FDE using systemd-cryptenroll with fido2 key

Hey guys,

This is my first post here and I am relatively new to NixOS and not too experienced with Linux either so please excuse my newbishness. I’ve been reading up on and playing around with FDE using a hardware security key like Yubikey on NixOS (Yubikey based Full Disk Encryption (FDE) on NixOS - NixOS Wiki). However, I feel like this process could be much more streamlined if one could use something like systemd-cryptenroll’s fido2 support instead of what’s described in the guide. Or even better if it could be done declaratively through Disko or something (from reading the source of Disko, my understanding is that the luks support is limited to passphrases for now).

Anyhow, I figure that it should be possible to at least do the enrollment step using systemd-cryptenroll. However, I am not sure how I get NixOS to use that header entry during Stage 1 boot after enrollment. Has anyone else been down this rabbit hole and would care to shed some light on the matter?

Kind Regards!

I recently converted my partitions to LUKS2 and keyslots to systemd-cryptenroll.

This post described how to do the NixOS side: Using FIDO2 LUKS with yubikey pin - #3 by ElvishJerricco. To elaborate, these are the relevant options which you should merge into your configuration:

```nix
let
  luksName = "root";  # name for opened crypt device
in {
  boot.initrd = {
    systemd.enable = true;  # initrd uses systemd
    luks.fido2Support = false;  # because systemd
    luks.devices.${luksName} = {
      device = BLKDEV_HERE;
      crypttabExtraOpts = ["fido2-device=auto"];  # cryptenroll
    };
  };
  fileSystems."/" = {
    device = "/dev/mapper/${luksName}";
    fsType = FSTYPE_HERE;
  };
}
```

On the systemd-cryptenroll side, it’s done exactly as per the systemd documentation online. Your commands will obviously be different but I think the main enrollment command which I used was:

```shell
systemd-cryptenroll --fido2-device=auto --fido2-with-user-presence=false --fido2-with-user-verification=true BLKDEV_HERE
```
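Before rebooting into a systemd stage 1 that relies on `fido2-device=auto`, it is worth confirming from the LUKS2 header that the enrollment above actually bound a keyslot to a systemd-fido2 token and that a passphrase-only keyslot is still present as a fallback. The script below is an added example, not code from the thread: it parses the JSON printed by `cryptsetup luksDump --dump-json-metadata BLKDEV`; the embedded sample metadata is constructed, and the `fido2-*` token field names are assumed to match systemd's token format.

```python
"""Check LUKS2 token metadata for systemd-fido2 enrollment (added example)."""
import json
import subprocess
from typing import Dict, List

# Constructed sample of `cryptsetup luksDump --dump-json-metadata` output,
# trimmed to the parts this check uses: keyslot 0 is a plain passphrase
# slot, keyslot 1 is bound to a systemd-fido2 token (field names assumed).
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {
        "type": "systemd-fido2",
        "keyslots": ["1"],
        "fido2-rp": "io.systemd.cryptsetup",
        "fido2-up-required": False,      # --fido2-with-user-presence=false
        "fido2-uv-required": True,       # --fido2-with-user-verification=true
        "fido2-clientPin-required": True,
    }},
})


def summarize_fido2(metadata_json: str) -> Dict[str, object]:
    """Report fido2-bound keyslots, token-less fallback keyslots and policy flags."""
    meta = json.loads(metadata_json)
    keyslots = set(meta.get("keyslots", {}))
    tokens = meta.get("tokens", {}).values()
    fido2_slots: List[str] = []
    policies: List[Dict[str, object]] = []
    for token in tokens:
        if token.get("type") != "systemd-fido2":
            continue
        fido2_slots.extend(token.get("keyslots", []))
        policies.append({"up": token.get("fido2-up-required"),
                         "uv": token.get("fido2-uv-required"),
                         "pin": token.get("fido2-clientPin-required")})
    # Any keyslot no token points at is unlocked by a passphrase only; keep
    # one so the disk stays recoverable if the security key is lost.
    token_slots = {s for t in tokens for s in t.get("keyslots", [])}
    fallback = keyslots - token_slots
    return {"fido2_keyslots": sorted(set(fido2_slots)),
            "fallback_keyslots": sorted(fallback),
            "ready_for_stage1": bool(fido2_slots),
            "has_fallback": bool(fallback),
            "policies": policies}


def summarize_device(blkdev: str) -> Dict[str, object]:
    """Run the check against a real device (needs root; not run offline)."""
    out = subprocess.run(["cryptsetup", "luksDump", "--dump-json-metadata", blkdev],
                         check=True, capture_output=True, text=True).stdout
    return summarize_fido2(out)


if __name__ == "__main__":
    print(json.dumps(summarize_fido2(SAMPLE_METADATA), indent=2))
```

A result with `ready_for_stage1` true but `has_fallback` false means the only way into the disk is the hardware key, which is the state the enrollment docs warn about; add a recovery key before relying on it.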

Yea, the method described in the guide that @modular6338 linked is not long for this world. The yubikey stuff we have in the scripted stage 1 is going to go away when we get rid of scripted stage 1 altogether in favor of systemd stage 1 hopefully within the next year, precisely because it’s strange, arcane, and less reliable compared to systemd-cryptenroll.

Thank you so much for the replies.

@rvl your suggestion worked like a charm; although I believe the filesystem part is added automatically by the hardware scanner when generating hardware-configuration.nix using nixos-generate-config during manual install.

@ElvishJerricco yeah thank you for confirming my suspicion. Feels like there’s room for a more up to date guide on the wiki in the future, at least for us rookies hehe. Let me know if it is possible and desirable for me to contribute with an edited version of the guide I linked to. Although, the manual section about NixOS and fido2 referenced in your post was quite good at explaining it so I guess that should suffice for most users. I ofc missed that section when reading up on the subject…

Appreciate the help, cheers!