Hello,
I’ve been playing around with setting up a LUKS partition and I’ve succeeded in having a working setup.
But now I would like to add an additional FIDO2 device in case I lose my primary device.
I’ve tried searching and reading online, but haven’t found anything in relation to this.
Here is my current setup:
I used Disko to do the initial partitioning:
    luks = {
      size = "100%";
      content = {
        type = "luks";
        name = "nvme0n1p3_encrypted";
        settings = {
          allowDiscards = true;
        };
        passwordFile = "/tmp/secret.key";
        content = {
          type = "zfs";
          pool = "gnix";
        };
      };
    };
You can see the full config here: nixos-config/hosts/gnix/disk-configuration.nix at 7b447c707cc793cb2acc276b2f4de622aac979a5 · moleculezz/nixos-config · GitHub
And my NixOS configuration is as follows:
    boot.initrd = {
      systemd.enable = true; # initrd uses systemd
      luks.fido2Support = false; # because systemd
      luks.devices.nvme0n1p3_encrypted = {
        device = "/dev/disk/by-partlabel/disk-nvme-luks";
        crypttabExtraOpts = ["fido2-device=auto"]; # cryptenroll
      };
    };
Then after first boot I ran:
    sudo systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p3
I tried connecting my other FIDO2 device and running the same command as I did with the first one, and I filled in the initial passwordFile I used when I created the first one, but I get an error that the password is incorrect. I would assume that the new credential is the primary FIDO2 key, but how do I use the primary device to add another device?
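A check worth running before and after enrolling the second key, added here as an example and not part of the original post: it reads the LUKS2 JSON header that `cryptsetup luksDump --dump-json-metadata <device>` prints and reports which keyslots are bound to `systemd-fido2` tokens and whether a token-less (passphrase/key-file) slot is still available as a fallback. The sample header below is constructed and trimmed to the fields the check reads; the credential and salt values are placeholders.

```python
import json

# Constructed sample in the shape of `cryptsetup luksDump --dump-json-metadata`
# output, trimmed to the fields this check reads. Keyslot 0 is a plain
# passphrase slot (the disko passwordFile); keyslot 1 is bound to one
# systemd-fido2 token. Credential and salt values are placeholders.
SAMPLE_DUMP = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "luks2", "key_size": 64},
    },
    "tokens": {
        "0": {
            "type": "systemd-fido2",
            "keyslots": ["1"],
            "fido2-credential": "PLACEHOLDER-CREDENTIAL",
            "fido2-salt": "PLACEHOLDER-SALT",
            "fido2-rp": "io.systemd.cryptsetup",
        },
    },
})


def keyslot_bindings(dump_json: str) -> dict:
    """Map every LUKS2 keyslot id to the list of token types bound to it.

    A keyslot with no tokens is unlocked by a passphrase or key file only."""
    meta = json.loads(dump_json)
    bindings = {slot: [] for slot in meta.get("keyslots", {})}
    for token in meta.get("tokens", {}).values():
        for slot in token.get("keyslots", []):
            bindings.setdefault(slot, []).append(token["type"])
    return bindings


def fido2_enrollment_status(dump_json: str) -> dict:
    """Summarise what a recovery plan needs: how many FIDO2 slots exist and
    whether a passphrase/key-file slot still exists to fall back on."""
    bindings = keyslot_bindings(dump_json)
    fido2_slots = sorted(s for s, t in bindings.items() if "systemd-fido2" in t)
    passphrase_slots = sorted(s for s, t in bindings.items() if not t)
    return {
        "fido2_slots": fido2_slots,
        "passphrase_slots": passphrase_slots,
        "has_backup_fido2": len(fido2_slots) >= 2,
        "has_passphrase_fallback": bool(passphrase_slots),
    }


if __name__ == "__main__":
    print(json.dumps(fido2_enrollment_status(SAMPLE_DUMP), indent=2))
```

On a real system, feed the output of `cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p3` to `fido2_enrollment_status`; a second successful enrollment should show two FIDO2-bound keyslots while the passphrase slot remains.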