yubikey-luks
Test for valid LUKS device
As is, the luks-enroll and luks-open scripts ask for passwords before determining if the device is even valid. cryptsetup provides a method for testing if a partition is valid LUKS. This patch adds that functionality to the yubikey-luks-open and yubikey-luks-enroll scripts.
Among the other things which could be checked are: existence of the LUKS device, a valid yubikey slot, etc.
As is, this patch will return 1 for an existing device with no luks header and 4 on a non-existing device. I suppose I could flesh out the check to differentiate between those checks.
Regarding yubikey slot, are you talking about a simple bounds check? My understanding is that checking yubikey configuration can only say if the slot is configured or not.
I'm happy to flesh this PR out as much as possible.
One other thing I've considered adding to this patch is an exit on invalid option. (around line 43 of yubikey-luks-enroll) As of right now, when an invalid flag is passed, the command continues to run as if everything was normal. I'm not confident that's a safe behavior, especially considering the enroll script has the ability to kill a LUKS slot.
You may take a look at how I handled various errors here.
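The checks discussed in this thread, as an added POSIX shell example that is not part of the yubikey-luks project or of this PR: validate the device before any passphrase prompt, tell a missing device apart from one without a LUKS header, do a bounds check on the YubiKey and LUKS slots, and abort on an unknown option instead of continuing. The option letters (-d, -s, -y), function names, default slot values, the 127 exit code for a missing cryptsetup, and the assumption of LUKS1's eight key slots are this example's own choices, not those of yubikey-luks-enroll.

```shell
#!/bin/sh
# Added example, not code from the yubikey-luks project: validate the
# target device before any passphrase prompt, and refuse unknown options.
# Option letters (-d, -s, -y), function names, defaults and exit codes are
# this example's own choices, not necessarily those of yubikey-luks-enroll.

# Exit codes for the device check, chosen to match what the PR reports
# from `cryptsetup isLuks`: 1 = exists but no LUKS header, 4 = missing.
# 127 (the shell's "command not found" code) is used when cryptsetup is absent.
check_luks_device() {
    dev="$1"
    if [ ! -e "$dev" ]; then
        echo "error: $dev does not exist" >&2
        return 4
    fi
    if ! command -v cryptsetup >/dev/null 2>&1; then
        echo "error: cryptsetup not installed" >&2
        return 127
    fi
    # isLuks prints nothing and exits 0 only when a LUKS header is present
    if cryptsetup isLuks "$dev"; then
        return 0
    fi
    echo "error: $dev exists but is not a LUKS device" >&2
    return 1
}

# Option parsing. Returns 2 on an unknown flag, a missing argument or an
# out-of-range slot, so the caller aborts before touching any key slot.
# Sets DISK, SLOT (LUKS key slot) and YKSLOT (YubiKey OTP slot).
parse_options() {
    OPTIND=1
    DISK=""
    SLOT=7
    YKSLOT=2
    # The leading ':' makes getopts report errors through the '?' and ':'
    # cases instead of printing its own message, so this code owns the exit path.
    while getopts ":d:s:y:" opt; do
        case "$opt" in
            d) DISK="$OPTARG" ;;
            s) SLOT="$OPTARG" ;;
            y) YKSLOT="$OPTARG" ;;
            :) echo "error: option -$OPTARG requires an argument" >&2; return 2 ;;
            *) echo "error: unknown option -$OPTARG" >&2; return 2 ;;
        esac
    done
    # Bounds checks only: a YubiKey has OTP slots 1 and 2, and LUKS1 has key
    # slots 0-7 (assumption: LUKS1 layout; LUKS2 allows up to 32 slots).
    # Whether the YubiKey slot actually holds a challenge-response config
    # cannot be learned from a bounds check.
    case "$YKSLOT" in
        1|2) ;;
        *) echo "error: yubikey slot must be 1 or 2" >&2; return 2 ;;
    esac
    case "$SLOT" in
        [0-7]) ;;
        *) echo "error: LUKS key slot must be 0-7" >&2; return 2 ;;
    esac
    if [ -z "$DISK" ]; then
        echo "usage: $0 -d DEVICE [-s LUKSSLOT] [-y YKSLOT]" >&2
        return 2
    fi
    return 0
}

main() {
    parse_options "$@" || return $?
    check_luks_device "$DISK" || return $?
    # Only now is it safe to prompt for a passphrase and touch key slot $SLOT.
    echo "$DISK is a LUKS device; ready to enroll slot $SLOT with YubiKey slot $YKSLOT"
}

# Run main only when explicitly requested, so the functions above can also
# be sourced into another script without side effects.
if [ "${LUKS_CHECK_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it as `LUKS_CHECK_RUN=1 sh luks-check.sh -d /dev/sdb2 -s 7 -y 2`; `cryptsetup isLuks` needs read access to the device, so on a real block device that means root. The two failure modes the PR describes are separated by checking existence with `[ -e ]` first, which also avoids handing an unknown path to cryptsetup at all.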