{"id":48059646,"url":"https://github.com/tmo1/fidovault","last_synced_at":"2026-04-04T14:31:18.198Z","repository":{"id":272826423,"uuid":"917872321","full_name":"tmo1/fidovault","owner":"tmo1","description":"FidoVault: A tool to control access to secrets via symmetric encryption and decryption using hardware FIDO2 keys.","archived":false,"fork":false,"pushed_at":"2026-01-13T19:16:55.000Z","size":65,"stargazers_count":33,"open_issues_count":2,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2026-02-17T19:26:56.573Z","etag":null,"topics":["cryptography","fido2","hmac-secret","secrets"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tmo1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-01-16T19:59:31.000Z","updated_at":"2026-02-08T00:46:32.000Z","dependencies_parsed_at":"2025-01-16T21:29:13.629Z","dependency_job_id":"ede8811e-7153-4b1e-b88d-e1baf24b3ff9","html_url":"https://github.com/tmo1/fidovault","commit_stats":null,"previous_names":["tmo1/fidovault"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/tmo1/fidovault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tmo1%2Ffidovault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tmo1%2Ffidovault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tmo1%2Ffidovault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tmo1%2Ffidovault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tmo1","download_url":"https://codeload.github.com/tmo1/fidovault/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tmo1%2Ffidovault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31402658,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","fido2","hmac-secret","secrets"],"created_at":"2026-04-04T14:31:16.904Z","updated_at":"2026-04-04T14:31:18.119Z","avatar_url":"https://github.com/tmo1.png","language":"Python","funding_links":["https://ko-fi.com/thomasmore"],"categories":[],"sub_categories":[],"readme":"# FidoVault\n\n![GitHub Release](https://img.shields.io/github/v/release/tmo1/fidovault)\n![GitHub Release Date - Published_At](https://img.shields.io/github/release-date/tmo1/fidovault)\n![PyPI Version](https://img.shields.io/pypi/v/fidovault?label=PyPI%20version)\n![PyPI Downloads](https://img.shields.io/pypi/dm/fidovault?label=PyPI%20downloads)\n\u003c!--![GitHub Downloads (all assets, all releases)](https://img.shields.io/github/downloads/tmo1/fidovault/total) (consider including when the total is non-zero ;)--\u003e\n\n![GitHub issues](https://img.shields.io/github/issues/tmo1/fidovault)\n![GitHub closed issues](https://img.shields.io/github/issues-closed/tmo1/fidovault)\n![GitHub commit activity](https://img.shields.io/github/commit-activity/m/tmo1/fidovault)\n\nFidoVault is a tool to control access to secrets via symmetric encryption and decryption using [FIDO2](https://en.wikipedia.org/wiki/FIDO_Alliance#FIDO2) authenticators. A FidoVault vault file contains a secret encrypted via one or more FIDO2 authenticators, such that the secret is inaccessible without at least one of the authenticators, but any single authenticator can decrypt the secret. A password can optionally be required for decryption in addition to an authenticator.\n\n\u003e [!CAUTION]\n\u003e Most FIDO2 authenticators cannot be \"backed up\" or duplicated. If all the authenticators of a particular FidoVault are lost (or [\"reset\"](https://support.yubico.com/hc/en-us/articles/360016648899-Resetting-the-FIDO2-Application-on-Your-YubiKey-or-Security-Key)), then that FidoVault will become permanently inaccessible.\n\u003e\n\u003e Additionally, [when FIDO2 authenticators make a credential, they generate two random values, `credRandomWithUV` and `credRandomWithoutUV`, and associate them with the credential](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#sctn-hmac-secret-extension). In the context of an assertion, the former is used when [\"user verification\"](https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/User_Presence_vs_User_Verification.html) (most commonly via the entry of a PIN) is performed and the latter when it is not. Consequently, secrets encrypted by an authenticator when user verification is not performed will not be able to be decrypted by the same authenticator when user verification is performed (and vice versa). For more detailed discussion of this issue and its implications, see [here](https://github.com/keepassxreboot/keepassxc/discussions/9506#discussioncomment-11864543).