Enable usage of multiple fido2 devices by supporting password change …

[uli-heller]

…with explicit master key

I've created this pull request to support a couple of use cases that came into my mind.

Use cases

Use multiple FIDO2 keys

I habe 2 FIDO devices. One is connected to my desktop, the other one is typically in my pocket so I can use it
when I'm out. Typically in combination with my laptop. I'd like to be able to access my gocryptfs filesystem using
either of the keys

"Add" a FIDO2 key to an existing filesystem

You have an ordinary gocryptfs filesystem using passwords. Now you buy a FIDO2 device and would like
to use it on the existing filesystem

Howto

• You have an existing encrypted filesystem: "encrypted"
• You know the master key: "3eca91ba-52c4391d-5d7ce783-b07e40f2-a3808dfd-a08c7ee5-a9577f97-cc6085d3"
• Create a dummy config for your additional/new FIDO2 device:

  mkdir encrypted2
  gocryptfs --init --fido2 /dev/hidraw2 --config encrypted/gocryptfs-fido2.conf encrypted2
    # enter pin and/or press device
  rm -rf encrypted2
  

• "Connect" the FIDO2 device with the master key: (this fails with the original gocryptfs)

  gocryptfs --passwd --masterkey 3eca91ba-52c4391d-5d7ce783-b07e40f2-a3808dfd-a08c7ee5-a9577f97-cc6085d3 \
    --fido2 /dev/hidraw2 \
    --config encrypted/gocryptfs-fido2.conf \
    encrypted
    # enter pin and/or press device
  

• Use the FIDO2 device:

  mkdir decrypted
  gocryptfs --fido2 /dev/hidraw2 --config encrypted/gocryptfs-fido2.conf encrypted decrypted
  

Closing Notes

I'm not a go developer. I'm more a typing monkey when it comes to this language.
Feel free to improve!

For those speaking German, there is an article with more details here

[Arbel-arad]

can you add the 2nd (and more) FIDO2 devices to the config, or does it require another config for each?

[uli-heller]

@Arbel-arad : Each FIDO2 device needs a separate config file