[Question] Is there a way to use FIDO2 AND have a passwd as fallback? #748

Open
aanno opened this issue May 20, 2023 · 1 comment

aanno commented May 20, 2023

[Question] Is there a way to use FIDO2 AND have a passwd as fallback?

I'm aware that you could use the masterkey if you lose your token like this:

$ gocryptfs cipher plain -masterkey <key-here>
Using explicit master key.
THE MASTER KEY IS VISIBLE VIA "ps ax" AND MAY BE STORED IN YOUR SHELL HISTORY!
ONLY USE THIS MODE FOR EMERGENCIES

But:

  1. Is there a way to have an additional passwd?
  2. Is there a way to support 2 FIDO2 on the same crypted dir at the same time?
@SamBayerZXZ

I am also interested in this. Hardware key developers insist on registering at least 2 keys in case of loss or failure of one. Yes, it is possible to access using the master key, but there is no way to change the hardware key to another one or change the key to a passphrase. Currently, if you lose your hardware key, you must create a new vault with a new hardware key and migrate data from the old vault to the new one. This is not a problem if the amount of data is small, otherwise it is not convenient. When trying to change the password of a fido2-encrypted storage, we get an error:

gocryptfs -passwd -fido2 /dev/XXX /test/.crypt/

FIDO2 Secret: interact with your device ...
Decrypting master key
Password change is not supported on FIDO2-enabled filesystems.
