FDE using systemd-cryptenroll with fido2 key

I recently converted my partitions to LUKS2 and keyslots to systemd-cryptenroll.

This post described how to do the NixOS side: Using FIDO2 LUKS with yubikey pin - #3 by ElvishJerricco. To elaborate, these are the relevant options which you should merge into your configuration:

```nix
let
  luksName = "root";  # name of the opened crypt device under /dev/mapper
in {
  boot.initrd = {
    systemd.enable = true;  # systemd-based initrd: systemd-cryptsetup performs the FIDO2 unlock
    luks.fido2Support = false;  # the scripted-initrd FIDO2 path is not used with the systemd initrd
    luks.devices.${luksName} = {
      device = BLKDEV_HERE;
      crypttabExtraOpts = ["fido2-device=auto"];  # unlock with any enrolled FIDO2 token (systemd-cryptenroll)
    };
  };
  fileSystems."/" = {
    device = "/dev/mapper/${luksName}";
    fsType = FSTYPE_HERE;
  };
}
```

On the systemd-cryptenroll side, it’s done exactly as per the systemd documentation online. Your commands will obviously be different, but I think the main enrollment command which I used was:

```sh
systemd-cryptenroll --fido2-device=auto --fido2-with-user-presence=false --fido2-with-user-verification=true BLKDEV_HERE
```
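As an added example (not from the original post), here is a small POSIX shell check to run after enrollment: it parses `cryptsetup luksDump` output and reports which LUKS2 keyslots are bound to a `systemd-fido2` token and which are plain passphrase slots, so you can confirm the token is enrolled and that a token-less recovery keyslot still exists before you remove anything. The function names and the abbreviated `luksDump` sample embedded below are my own constructions; on a real system you would pipe `cryptsetup luksDump BLKDEV_HERE` into `luks_slot_bindings`.

```shell
#!/bin/sh
# Added example: verify systemd-fido2 enrollment state from a LUKS2 header dump.
# Usage on a real system: cryptsetup luksDump BLKDEV_HERE | luks_slot_bindings

# Print "<keyslot> <token-type>" for every keyslot, "none" when no token is bound.
luks_slot_bindings() {
  awk '
    /^Keyslots:/ { section = "keyslots"; next }
    /^Tokens:/   { section = "tokens";   next }
    /^[A-Za-z]/  { section = "";         next }   # any other top-level header
    section == "keyslots" && /^  [0-9]+: / {
      slot = $1; sub(/:/, "", slot); slots[slot] = "none"
    }
    section == "tokens" && /^  [0-9]+: /     { ttype = $2 }       # e.g. "0: systemd-fido2"
    section == "tokens" && /^[ \t]+Keyslot:/ { slots[$2] = ttype } # bind token type to its slot
    END { for (s = 0; s < 32; s++) if (s in slots) print s, slots[s] }
  '
}

# Succeed (exit 0) only if at least one keyslot is FIDO2-bound AND at least one
# keyslot has no token, i.e. a passphrase recovery path remains.
fido2_enrollment_ok() {
  bindings=$(luks_slot_bindings)
  fido=$(printf '%s\n' "$bindings" | grep -c ' systemd-fido2$' || true)
  plain=$(printf '%s\n' "$bindings" | grep -c ' none$' || true)
  [ "$fido" -ge 1 ] && [ "$plain" -ge 1 ]
}

# Constructed, abbreviated luksDump output: slot 0 is a passphrase, slot 1 is
# bound to a systemd-fido2 token (as after the enrollment command above).
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
Data segments:
  0: crypt
    cipher: aes-xts-plain64
Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
  1: luks2
    Key:        512 bits
    Priority:   normal
Tokens:
  0: systemd-fido2
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256
'

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | luks_slot_bindings
if printf '%s\n' "$SAMPLE_DUMP" | fido2_enrollment_ok; then
  echo "ok: FIDO2-bound keyslot present and a passphrase recovery keyslot remains"
else
  echo "warning: no FIDO2 keyslot, or no token-less recovery keyslot left"
fi
```

Run this before using `systemd-cryptenroll --wipe-slot=` to remove the original passphrase slot: if the check fails because the only remaining slots are token-bound, losing or resetting the FIDO2 key would lock you out of the volume.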