Test for valid LUKS device #75

Open
wants to merge 1 commit into
base: master

metalsp0rk

As is, the luks enroll and luks-open scripts ask for passwords before determining if the device is even valid. cryptsetup provides a method for testing if a partition is valid LUKS. This patch adds that functionality to the yubikey-luks-open and yubikey-luks-enroll scripts.

@Vincent43
Contributor

Other things which can be checked are: existence of luks device, valid yubikey slot, etc.

@metalsp0rk
Author

metalsp0rk commented Nov 30, 2021

As is, this patch will return 1 for an existing device with no luks header and 4 on a non-existing device. I suppose I could flesh out the check to differentiate between those checks.

Regarding yubikey slot, are you talking about a simple bounds check? My understanding is that checking yubikey configuration can only say if the slot is configured or not.

I'm happy to flesh this PR out as much as possible.


One other thing I've considered adding to this patch is an exit on invalid option. (around line 43 of yubikey-luks-enroll) As of right now, when an invalid flag is passed, the command continues to run as if everything was normal. I'm not confident that's a safe behavior, especially considering the enroll script has the ability to kill a LUKS slot.
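
A sketch of the pre-flight checks discussed in this thread, as an added example that is not code from the pull request or the project: it rejects unknown flags and verifies the target with `cryptsetup isLuks` before any password prompt. The `-d`/`-s` option letters, the function names, the usage exit code 2 and the `CRYPTSETUP` override are assumptions; the return values 1 and 4 follow the comment above.

```shell
#!/bin/sh
# Added example, not the PR's code. Option letters, function names, exit code 2
# and the CRYPTSETUP override are assumptions made for this sketch.
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Parse flags; any unknown flag or missing argument is a hard error.
parse_opts() {
    DISK=""; SLOT=""
    OPTIND=1
    while getopts ":d:s:" opt; do
        case "$opt" in
            d) DISK="$OPTARG" ;;
            s) SLOT="$OPTARG" ;;
            :) echo "option -$OPTARG needs an argument" >&2; return 2 ;;
            \?) echo "invalid option: -$OPTARG" >&2; return 2 ;;
        esac
    done
}

# Return 0 for a LUKS device, 4 if the path does not exist, 1 if it exists
# but carries no LUKS header (the values mentioned in the thread).
check_luks_device() {
    dev="$1"
    if [ -z "$dev" ]; then
        echo "no device given" >&2
        return 2
    fi
    if [ ! -e "$dev" ]; then
        echo "$dev: no such device" >&2
        return 4
    fi
    if ! "$CRYPTSETUP" isLuks "$dev"; then
        echo "$dev: not a valid LUKS device" >&2
        return 1
    fi
    return 0
}

# Run every check before any passphrase or YubiKey prompt.
preflight() {
    parse_opts "$@" || return $?
    check_luks_device "$DISK" || return $?
}

# In a script: preflight "$@" || exit $?   (only then prompt for secrets)
```
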

@Vincent43
Contributor

You may take a look at how I handled various errors here.
