Enable usage of multiple fido2 devices by supporting password change with explicit master key
I've created this pull request to support a couple of use cases that came into my mind.
Use cases
Use multiple FIDO2 keys
I have 2 FIDO devices. One is connected to my desktop, the other one is typically in my pocket so I can use it when I'm out, typically in combination with my laptop. I'd like to be able to access my gocryptfs filesystem using either of the keys.
"Add" a FIDO2 key to an existing filesystem
You have an ordinary gocryptfs filesystem using passwords. Now you buy a FIDO2 device and would like to use it on the existing filesystem.
Howto
- You have an existing encrypted filesystem: "encrypted"
- You know the master key: "3eca91ba-52c4391d-5d7ce783-b07e40f2-a3808dfd-a08c7ee5-a9577f97-cc6085d3"
- Create a dummy config for your additional/new FIDO2 device:

```sh
mkdir encrypted2
gocryptfs --init --fido2 /dev/hidraw2 --config encrypted/gocryptfs-fido2.conf encrypted2
# enter pin and/or press device
rm -rf encrypted2
```

- "Connect" the FIDO2 device with the master key (this fails with the original gocryptfs):

```sh
gocryptfs --passwd --masterkey 3eca91ba-52c4391d-5d7ce783-b07e40f2-a3808dfd-a08c7ee5-a9577f97-cc6085d3 \
    --fido2 /dev/hidraw2 \
    --config encrypted/gocryptfs-fido2.conf \
    encrypted
# enter pin and/or press device
```

- Use the FIDO2 device:

```sh
mkdir decrypted
gocryptfs --fido2 /dev/hidraw2 --config encrypted/gocryptfs-fido2.conf encrypted decrypted
```
Closing Notes
I'm not a go developer. I'm more a typing monkey when it comes to this language. Feel free to improve!
For those speaking German, there is an article with more details here
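The howto above as one shell function that checks the preconditions before anything is written (an added example, not code from this PR or from gocryptfs; it assumes a gocryptfs binary built from this PR is on PATH, a hidraw node for the new device, and the config name used in the howto as default):

```sh
#!/bin/sh
# Added example wrapping the PR's procedure: create a throwaway filesystem only
# to obtain a FIDO2 config, then re-wrap the existing master key into that
# config with the patched "--passwd --masterkey". Assumes this PR's gocryptfs.
set -eu

# add_fido2_key FS_DIR MASTER_KEY HIDRAW_DEVICE [CONFIG_PATH]
# Returns 1 without touching the filesystem when a precondition fails.
add_fido2_key() {
    fs_dir=$1; master_key=$2; device=$3
    conf=${4:-$fs_dir/gocryptfs-fido2.conf}

    # The existing filesystem must already be initialised.
    [ -f "$fs_dir/gocryptfs.conf" ] \
        || { echo "no gocryptfs.conf in $fs_dir" >&2; return 1; }
    # Never clobber a FIDO2 config that is already bound to another device
    # (each device needs its own config file, as noted in the thread).
    [ ! -e "$conf" ] \
        || { echo "$conf already exists; choose a different config path" >&2; return 1; }
    # The FIDO2 device must be present as a character device node.
    [ -c "$device" ] \
        || { echo "$device is not a character device" >&2; return 1; }
    # Master key as gocryptfs prints it: eight groups of eight hex digits.
    echo "$master_key" | grep -Eq '^([0-9a-f]{8}-){7}[0-9a-f]{8}$' \
        || { echo "master key has unexpected format" >&2; return 1; }

    # Step 1: dummy init, kept only for the config it writes. Touch the device.
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    gocryptfs --init --fido2 "$device" --config "$conf" "$tmp"
    rm -rf "$tmp"

    # Step 2: bind that config to the real master key (needs this PR's gocryptfs).
    # Note: the key is on the command line, as in the howto, so it is visible in
    # shell history and process listings; clear both afterwards.
    gocryptfs --passwd --masterkey "$master_key" --fido2 "$device" \
        --config "$conf" "$fs_dir"
}
```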
can you add the 2nd (and more) FIDO2 devices to the config, or does it require another config for each?
@Arbel-arad : Each FIDO2 device needs a separate config file
Hi, thanks for the PR, nice idea!

> Create a dummy config for your additional/new FIDO2 device

Can't this simply be a copy of gocryptfs.conf ?
> Can't this simply be a copy of gocryptfs.conf ?

Disregard that, it cannot. Because we need to keep the information from "-init -fido2 ADDITIONALDEVICE".