On Sun, 31 Dec 2023 at 20:51, Ansgar <ans...@43-1.org> wrote:
>
> On Sun, 2023-12-31 at 18:49 +0800, YunQiang Su wrote:
> > * Package name    : cryptsetup-2fa
> >   Version         : 0.1
> >   Upstream Contact: YunQiang Su <s...@debian.org>
> > * URL             : https://github.com/wzssyqa/cryptsetup-2fa/
> > * License         : BSD-2
> >   Programming Lang: SHELL
> >   Description     : 2FA plugin for cryptsetup
> >
> > 2 methods are supported for 2FA:
> > - Yubikey Challenge
> > - TPM2 Keypair
> > PIN-less is also supported, if the PINs are present in
> > /etc/cryptsetup/2fa.conf.
> >
> > Since I am not an expert in security and encryption:
> > CODE Review is requested here, too.
>
> Is there any reason to not just use systemd-cryptenroll?

Yes. I tried to use systemd-cryptenroll, but it cannot work with cryptsetup-suspend. I need a way to suspend or hibernate without the disks being decrypted.

> It seems to be a more featureful implementation and also doesn't
> require storing PINs in plain text in configuration files like

My script doesn't *require* storing the PIN. You can just leave the config blank, and it will prompt for the PIN.

> /etc/cryptsetup/2fa/2fa.conf as README instructs users to do here.
> Nor does it store plain text credentials in /var/cache.

This is used, if a user has multiple disks/partitions and all of them have the same PIN, to ask for the PIN only one time. The passphrase is stored in /var/cache, and switch_root will clean all of them, so I guess it won't leak.

> Ansgar
>
> PS: I also don't understand why cryptsetup-2fa-enroll(1) references
> privacyIDEA.

Thanks. Removed.