{"id":49365574,"url":"https://github.com/darkskiez/u2f-luks","last_synced_at":"2026-04-27T19:01:33.359Z","repository":{"id":57541457,"uuid":"81447987","full_name":"darkskiez/u2f-luks","owner":"darkskiez","description":null,"archived":false,"fork":false,"pushed_at":"2022-02-03T17:00:00.000Z","size":61,"stargazers_count":32,"open_issues_count":0,"forks_count":1,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-06-20T03:32:25.412Z","etag":null,"topics":["debian","encryption-tool","luks","u2f","u2f-key"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/darkskiez.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-02-09T12:28:17.000Z","updated_at":"2023-12-17T23:23:34.000Z","dependencies_parsed_at":"2022-09-26T18:30:48.498Z","dependency_job_id":null,"html_url":"https://github.com/darkskiez/u2f-luks","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/darkskiez/u2f-luks","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkskiez%2Fu2f-luks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkskiez%2Fu2f-luks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkskiez%2Fu2f-luks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkskiez%2Fu2f-luks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/darkskiez","download_url":"https://codeload.github.com/darkskiez/u2f-luks/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/repositories/darkskiez%2Fu2f-luks/sbom","scorecard":{"id":322896,"data":{"date":"2025-08-11","repo":{"name":"github.com/darkskiez/u2f-luks","commit":"c357ee9d8a93ec23662e0414cfa3cc7e9a0911cf"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.3,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively 
maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no 
security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":4,"reason":"6 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0968 / GHSA-gwc9-m7rh-j2ww","Warn: Project is vulnerable to: GO-2021-0356 / GHSA-8c26-wmh5-6g9v","Warn: Project is vulnerable to: GO-2024-2961","Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T01:48:18.934Z","repository_id":57541457,"created_at":"2025-08-18T01:48:18.934Z","updated_at":"2025-08-18T01:48:18.934Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32350243,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-27T17:12:42.749Z","status":"ssl_error","status_checked_at":"2026-04-27T17:12:41.658Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debian","encryption-tool","luks","u2f","u2f-key"],"created_at":"2026-04-27T19:01:32.236Z","updated_at":"2026-04-27T19:01:33.354Z","avatar_url":"https://github.com/darkskiez.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# U2F LUKS Support - Use U2F USB tokens to unlock encrypted disks.\n\n**Disclaimer: This is potentially a very silly / dangerous tool to use**\n\n## NEW: Now a cryptsetup external token provider using official API\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n## OLD\n\n## Prerequisites\n\n* A Debian variant system\n* An already configured LUKS encrypted disk\n* A willingness to use non-audited code for your security or convenience.\n* One or more U2F Tokens (with USB HID Support)\n* A filesystem that can be 
mounted in an initramfs\n\nThis does NOT yet support systemd because systemd does not support keyscripts.\nThe workaround is that the initramfs parameter forces your disk to be mounted\nin the initramfs, before systemd has started.\n\n## How does this work?\n\nThis uses some trickery in order to synthesize a static key from a U2F token\nbecause:\n\n* U2F keys are almost stateless, holding only a counter\n* U2F keys can only sign requests with ECDSA\n* U2F signatures are only over partially supplied data, including the counters\n\nThis tool uses the public key obtained during the register request as the LUKS\nprivate key, and derives the public key back from the authenticate requests\nusing elliptic curve key recovery (http://github.com/darkskiez/eckr) on the\nsignatures.\n\nThis tool encrypts the keyhandle, optionally with the user passphrase, and stores\nit in the u2f-luks.keys file. Only the correct keyhandle, passphrase and U2F\ntoken will yield the correct key. We store a hash based on the correct key\nin the keyfile because the key recovery algorithm returns two candidate keys.\n\nMost U2F tokens will blink if the correct matching password is entered.\n\n## Download and Build\n\n`go get -u github.com/darkskiez/u2f-luks`\n\n## Install\n\n```shell\nsudo cp $GOPATH/bin/u2f-luks /usr/local/bin\nsudo cp $GOPATH/src/github.com/darkskiez/u2f-luks/initramfs-hooks/u2fkey /etc/initramfs-tools/hooks/\n```\n\n## Enroll a token\n\n1. Generate a new key\n```shell\nKEY=$(mktemp)\nsudo u2f-luks -v -enroll -keyfile /etc/u2f-luks.keys \u003e$KEY\nsudo cryptsetup luksAddKey /dev/sdxx $KEY\nrm $KEY\n```\n\n2. Add the initramfs and keyscript settings, e.g.:\n```shell\n$EDITOR /etc/crypttab\n# OLD\nsdax_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks\n# NEW\nsdax_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks,initramfs,keyscript=/usr/local/bin/u2f-luks\n```\n\n3. Update initramfs\n```shell\nsudo update-initramfs -u\n```\n\n4. Reboot and hope for the best\n\nWhen prompted for your password, enter the 2FA password and tap the token. If you did not\nsupply a password during enrollment, you can just tap the token.\n\nIf this fails to unlock your disk, enter your previous disk encryption passphrase and\npress enter when prompted to touch your token.\n\n5. Revoke your existing passphrase\n\nThis optional step is left as an exercise for the enthusiastic.\n\n## Revoke a token\n\n```shell\nKEY=$(mktemp)\nsudo u2f-luks -v -keyfile /etc/u2f-luks.keys \u003e$KEY\nsudo cryptsetup luksRemoveKey /dev/sdxx $KEY\nrm $KEY\n```\n\n## Revoke a lost token\n\n```shell\n# Check which slots are used, 0 is often the original passphrase and 1..7 the additional keys\nsudo cryptsetup luksDump /dev/sdxx\n# Kill the slot for the lost token, this checks you still have a valid passphrase after\nsudo cryptsetup luksKillSlot /dev/sdxx [0-7]\n```\n\n## Uninstall\n\n1. Ensure you have a functioning passphrase that works without a U2F token\n```shell\nsudo cryptsetup luksOpen --test-passphrase /dev/sdxx\n```\n\n2. Restore your crypttab file\n\nRemove the initramfs and keyscript args you added during installation\n\n3. Update the initramfs again.\n```shell\nsudo update-initramfs -u\n```\n\n4. Follow the [Revoke a Token](#revoke-a-token) instructions\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkskiez%2Fu2f-luks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdarkskiez%2Fu2f-luks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkskiez%2Fu2f-luks/lists"}