forked from cornelinux/yubikey-luks
fido2-luks-enroll.1
.\" Hey, EMACS: -*- nroff -*-
.\" (C) Copyright 2015-2023 Markus Frosch <lazyfrosch@debian.org>, Nyancient <foxolotl@protonmail.com>
.\"
.\" Cornelius Kölbel <cornelius@privacyidea>
.\" Add the prerequisites
.TH FIDO2-LUKS-ENROLL 1 "2023-04-10"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
fido2-luks-enroll - enroll your FIDO2 security token for use with LUKS
.SH SYNOPSIS
.B fido2-luks-enroll
.RI "[ \-h ] [ \-c ] [ \-n ] [ \-d DEVICE ]"
.SH DESCRIPTION
.B fido2-luks-enroll
uses a FIDO2 token that supports the hmac-secret extension to add a key slot to a LUKS / cryptsetup device.
.PP
Currently, only a single FIDO2 token per encrypted device is supported. The program refuses to
enroll a new token while another one is already enrolled; remove the old one first (see
.BR \-c ).
.PP
The token, together with your chosen PIN, generates a response that is added as a key to the
cryptsetup device. On the next boot, insert the FIDO2 token into a USB slot and enter your PIN
to unlock the disk (no PIN is asked for if the token was enrolled with
.BR \-n ).
Alternatively, any other passphrase that is valid for that disk can still be entered.
.PP
The on-disk format written by this program is 100% compatible with the FIDO2 functionality of
.BR systemd-cryptenroll (1),
ensuring a painless transition should Debian start to use it to unlock encrypted root disks.
.SH OPTIONS
The following options change the behavior of the tool.
.TP
.B \-h
Show summary of options.
.TP
.B \-c
Remove all existing FIDO2 key slots from the device before enrolling the token. Required when a
token is already enrolled, since the tool does not replace an enrolled token on its own.
.TP
.B \-n
Enroll without requiring a PIN. At boot the token alone then unlocks the disk, so anyone holding
the token can decrypt it; without this option the PIN is required in addition to the token.
.TP
.BI \-d " DEVICE"
The disk device to work with (default: /dev/nvme0n1p3). Check that this really is the LUKS
container you intend to enroll into, for example against the source field of its
.B /etc/crypttab
entry, before relying on the default.
.SH BOOT SETUP
In order to decrypt your disk using your FIDO2 token at boot time, after enrolling your token
you also need to:
.IP \[bu]
Append
.B keyscript=/usr/share/fido2-luks/fido2-luks-keyscript
to the
.B OPTIONS
section of the
.B /etc/crypttab
entry corresponding to your encrypted root partition.
.IP \[bu]
Run
.B update-initramfs -u
to make the aforementioned changes take effect during boot.
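.PP
The following script is an added example and is not part of the fido2-luks project. It performs
the BOOT SETUP steps above: the crypttab entry for the root target gets the keyscript option
appended to its options field (idempotently, leaving comments and other targets untouched), and
the initramfs is rebuilt. Only the keyscript path, the tool names and the crypttab(5) layout come
from this page; the device, the target name and the backup file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of fido2-luks: wire the keyscript into /etc/crypttab
# and rebuild the initramfs after enrolling a token. Only the keyscript path,
# the tool names and the crypttab layout come from the man page; the device,
# target name and backup path below are assumptions for illustration.

KEYSCRIPT=/usr/share/fido2-luks/fido2-luks-keyscript

# crypttab_add_keyscript LINE [TARGET]
# Print LINE with keyscript=$KEYSCRIPT added to its options field.
# crypttab(5) layout: target  source  key-file  options (comma-separated).
# Blank lines, comments and (when TARGET is given) entries for other
# targets pass through untouched; a line that already carries a keyscript
# option is left alone, so the function is safe to run twice. Fields are
# re-joined with single spaces.
crypttab_add_keyscript() {
    line=$1
    target=${2:-}
    set -- $line                    # split on whitespace into fields
    case "${1:-}" in
        ''|'#'*) printf '%s\n' "$line"; return 0 ;;
    esac
    if [ -n "$target" ] && [ "$1" != "$target" ]; then
        printf '%s\n' "$line"; return 0
    fi
    if [ $# -lt 3 ]; then           # malformed entry: pass through, signal it
        printf '%s\n' "$line"; return 1
    fi
    case "${4:-}" in
        *keyscript=*) printf '%s\n' "$line" ;;
        '')  printf '%s %s %s keyscript=%s\n' "$1" "$2" "$3" "$KEYSCRIPT" ;;
        *)   printf '%s %s %s %s,keyscript=%s\n' "$1" "$2" "$3" "$4" "$KEYSCRIPT" ;;
    esac
}

# fido2_boot_setup DEVICE TARGET
# The whole procedure from the man page: enroll the token for DEVICE, add the
# keyscript to the crypttab entry named TARGET, rebuild the initramfs.
# Must run as root; nothing is executed unless the script is run with --apply.
fido2_boot_setup() {
    dev=$1
    target=$2
    fido2-luks-enroll -d "$dev" || return 1
    cp /etc/crypttab /etc/crypttab.fido2-bak || return 1
    while IFS= read -r l || [ -n "$l" ]; do
        crypttab_add_keyscript "$l" "$target"
    done < /etc/crypttab.fido2-bak > /etc/crypttab
    update-initramfs -u
}

if [ "${1:-}" = --apply ]; then
    # Assumed values: the tool's own default device and a typical Debian target name.
    fido2_boot_setup /dev/nvme0n1p3 nvme0n1p3_crypt
fi
```

Run it as root with \fB--apply\fR after adjusting the device and target name at the bottom; the
original crypttab is kept as /etc/crypttab.fido2-bak so the change can be reverted if the
keyscript does not behave as expected at the next boot.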
.SH SEE ALSO
.BR cryptsetup (1),
.BR crypttab (5),
.BR fido2-luks-open (1),
.BR systemd-cryptenroll (1),
.BR systemd-cryptsetup (1),
.BR update-initramfs (1).