\n\n## Hardware\n\nAny standard [USB](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#usb) authenticator that supports the [HMAC Secret Extension](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension) (which [reportedly most do](https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html)) should work with FidoVault. [NFC](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#nfc) and [Bluetooth](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#nfc) authenticators have not been tested, and PC/SC authenticators are not currently supported. Development and testing have primarily been done using a [Yubico Security Key](https://www.yubico.com/products/security-key/).\n\n## Dependencies and Installation\n\nFidoVault is written in Python 3, and has the following dependencies:\n\n * [`cryptography`](https://github.com/pyca/cryptography) (Debian package `python3-cryptography`) (for symmetric encryption and decryption of secrets)\n * [`[python-]fido2`](https://github.com/Yubico/python-fido2)\u003e=2.0.0 (Debian package `python3-fido2`) (for accessing FIDO2 authenticators)\n \n\u003e [!NOTE]\n\u003e FidoVault has been updated to work with version 2.0 of `[python-]fido2`, and the current code will not work with earlier versions.\n\nFidoVault should work on any platform on which Python 3 and the above dependencies can be installed, although running under Windows may require administrator privileges, since [Windows apparently requires](https://support.yubico.com/hc/en-us/articles/360016648939-Troubleshooting-Failed-connecting-to-the-YubiKey-Make-sure-the-application-has-the-required-permissions-in-YubiKey-Manager) [administrator privileges](https://docs.yubico.com/yesdk/yubikey-api/Yubico.YubiKey.YubiKeyDevice.FindByTransport.html) [for certain FIDO APIs](https://github.com/keepassxreboot/keepassxc/issues/11400).\n\nAt least on Linux, if FidoVault's dependencies are installed and available (e.g., on Debian via `apt install python3-fido2`, which will pull in `python3-cryptography` as well), then the script can be run directly without installation as `path/to/fidovault.py`. It can also be installed [from PyPI](https://test.pypi.org/project/fidovault/) via pip / pipx, in which case it can be run simply as `fidovault`.\n\n## Usage\n\nDisplay usage instructions:\n\n```\n$ fidovault.py -h\nusage: fidovault.py [-h] [-v VAULT] [-k KEY] [-g N] [-i | -a]\n\nCreate and manage FidoVaults - control access to secrets via symmetric encryption and decryption using FIDO2 authenticators.\n\noptions:\n  -h, --help         show this help message and exit\n  -v, --vault VAULT  FidoVault location\n  -k, --key KEY      use (only) this key section of the FidoVault\n  -g, --generate N   generate FidoVault secret utilizing at least N cryptographically random bits (only used if initializing a FidoVault, otherwise ignored)\n  -i, --init         initialize a FidoVault\n  -a, --add          add a key section to a FidoVault\n\nIf neither '--init' nor '--add' are specified, the program will attempt to output the FidoVault's secret to STDOUT.\n```\n\nInitialize a FidoVault:\n\n```\n$ fidovault.py -i -v \u003cvaultname\u003e\nEnter secret: \nConfirm secret: \nPlease connect the device you wish to enroll (and disconnect any others).\nPress \u003center\u003e when ready ... \nChecking device at /dev/hidraw2 ...\nDevice supports the hmac-secret extension.\nCreating FIDO2 credential ... \nEnter PIN: \nTouch your authenticator now ...\nFIDO2 credential created.\nEnter name for this key section: Blue Key\nPerform user verification when using this key section? (y/n - default is y) \nCombine password with FIDO2 hmac-secret when using this key section? (y/n - default is y) \nGetting hmac-secret ...