| FIDOCRYPT(1) | General Commands Manual | FIDOCRYPT(1) |
fidocrypt —
fidocrypt |
[-Edqv] [-r
rpid] command
[args...] |
fidocrypt utility stores a short secret in a file
encrypted with U2F/FIDO security keys. The file is called a
cryptfile, and any U2F/FIDO security key enrolled in it with
fidocrypt enroll can be used with
fidocrypt get to decrypt the enclosed secret. The
secret may then be used for other purposes, such as a cgd(4)
disk encryption key.
WARNING: fidocrypt is a
work in progress. The file format is not yet stable.
-E-dFIDO_DEBUG environment variable.-v-q-r
rpidWARNING: You should set this to a DNS name that identifies the purpose of the cryptfile, distinctly from any other U2F/FIDO usage to avoid cross-domain attacks. Don't set the relying party id to the domain name of any web site that you log into with U2F/FIDO.
Instead of the -r option, you can set
the FIDOCRYPT_RPID environment variable; when
both are specified, the -r option takes
precedence.
enroll
-N username
-u userid
[-n nickname]
[-s secretfile]
cryptfile-’, the secret will be read
from stdin. It must be at most 65536 bytes long —
fidocrypt is not meant for storing long
secrets, only short secrets such as encryption keys.fidocrypt will generate a 32-byte string
uniformly at random and use that as the secret and create a new
cryptfile.You will then be prompted to tap a new U2F/FIDO security key, not currently enrolled in cryptfile, to enroll.
WARNING: If you specify
-s secretfile for a
cryptfile that already has a secret stored in it,
fidocrypt has no way to verify that it is the
same secret as is already stored, so you may end up
with a cryptfile that stores different secrets for different U2F/FIDO
security keys. You should use this only in an application that has
already gotten the stored secret with fidocrypt
get and still has it in memory, in order to reduce the amount of
device tapping.
The option -n
nickname lets you specify a nickname for later
display with fidocrypt list or use with
fidocrypt unenroll.
The -N username
and -u userid arguments
are mandatory, but fidocrypt assigns them no
particular meaning. U2F/FIDO devices with displays might show them on
the display. You may also set the environment variables
FIDOCRYPT_USERNAME and
FIDOCRYPT_USERID instead; when both the
environment variable and the command-line argument are specified, the
command-line argument takes precedence.
get
-F format
cryptfileThe -F option is mandatory —
that way, you won't inadvertently either screw up your terminal or feed
base64 data into a program that expects raw bytes.
list
cryptfilefidocrypt enroll.rename
[-i id]
[-n nickname]
cryptfile newnameunenroll
[-i id]
[-n nickname]
cryptfilefidocrypt get. The enrollment
may be specified by numeric id with -i as shown in
fidocrypt list output, or by the nickname with
-n that was passed to fidocrypt
enroll.fidocrypt get into passing
with it.N.B.: fidocrypt does not
defend against a compromised host while cryptfile is being decrypted, and
can't defend against any attacker who has access to the stored secret in the
host's memory once decrypted.
fidocrypt also doesn't defend against a
poorly designed U2F/FIDO device that exposes the public key in the
credential id. Fortunately, credential ids are almost always either
ciphertext themselves, encrypted with a secret key stored on the U2F/FIDO
device, or a random input to a pseudorandom function under a secret key
stored on the U2F/FIDO device.
FIDOCRYPT_RPID-r
option.FIDOCRYPT_USERIDfidocrypt enroll. Overridden by the
-u option.FIDOCRYPT_USERNAMEfidocrypt enroll. Overridden by the
-N option.% export FIDOCRYPT_RPID=fidocrypt.example.com % fidocrypt enroll -N Falken -u falken -n yubi5nano example.crypt tap key to enroll; waiting... % fidocrypt list example.crypt 1 yubi5nano % fidocrypt get example.crypt fidocrypt: specify an output format (-F) Usage: fidocrypt get -F <format> <cryptfile> % fidocrypt get -F base64 example.crypt tap key; waiting... yTpyXp1Hk3F48Wx3Mp7B2gNOChPyPW0VOH3C7l5AM9A= % fidocrypt enroll -N Falken -u falken -n redsolokey example.crypt tap a key that's already enrolled; waiting... tap key to enroll; waiting... % fidocrypt get -F base64 example.crypt tap key; waiting... yTpyXp1Hk3F48Wx3Mp7B2gNOChPyPW0VOH3C7l5AM9A= % fidocrypt rename -n redsolokey example.crypt blacksolokey % fidocrypt list example.crypt 2 blacksolokey 1 yubi5nano
Once you have created a cryptfile named
cgd.crypt with several U2F/FIDO security keys
enrolled, using
‘fidocrypt.example.com’ as the relying
party id, create a cgd(4) parameters file that combines a
password and the fidocrypt secret:
algorithm adiantum;
iv-method encblkno1;
keylength 256;
verify_method gpt;
keygen pkcs5_pbkdf2/sha1 {
iterations 458588;
salt AAAAgNXFkicvB33MhEfPLnXF2AI=;
};
keygen shell_cmd {
cmd "fidocrypt -r fidocrypt.example.com get -F raw cgd.crypt";
};
This way, the cgd(4) disk can be opened only with the password and at least one of the U2F/FIDO security keys (and the cgd(4) parameters file).
fidocrypt utility exits 0 on success,
and >0 if an error occurs.
Joseph Birr-Pixton, Abusing U2F to 'store' keys, https://jbp.io/2015/11/23/abusing-u2f-to-store-keys.html, 2015-11-23.
Rolf Lindemann, Vijay Bharadwaj, Alexei Czeskis, Michael B. Jones, Jeff Hodges, Akshay Kumar, Christiaan Brand, Johan Verrept, and Jakob Ehrensvärd, Client To Authenticator Protocol, https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html, FIDO Alliance, 2017-09-27.
Dirk Balfanz, Alexei Czeskis, Jeff Hodges, J.C. Jones, Michael B. Jones, Akshay Kumar, Angelo Liao, Rolf Lindemann, and Emil Lundberg, Web Authentication: An API for accessing Public Key Credentials Level 1, https://www.w3.org/TR/webauthn-1/, World Wide Web Consortium, 2019-03-04.
fidocrypt works only with ECDSA over NIST P-256. It
cannot be made to work with Ed25519. (Fortunately, essentially all U2F/FIDO
devices on the market support ECDSA over NIST P-256.)
fidocrypt limits cryptfiles to be 1048576
bytes long, including metadata, credential ids, and ciphertexts. Usually,
with a 32-byte secret, each U2F/FIDO security key requires under 200 bytes
of storage in the file. fidocrypt is not meant for
enrolling very large numbers of U2F/FIDO security keys — you are
expected to use a primary key and a handful of backups stored in safe
places.
Cryptfiles don't store nicknames for U2F/FIDO security keys, and
fidocrypt doesn't support unenrolling keys.
| December 24, 2020 | NetBSD 9.1_STABLE |