| author | Luca Boccassi <luca.boccassi@microsoft.com> | 2021-04-12 21:06:59 +0100 |
|---|---|---|
| committer | Luca Boccassi <bluca@debian.org> | 2021-05-07 21:36:27 +0100 |
| commit | cde2f8605e0c3842f9a87785dd758f955f2d04ba (patch) | |
| tree | 26d259cdb23f9ace361340a87d584ab379259fde /man/systemd-cryptenroll.xml | |
| parent | cd5f57bda71dc9485d7eddf6cfcbfba843f5126c (diff) | |
| download | systemd-cde2f8605e0c3842f9a87785dd758f955f2d04ba.tar.gz | |
FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246
Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
Diffstat (limited to 'man/systemd-cryptenroll.xml')
-rw-r--r-- | man/systemd-cryptenroll.xml | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index 9751444e50..e1c5a41aac 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -126,6 +126,13 @@ </varlistentry> <varlistentry> + <term><option>--fido2-with-client-pin=</option><replaceable>BOOL</replaceable></term> + + <listitem><para>When enrolling a FIDO2 security token, controls whether to require the user to + enter a PIN when unlocking the volume. Defaults to <literal>yes</literal>.</para></listitem> + </varlistentry> + + <varlistentry> <term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term> <listitem><para>Enroll a TPM2 security chip. Expects a device node path referring to the TPM2 chip |
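Review bot: the new `<listitem>` for `--fido2-with-client-pin=` only states the default, while the commit message describes two behaviours a user needs to know before choosing `no`: enrollment fails immediately if the token makes the client PIN a hard requirement, and the choice is recorded in the LUKS header metadata so the same option set is applied at unlock time. Suggest extending the paragraph after `Defaults to <literal>yes</literal>.` with something like: `If the security token requires a PIN, enrollment with <literal>no</literal> fails. The choice is stored in the LUKS header metadata and honoured when the volume is unlocked.` It would also help to say what values `<replaceable>BOOL</replaceable>` accepts, since the option description gives no hint beyond the `yes` default.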