\nTouch your authenticator now ...\nEnter password: \nConfirm password: \nKey section 'Blue Key' successfully added.\nFidoVault '\u003cvaultname\u003e' updated.\n\n```\n\nAdd an additional authenticator to an existing FidoVault (connect an already added authenticator before proceeding):\n\n```\n$ fidovault.py -a -v \u003cvaultname\u003e\nChecking device at /dev/hidraw2 ...\nCredential found on device.\nTrying to decode token using 'Blue Key' key section ...\nGetting hmac-secret ...\nEnter PIN: \nTouch your authenticator now ...\nEnter password: \nToken decryption succeeded.\nPlease connect the device you wish to enroll (and disconnect any others).\nPress \u003center\u003e when ready ... \nChecking device at /dev/hidraw2 ...\nDevice supports the hmac-secret extension.\nCreating FIDO2 credential ... \nEnter PIN: \nTouch your authenticator now ...\nFIDO2 credential created.\nEnter name for this key section: Red Key\nPerform user verification when using this key section? (y/n - default is y) \nCombine password with FIDO2 hmac-secret when using this key section? (y/n - default is y) \nGetting hmac-secret ...\nTouch your authenticator now ...\nEnter password: \nConfirm password: \nKey section 'Red Key' successfully added.\nFidoVault '\u003cvaultname\u003e' updated.\n\n```\n\nOutput a FidoVault secret:\n\n```\n$ fidovault.py -v \u003cvaultname\u003e\nChecking device at /dev/hidraw2 ...\nCredential found on device.\nTrying to decode token using 'Blue Key' key section ...\nGetting hmac-secret ...\nEnter PIN: \nTouch your authenticator now ...\nEnter password: \nToken decryption succeeded.\n\u003csecret\u003e\n```\n\n### Providing a FidoVault secret to another program\n\nFidoVault is designed to be used in conjunction with other programs, by providing a secret to them. For programs that accept a secret on `STDIN`, simply pipe FidoVault's `STDOUT` to them (all FidoVault user interaction output is written to `STDERR` / `/dev/tty`, and so will be printed to the terminal and not redirected to the other program). E.g., to use a FidoVault secret for symmetric encryption [and decryption](https://unix.stackexchange.com/questions/560135/how-to-decrypt-file-that-was-symmetrically-encrypted-using-gpg) of a file with [GnuPG](https://gnupg.org/), run:\n\n```\n$ fidovault.py -v \u003cvaultname\u003e | gpg --passphrase-fd 0 --pinentry-mode loopback -c \u003cfilename\u003e\n```\n\nand:\n\n```\n$ fidovault.py -v \u003cvaultname\u003e | gpg --passphrase-fd 0 --pinentry-mode loopback --output \u003cfilename\u003e -d \u003cfilename.gpg\u003e\n```\n\nTo open a [KeePassXC](https://keepassxc.org/) database with a FidoVault secret as password, run:\n\n```\n$ fidovault.py -v \u003cvaultname\u003e | keepassxc --pw-stdin /path/to/database.kdbx\n```\n\n(Unfortunately, [this only works if KeePassXC is not currently running](https://github.com/keepassxreboot/keepassxc/issues/2089).)\n\nFor programs that expect a secret as an argument, FidoVault can pass a secret to them via [`xargs`](https://en.wikipedia.org/wiki/Xargs). E.g., to open a KeePassXC database with a FidoVault secret as password [via D-Bus](https://github.com/keepassxreboot/keepassxc/wiki/Using-DBus-with-KeePassXC) when KeePassXC is already running, run:\n\n```\n$ fidovault.py -v \u003cvaultname\u003e | xargs qdbus org.keepassxc.KeePassXC.MainWindow /keepassxc org.keepassxc.KeePassXC.MainWindow.openDatabase /path/to/database.kdbx\n```\n\n(On Debian Sid, replace `qdbus` with `qdbus6`.)\n\nTo pass the secret at a position other than the end of the command, use the `-I replace-str` argument of `xargs`. E.g., to open a KeePassXC database with a FidoVault secret as a password plus a keyfile that resides somewhere in the filesystem via D-Bus, run:\n\n```\n$ fidovault.py -v \u003cvaultname\u003e | xargs -I % qdbus org.keepassxc.KeePassXC.MainWindow /keepassxc org.keepassxc.KeePassXC.MainWindow.openDatabase /path/to/database.kdbx % /path/to/keyfile\n```\n\n\u003e [!CAUTION]\n\u003e Including a secret in a command's arguments is generally considered insecure, since the secret will be visible to anyone with access to the system process list. The above `qdbus` command is [additionally insecure since it will place the secret on the D-Bus message bus, which also may be accessible to others](https://github.com/keepassxreboot/keepassxc/issues/8826).