GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → mjec → khefin

mjec / khefin

Licence: GPL-3.0 license
A simple way to generate password-proteceted secrets from a FIDO2 authenticator with the hmac-secret extension

Programming Languages

c
50402 projects - #5 most used programming language
Makefile
30231 projects
shell
77523 projects
M4
1887 projects
Dockerfile
14818 projects

Labels

security-toolsfido2-authenticator

Projects that are alternatives of or similar to khefin

go-libfido2
libfido2 bindings for golang
Stars: ✭ 42 (-10.64%)
Mutual labels:  fido2-authenticator

khefin

A system for using a FIDO2 authenticator with hmac-secret extension support to generate passphrase-protected secrets.

Continuous integration status

Installation

For Arch Linux, install the khefin AUR package.

Install dependencies libfido2, libcbor and libsodium, then make all && sudo make install.

For more, see INSTALL.md.

At the moment I believe this tool is linux-only; issue reports or pull requests to improve portability are gratefully accepted.

Usage

The man page contains full usage information, but briefly:

khefin enumerate will give you a list of connected authenticator devices, with a leading ! for any device that is not supported.

khefin enrol -d /dev/hidraw0 -f /path/to/encrypted/keyfile will create (or overwrite!) /path/to/encrypted/keyfile with an encrypted keyfile, the output of which depends on the authenticator at /dev/hidraw0.

khefin generate -f /path/to/encrypted/keyfile will read that encrypted keyfile and output a secret based on it; but this will fail if the originally-used authenticator device is not connected (and the button pressed, if required). This will produce a 128 character ASCII (hex digits) string on STDOUT, followed by a single newline.

khefin-add-luks-key /path/to/encrypted/keyfile /dev/disk will add the result of your encrypted keyfile to a keyslot in the LUKS-encrypted /dev/disk. See the manual for this tool for more information. Backup your LUKS header and data before using this.

khefin-ssh-askpass is a drop-in replacement for the ssh-askpass binary. See the manual for this tool for more information.

Authenticator support

This application relies on an extension to the FIDO2 standard, which not all FIDO2 authenticators support. khefin enumerate will show a leading ! for any connected authenticator that is not supported.

For a list of authenticators known to work or not work with this software, see the GitHub wiki page.

Risks

The number one risk is that by playing around with encryption like this you will lose your data. Keep good, offline backups of your data. Test your backups regularly, to ensure files can be recovered without access to any of your usual hardware or software.

Each keyfile is associated with only one authenticator, and only one passphrase. To be secure, you are going to need at least two authenticators, which means two keyfiles. Make sure that whatever system you're using has support for that.

Backup your LUKS header and data before using this for disk encryption keys. Seriously.

Keep a backup of the keyfile created by this application as well. If you lose that file, it is impossible to recover the secret.

The security of this system depends on the security of your authenticator device, libsodium, libfido2, and the quality of your passphrase. It's also possible -- and indeed more likely than any of the former issues -- that there's a bug in the code for this application which compromises its security somehow. Pull requests and issues are very welcome.

Warrant canary (but not a warranty)

As at 17 January 2021, I (@mjec) have not received or complied with any government or non-government requests for information or services relating to this software, nor am I aware of any such requests.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].