darkskiez / u2f-luks

Licence: Apache-2.0 license
U2F LUKS Support - Use U2F USB tokens to unlock encrypted disks.

Disclaimer: This is potentially a very silly / dangerous tool to use

NEW: Now also available as a cryptsetup external token provider using the official API

OLD

Prerequisites

  • A Debian variant system
  • An already configured LUKS encrypted disk
  • A willingness to use non-audited code for your security or convenience.
  • One or more U2F Tokens (with USB HID Support)
  • A filesystem that can be mounted in an initramfs

This does NOT yet support systemd, because systemd does not support keyscripts. The workaround is that the initramfs parameter forces your disk to be unlocked in the initramfs, before systemd has started.

How does this work?

This uses some trickery in order to synthesise a static key from a U2F token, because:

  • U2F keys are almost stateless, holding only a counter
  • U2F keys can only sign requests with ECDSA
  • U2F signatures are only over partially caller-supplied data, which includes the counter

This tool uses the public key obtained during the register request as the LUKS private key, and derives that public key back from the authenticate requests using elliptic curve key recovery (http://github.com/darkskiez/eckr) on the signatures.

This tool encrypts the keyhandle, optionally with the user passphrase, and stores it in the u2f-luks.keys file. Only the correct keyhandle, passphrase and U2F token will yield the correct key. We store a hash based on the correct key in the keyfile because the key recovery algorithm returns two candidate keys.

Most U2F tokens will blink if the correct matching password is entered.

Download and Build

go get -u github.com/darkskiez/u2f-luks

Install

sudo cp $GOPATH/bin/u2f-luks /usr/local/bin
sudo cp $GOPATH/src/github.com/darkskiez/u2f-luks/initramfs-hooks/u2fkey /etc/initramfs-tools/hooks/

Enroll a token

  1. Generate a new key
KEY=$(mktemp)
sudo u2f-luks -v -enroll -keyfile /etc/u2f-luks.keys >$KEY
sudo cryptsetup luksAddKey /dev/sdxx $KEY
rm $KEY
  2. Add the initramfs and keyscript settings, e.g.:
$EDITOR /etc/crypttab
# OLD
sdax_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks
# NEW
sdax_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks,initramfs,keyscript=/usr/local/bin/u2f-luks
  3. Update the initramfs
sudo update-initramfs -u
  4. Reboot and hope for the best

When prompted for your password enter the 2FA password and tap the token. If you did not supply a password during enroll, you can just tap the token.

If this fails to unlock your disk, enter your previous disk encryption passphrase and press enter when prompted to touch your token.

  5. Revoke your existing passphrase

This optional step is left as an exercise for the enthusiastic.

Revoke a token

KEY=$(mktemp)
sudo u2f-luks -v -keyfile /etc/u2f-luks.keys >$KEY
sudo cryptsetup luksRemoveKey /dev/sdxx $KEY
rm $KEY

Revoke a lost token

# Check which slots are used, 0 is often the original passphrase and 1..7 the additional keys
sudo cryptsetup luksDump /dev/sdxx
# Kill the slot for the lost token, this checks you still have a valid passphrase after
sudo cryptsetup luksKillSlot /dev/sdxx [0-7]

Uninstall

  1. Ensure you have a functioning passphrase that works without a U2F token
sudo cryptsetup luksOpen --test-passphrase /dev/sdxx
  2. Restore your crypttab file

Remove the initramfs and keyscript args you added during installation

  3. Update the initramfs again.
sudo update-initramfs -u
  4. Follow the Revoke a Token instructions