\n\n## Memory Security\n\nOn Linux, on startup FidoVault calls [`prctl(PR_SET_DUMPABLE, 0)`](https://man7.org/linux/man-pages/man2/pr_set_dumpable.2const.html) to disable [ptracing](https://lwn.net/Articles/491440/) and core dumping, and [`mlockall(MCL_FUTURE)`](https://www.man7.org/linux/man-pages/man2/mlockall.2.html) to disable paging.\n\n## Background\n\nThe original motivation of FidoVault was the desire to implement a standalone tool to [open KeePassXC databases with FIDO2 authenticators](https://github.com/keepassxreboot/keepassxc/discussions/9506), but the code quickly evolved into a more general purpose tool. FidoVault's basic architecture was inspired by the discussion [here](https://github.com/keepassxreboot/keepassxc/discussions/9506), as well as the design of [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) plus its [systemd-cryptenroll extension](https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html). Indeed, I seriously contemplated using LUKS + systemd-cryptenroll (possibly with loop devices) as a general purpose FIDO2-protected secret store, but since LUKS is designed around block devices and the [device mapper](https://en.wikipedia.org/wiki/Device_mapper), it cannot be easily used by non-root users.\n\n## Alternatives\n\nOther projects similar to FidoVault:\n\n * [tokenring](https://github.com/glyph/tokenring): \"TokenRing is a back-end for the Python keyring module, which uses a hard token to encrypt your collection of passwords as a large Fernet token, composed of individual password entries, each of which is separately encrypted as a smaller Fernet token of its own.\"\n * [age-plugin-fido](https://github.com/riastradh/age-plugin-fido): \"draft fido plugin for age(1)\" (\"early draft, likely buggy, protocol not finalized\", \"usability issues with multiple fido keys\", \"not actually tested with age(1) yet\")\n * [age-plugin-yubikey](https://github.com/olastor/age-plugin-fido2-hmac/): \"Encrypt files with fido2 keys that support the \"hmac-secret\" extension.\"\n * [FileKey](https://filekey.app/): \"Files need protection. FileKey secures them. Works with Yubikeys. Drop files in. They lock. Drop them again. They unlock. Your data stays on your device, and only you hold the key. Open source and powered by AES-256 encryption—the same standard trusted by the US government for top-secret information.\" ([Reddit announcement thread](https://old.reddit.com/r/yubikey/comments/1iiptny/introducing_filekey_encrypt_decrypt_files_using/))\n * [khefin](https://github.com/mjec/khefin): \"A system for using a FIDO2 authenticator with hmac-secret extension support to generate passphrase-protected secrets.\" ([abandoned a couple of years ago](https://github.com/mjec/khefin/issues/42))\n\n## Contributors\n\n * [MartinDerTolle](https://github.com/MartinDerTolle): [Code migration from python-fido2 1.x to 2.0](https://github.com/Yubico/python-fido2/blob/main/doc/Migration_1-2.adoc) ([PR #5](https://github.com/tmo1/fidovault/pull/5))\n \n## Donations\n\nFidoVault is absolutely free software, and there is no expectation of any sort of compensation or support for the project. That being said, if anyone wishes to donate (to Thomas More, the tool's primary author), this can be done via [the Ko-fi platform](https://ko-fi.com/thomasmore).\n\n## License\n\nFidoVault is free / open source software, released under the terms of the [GNU GPLv3](https://www.gnu.org/licenses/gpl-3.0.en.html) or later.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftmo1%2Ffidovault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftmo1%2Ffidovault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftmo1%2Ffidovault/lists"}