mjec / khefin

A simple way to generate password-protected secrets from a FIDO2 authenticator with the hmac-secret extension


Support for Debian / Ubuntu

dido opened this issue

Is your feature request related to a problem? Please describe.
From what I can see this only seems to support Arch Linux. Switching distributions is basically a non-starter for many people and Debian / Ubuntu and derived distributions are among the most widely used in the world.

Describe the solution you'd like
Support for Debian / Ubuntu of course.

Describe alternatives you've considered
There seems to be support under Debian / Ubuntu for decryption of LUKS volumes with certain types of (substantially more expensive) Yubikeys which support other protocols besides plain old FIDO2. I don't have any of those but only plain old FIDO2 keys.

Additional context
I'm trying to study the code myself and see if I can try to add this type of functionality myself but wonder if any efforts are already being made in this direction.

Hi @dido, thanks for your interest in this project!

The fido2-hmac-secret binary itself should compile and run ok on Debian and Ubuntu, but isn't currently packaged for it.

For Ubuntu 19.10, you should be able to compile it by running these commands.
sudo apt-add-repository ppa:yubico/stable
sudo apt-get update && sudo apt-get install build-essential m4 libfido2-dev libssl-dev libcbor-dev libsodium-dev
CC=gcc make -j release bash-completion && sudo make install

Unfortunately there's a bug in libcbor-dev on Ubuntu 18.04; if you're on that version you'll need to also run the following before the CC=gcc make ... line:

sudo curl -o /usr/lib/x86_64-linux-gnu/pkgconfig/libcbor.pc https://gist.githubusercontent.com/mjec/ecc2f4421a6d3f2d798bedc23c5665b7/raw/ac817fd599285e9e1a483f72b1801ebb750213a6/libcbor.pc

Of course, this still won't handle LUKS decryption without further configuration. For that I think we'd need to create a mkinitramfs module, similar to the initcpio files already in the repository. Is this something you'd be interested in putting together? I'd gladly merge a pull request with this; otherwise I'll try to take a look at it in the next few weeks.

Debian/Ubuntu support the keyscript= option in crypttab, which should simplify the needed initcpio module.

Yes, I have been able to compile it under Ubuntu and have been testing it with various LUKS volumes I have. Been trying to figure out how to use it more generally on the command line to decrypt file and external drive volumes as well, though it seems to be geared more towards boot volumes for now.

I'll see what I can do about working on getting Debian support in myself but I don't know how much work I'll be able to do.

I did a bit more investigation of this and intend to follow the decrypt_gnupg path. Documenting my findings here for when I get more time to implement it.

  • have a script installed as /lib/cryptsetup/scripts/decrypt_f2hs
    • outputs key material on stdout
    • messages on stderr
    • returns exit code 1 on failure, 0 on success
    • takes keyfile path as an argument
    • uses /lib/cryptsetup/askpass to prompt for passphrase (?)
  • have a script installed as /usr/share/initramfs-tools/hooks/cryptf2hs
    • pay attention to hook script requirements
    • use copy_exec to copy over f2hs binary
    • also need to copy over keyfile
    • cryptgnupg is a good example to follow
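The keyscript contract listed in the notes above, written out as a skeleton for /lib/cryptsetup/scripts/decrypt_f2hs. This is an added example, not code from khefin or from anyone in this thread. The page does not document the khefin binary's command line, so the invocation ("$F2HS_CMD generate <keyfile>" with the passphrase on stdin) and the F2HS_CMD / ASKPASS variables are assumptions to be adjusted to the real CLI; what the script does demonstrate is the Debian keyscript interface itself: key material only on stdout, diagnostics on stderr, exit 1 on any failure, keyfile from $1 (or CRYPTTAB_KEY), passphrase via askpass.

```sh
#!/bin/sh
# Added example (not khefin's own code): keyscript skeleton for
# /lib/cryptsetup/scripts/decrypt_f2hs following the notes above:
#   - key material on stdout, messages on stderr
#   - exit 0 on success, 1 on failure
#   - keyfile path as $1 (Debian's cryptsetup also exports it as CRYPTTAB_KEY)
#   - passphrase prompted through /lib/cryptsetup/askpass when present
#
# ASSUMPTION: the real khefin command line is not shown on this page. The call
# "$F2HS_CMD generate <keyfile>" with the passphrase on stdin is a placeholder.
F2HS_CMD="${F2HS_CMD:-fido2-hmac-secret}"
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"

# All diagnostics go to stderr so nothing but key material reaches stdout,
# which cryptsetup consumes as the LUKS key.
die() {
    printf 'decrypt_f2hs: %s\n' "$*" >&2
    exit 1
}

# Prompt without echo. askpass is what Debian's own keyscripts use (console,
# plymouth and ssh-at-boot aware); fall back to a plain tty read when it is
# missing, e.g. when exercising the script outside the initramfs.
read_passphrase() {
    if [ -x "$ASKPASS" ]; then
        "$ASKPASS" "$1" || die "askpass failed"
    else
        printf '%s' "$1" >&2
        stty -echo 2>/dev/null
        IFS= read -r pw
        stty echo 2>/dev/null
        printf '\n' >&2
        printf '%s' "$pw"
    fi
}

decrypt_f2hs() {
    keyfile="${1:-$CRYPTTAB_KEY}"
    [ -n "$keyfile" ] || die "no keyfile given (argument or CRYPTTAB_KEY)"
    [ -r "$keyfile" ] || die "keyfile not readable: $keyfile"
    command -v "$F2HS_CMD" >/dev/null 2>&1 \
        || die "$F2HS_CMD not found (was it copy_exec'd into the initramfs?)"

    passphrase=$(read_passphrase "Passphrase for FIDO2 keyfile $keyfile: ") || exit 1

    # Passphrase on stdin rather than argv so it never appears in /proc/*/cmdline.
    # Exit status of the pipeline is that of the backend, so a failed derivation
    # (no authenticator, wrong passphrase, no touch) becomes exit 1 here.
    printf '%s' "$passphrase" | "$F2HS_CMD" generate "$keyfile" \
        || die "key derivation failed"
}

# Act as the keyscript when installed under that name; otherwise the functions
# above can be sourced and driven from a test harness.
case "${0##*/}" in
    decrypt_f2hs) decrypt_f2hs "$@" ;;
esac
```

Wiring it up (assumed paths): a crypttab line such as `cryptroot UUID=... /etc/khefin/keyfile luks,keyscript=/lib/cryptsetup/scripts/decrypt_f2hs` hands the third field to the script as $1, exactly as decrypt_gnupg receives its encrypted keyfile. The matching initramfs-tools hook then needs to `copy_exec` the binary (copy_exec pulls in the shared libraries it links, so libfido2/libcbor/libsodium come along) and copy the keyfile itself, followed by `update-initramfs -u`; if the keyfile is missing from the image the script above fails closed with "keyfile not readable" instead of hanging at the prompt.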