khefin will be deprecated at the end of 2022

[mjec]

As the primary author of khefin, I'm announcing my intention to deprecate this tool at the end of 2022.

Why?

Khefin was originally created to enable use of a FIDO2 security key for a LUKS encrypted disk. Support for FIDO2 keys in LUKS now exists in systemd, and has since version 248. This obviates my primary use case for khefin (and seemingly the primary use case of others). The only other use to which I put khefin has been as an ssh-askpass implementation, and I also no longer use that regularly (instead using an ssh-agent implementation built into my password manager).

What should I use instead?

The systemd implementation of disk encryption keys is likely better than mine, and certainly has more eyes on it. I strongly recommend using that instead. Migration should be a matter of adding a new decryption key to a new keyslot using systemd-cryptenroll and then killing your khefin keyslot (plus requisite backups and testing; I would never kill an existing key without proving I am able to unlock the drive with the new key).

I do not have specific suggested replacements for other use cases, but if you're stuck feel free to open an issue and I'll try to help.

What do you mean by deprecation?

• I will not do any further development on khefin
• I will archive this repository in GitHub, making it read-only
• I will remove the AUR package for khefin

I have made a similar advance deprecation announcement through the AUR post-upgrade hook and in the PKGBUILD file for version 0.6.1-3. I've also updated the README file in this repository.

If you are interested in taking over this project, please reach out, either by commenting on this issue or emailing me at [email protected]. I am open to passing on ownership.

If there is a good reason not to deprecate the project, please leave a comment on this issue.