
Cannot have multiple credentials per YubiKey #48

Open
syphoxy opened this issue Aug 17, 2022 · 4 comments

Comments


syphoxy commented Aug 17, 2022

I'm not sure if I'm merely misunderstanding something or if this is a bug. If it is a bug, I'm not even sure if it's in fido2luks.

As illustrated below, no matter what you name the credential, it seems to always clobber the previous one.

I did some research on whether this is actually expected behavior but as far as I can tell test1 and test2 (being a "username") should be unique credentials even if they're both sharing the Relying Party ID of fido2luks.

I tried digging through the code, both fido2luks at tag 0.2.20 and ctap_hmac, and I couldn't identify a reason for the fact that these credentials are getting clobbered.

Is this intentional? Is there a reason we can't have multiple fido2luks credentials per YubiKey (per FIDO2 device)?

$ fido2luks credential -P 'test1'
Authenticator PIN:
REDACTED

$ ykman fido credentials list
Enter your PIN:
fido2luks 00 test1

$ fido2luks credential -P 'test2'
Authenticator PIN:
REDACTED

$ ykman fido credentials list
Enter your PIN:
fido2luks 00 test2

Versions

$ fido2luks --version
fido2luks 0.2.20

$ ykman info
Device type: YubiKey 5 NFC
Serial number: REDACTED
Firmware version: 5.2.7
shimunn (Owner) commented Aug 18, 2022

You absolutely can. I don't know why you're even seeing any credential at all, since the credential shouldn't be discoverable. You can simply generate multiple credentials and provide them separated by commas: cred1,cred2.

syphoxy (Author) commented Aug 18, 2022

I see. I just tried that, but it created one credential with the name 'cred1,cred2'. Do I need fido2luks 0.3.0-alpha for that?

syphoxy (Author) commented Aug 18, 2022

OK, I think there's been a misunderstanding.

Let's assume there are two LUKS devices:

  • /dev/sda1
  • /dev/sdb1

Let's run this once for now to create the credential for /dev/sda1:

$ fido2luks credential sda1
SDA1_CREDENTIAL_RESULT_HERE

Now we add these credentials to the respective LUKS devices:

$ sudo fido2luks add-key /dev/sda1 SDA1_CREDENTIAL_RESULT_HERE
OK

If one were to attempt to immediately unlock /dev/sda1 using the newly minted credential, everything works as expected:

$ sudo fido2luks open /dev/sda1 root SDA1_CREDENTIAL_RESULT_HERE
OK

Everything works. /dev/sda1 is successfully unlocked.

Let's now proceed to create our second credential for use on /dev/sdb1:

$ fido2luks credential sdb1
SDB1_CREDENTIAL_RESULT_HERE

Add it to /dev/sdb1:

$ sudo fido2luks add-key /dev/sdb1 SDB1_CREDENTIAL_RESULT_HERE
OK

Let's try to open /dev/sdb1 with our newly minted second credential:

$ sudo fido2luks open /dev/sdb1 data SDB1_CREDENTIAL_RESULT_HERE
OK

Everything still works. /dev/sdb1 is unlocked.

Let's close our LUKS devices:

$ sudo cryptsetup close root
$ sudo cryptsetup close data

If we try to unlock both of these devices again:

$ sudo fido2luks open /dev/sda1 root SDA1_CREDENTIAL_RESULT_HERE
FAIL

/dev/sda1 will fail to unlock.

$ sudo fido2luks open /dev/sdb1 data SDB1_CREDENTIAL_RESULT_HERE
OK

/dev/sdb1 will unlock successfully.

That being said, if I run fido2luks credential only once and use the same credential for both /dev/sda1 and /dev/sdb1, both devices can be unlocked and used normally.

Did I fundamentally misunderstand how I'm supposed to use this?

Is the idea here to use a separate salt between separate uses and the credential stays (from fido2luks credential) the same everywhere?
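
The sequence above, modelled in code as an added illustration (this is not fido2luks or ctap_hmac code, and it does not diagnose the bug). What the model takes from the CTAP2 hmac-secret extension is the part fido2luks builds on: every credential carries a secret CredRandom that never leaves the token, and an assertion with a salt returns HMAC-SHA-256(CredRandom, salt), so the key material a disk gets depends on the pair (credential, salt). Two things are assumptions, not facts from the page: that the `00` column in the `ykman fido credentials list` output is a shared user id, and that the token replaced the first discoverable credential for the same rp id and user id (which is what the listing showing only the newest name looks like). The salts are constructed values; how fido2luks derives its own salt is out of scope here.

```python
"""Toy model of a FIDO2 authenticator's hmac-secret extension.

Added example, not project code. The CredRandom/HMAC behaviour follows the
CTAP2 hmac-secret extension; the overwrite rule for discoverable credentials
with the same (rp_id, user_id) is an assumption used to reproduce the report.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Credential:
    cred_id: bytes
    rp_id: str
    user_name: str
    cred_random: bytes  # 32-byte secret that never leaves the authenticator


@dataclass
class Authenticator:
    store: dict = field(default_factory=dict)  # slot key -> Credential

    def make_credential(self, rp_id, user_name, user_id=b"\x00", discoverable=True):
        """Assumption: a discoverable credential occupies the slot (rp_id, user_id),
        so a second one for the same pair replaces the first. Non-discoverable
        credentials are keyed by their own id and never collide."""
        cred = Credential(os.urandom(16), rp_id, user_name, os.urandom(32))
        slot = (rp_id, user_id) if discoverable else cred.cred_id
        self.store[slot] = cred
        return cred.cred_id

    def hmac_secret(self, cred_id, salt):
        """hmac-secret output: HMAC-SHA-256(CredRandom, salt) for a live credential."""
        for cred in self.store.values():
            if cred.cred_id == cred_id:
                return hmac.new(cred.cred_random, salt, hashlib.sha256).digest()
        raise KeyError("credential no longer present on the authenticator")


def unlock_key(auth, cred_id, salt):
    """What an `open` needs: re-derive the key; None models the FAIL in the report."""
    try:
        return auth.hmac_secret(cred_id, salt)
    except KeyError:
        return None


def replay_report(discoverable=True):
    """Two `fido2luks credential` runs, one per disk, then close and reopen both.
    Returns (sda1_reopens, sdb1_reopens)."""
    auth = Authenticator()
    salt = b"constructed-salt"  # constructed; same salt for both disks, as in the report
    cred_sda1 = auth.make_credential("fido2luks", "sda1", discoverable=discoverable)
    key_sda1 = auth.hmac_secret(cred_sda1, salt)  # add-key for /dev/sda1
    cred_sdb1 = auth.make_credential("fido2luks", "sdb1", discoverable=discoverable)
    key_sdb1 = auth.hmac_secret(cred_sdb1, salt)  # add-key for /dev/sdb1
    # cryptsetup close, then open again: only a surviving credential gives the key back
    sda1_ok = unlock_key(auth, cred_sda1, salt) == key_sda1
    sdb1_ok = unlock_key(auth, cred_sdb1, salt) == key_sdb1
    return sda1_ok, sdb1_ok


def one_credential_two_salts():
    """One credential reused for both disks, told apart by salt.
    Returns (keys_differ, both_reopen)."""
    auth = Authenticator()
    cred = auth.make_credential("fido2luks", "shared")
    salts = {"/dev/sda1": b"salt-for-sda1", "/dev/sdb1": b"salt-for-sdb1"}  # constructed
    keys = {dev: auth.hmac_secret(cred, s) for dev, s in salts.items()}
    keys_differ = keys["/dev/sda1"] != keys["/dev/sdb1"]
    both_reopen = all(unlock_key(auth, cred, s) == keys[d] for d, s in salts.items())
    return keys_differ, both_reopen


if __name__ == "__main__":
    print("two discoverable credentials, reopen (sda1, sdb1):", replay_report())
    print("two non-discoverable credentials, reopen:", replay_report(discoverable=False))
    print("one credential, two salts (differ, both reopen):", one_credential_two_salts())
```

Under these assumptions the model reproduces all three observations in the thread: two discoverable credentials give (False, True) because the first slot was overwritten, two non-discoverable credentials give (True, True), which is the behaviour the owner describes, and one credential with a distinct salt per device yields two different keys that both survive a reopen, which is the single-credential workflow the reporter found to work.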

solomon-b commented

I'm running into this same issue.
