • Bump crossbeam-channel to 0.5.
    • Bump crossbeam-deque to 0.8.
    • Bump crossbeam-epoch to 0.9.
    • Bump crossbeam-queue to 0.3.
    • Bump crossbeam-utils to 0.8.
    Commits


    dependencies 
    opened by dependabot[bot] 0
  • pin-source flag missing from cli arguments


    Hi. I am trying to use the -pin--source flag which was being used in a project a couple of years back. Now when I try to use the -pin--source flag with the latest version of fido2luks it gives me an error saying that --pin-source was not an expected argument or isn't valid. I was going through the source code and I could not find the -pin--source argument in the latest version.

    What are the latest changes regarding this, or has it been deprecated so that I will not be able to use it anymore?

    Thanks

    opened by ehte92 0
  • added: pin-helper option


    Addresses #43

    @MkfsSion would you mind testing this, as I don't have a PIN protected key around atm.

    Usage should be as follows:

    fido2luks open /dev/nvme1n1p1 --pin --password-helper 'bash -c "echo 123456"' --pin-helper 'bash -c "echo 1234"' test
    
    opened by shimunn 2

EVM Indexer Minimalistic EVM-compatible blockchain indexer written in rust. This repository contains a program to index helpful information from any E

Kike B 14 Dec 24, 2022
Minimalistic EVM-compatible chain indexer.

EVM Indexer Minimalistic EVM-compatible blockchain indexer written in rust. This repository contains a program to index helpful information from any E

LlamaFolio 11 Dec 15, 2022
Reference library that implements all the necessary functionality for developing a client that is compatible with TAPLE's DLT network.

⚠️ TAPLE is in early development and should not be used in production ⚠️ TAPLE Core TAPLE (pronounced T+ ?? ['tapəl]) stands for Tracking (Autonomous)

Open Canarias 6 Jan 25, 2023
Write Anchor-compatible Solana programs in TypeScript

Axolotl Write Achor-compatible Solana programs using TypeScript. Writing Rust is hard, but safe. It's also the go-to language for writing Solana progr

Anthony Morris 17 Nov 27, 2022
A framework for developing EVM-compatible chains

rt-evm A compact development framework for creating EVM-compatible runtimes/chains. Usage Check the example for details. Projects referenced trie, MPT

Rust Util Collections 4 Mar 15, 2023
Fast array expressions on the stack, no-std compatible

Strobe Fast, low-memory, elementwise array expressions on the stack. Compatible with no-std (and no-alloc) environments. This crate provides array exp

James Logan 3 Sep 23, 2023
Y-Octo is a high-performance CRDT implementation compatible with yjs

Y-Octo Y-Octo is a high-performance CRDT implementation compatible with yjs. Introduction Y-Octo is a tiny, ultra-fast CRDT collaboration library buil

null 79 Oct 5, 2023
Flexible Rust implementation of the MuSig2 multisignature protocol, compatible with Bitcoin.

MuSig2 This crate provides a flexible rust implementation of MuSig2, an optimized digital signature aggregation protocol, on the secp256k1 elliptic cu

null 4 Oct 31, 2023
A Boring(SSL)-compatible API abstraction for Rust cryptographic implementations.

A Boring(SSL)-compatible API abstraction for Rust cryptographic implementations. What is Superboring? Superboring hides the complexity, diversity and

Frank Denis 7 Dec 29, 2023
A high-performance, highly compatible EVM Inscriptions Indexer

Insdexer A high-performance, highly compatible EVM Inscriptions Indexer by Rust. An accessible and complete version of the documentation is available

null 105 Mar 17, 2024