author | Kamil Szczęk <kamil@szczek.dev> | 2024-06-07 13:22:49 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2024-06-20 14:26:24 +0200 |
commit | e262205eb728de09ec1e669d239275d605f200b4 (patch) | |
tree | 2280bbd018bf2d909d78e07b3f29fa7473b3bee6 /shell-completion | |
parent | Merge pull request #33407 from poettering/varlink-idl-comment-fix (diff) | |
cryptenroll: support for enrolling FIDO2 tokens in manual mode
systemd-cryptsetup supports a FIDO2 mode with manual parameters, where
the user provides all the information necessary for recreating the
secret, such as: credential ID, relying party ID and the salt. This
feature works great for implementing 2FA schemes, where the salt file
is for example a secret unsealed from the TPM or some other source.
While the unlocking part is quite straightforward to set up, enrolling
such a keyslot - not so easy. There is no clearly documented
way on how to set this up and online resources are scarce on this topic
too. By implementing a straightforward way to enroll such a keyslot
directly from systemd-cryptenroll we streamline the enrollment process
and reduce chances for user error when doing such things manually.
Diffstat (limited to 'shell-completion')
-rw-r--r-- | shell-completion/bash/systemd-cryptenroll | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/shell-completion/bash/systemd-cryptenroll b/shell-completion/bash/systemd-cryptenroll
index 6b13e58789..7a11a3f3dc 100644
--- a/shell-completion/bash/systemd-cryptenroll
+++ b/shell-completion/bash/systemd-cryptenroll
@@ -57,6 +57,8 @@ _systemd_cryptenroll() {
 --pkcs11-token-uri
 --fido2-credential-algorithm
 --fido2-device
+ --fido2-salt-file
+ --fido2-parameters-in-header
 --fido2-with-client-pin
 --fido2-with-user-presence
 --fido2-with-user-verification
@@ -76,7 +78,7 @@ _systemd_cryptenroll() {
 
 if __contains_word "$prev" ${OPTS[ARG]}; then
 case $prev in
- --unlock-key-file|--tpm2-device-key|--tpm2-public-key|--tpm2-signature|--tpm2-pcrlock)
+ --unlock-key-file|--fido2-salt-file|--tpm2-device-key|--tpm2-public-key|--tpm2-signature|--tpm2-pcrlock)
 comps=$(compgen -A file -- "$cur")
 compopt -o filenames
 ;;
@@ -95,7 +97,7 @@ _systemd_cryptenroll() {
 --fido2-device)
 comps="auto list $(__get_fido2_devices)"
 ;;
- --fido2-with-client-pin|--fido2-with-user-presence|--fido2-with-user-verification|--tpm2-with-pin)
+ --fido2-parameters-in-header|--fido2-with-client-pin|--fido2-with-user-presence|--fido2-with-user-verification|--tpm2-with-pin)
 comps='yes no'
 ;;
 --tpm2-device) |
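Review bot: The two options added to the OPTS[ARG] list in the first hunk break the alphabetical order the surrounding `--fido2-*` entries follow (`--fido2-credential-algorithm`, `--fido2-device`, then `--fido2-with-*`); `--fido2-parameters-in-header` sorts before `--fido2-salt-file`, so the pair should be swapped to `--fido2-parameters-in-header` followed by `--fido2-salt-file`. This is purely cosmetic for completion behaviour, but keeping the list sorted is what makes it easy to spot a missing option when the next `--fido2-*` flag is added. The `_systemd_cryptenroll()` function starts before and continues after this hunk, so the rest of the OPTS declaration is not visible here.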