Using FIDO2 LUKS with YubiKey PIN

Howdy,

I am trying to configure my system so that I can access a LUKS-encrypted root partition via a FIDO2 token as outlined in the NixOS manual. The problem is, the device I am currently using to store the private key (YubiKey 5) requires a PIN, and the Nix module provides no way to request one. Previously, when creating the FIDO2 credential, I was able to mitigate this by providing the `-P` flag to the fido2luks CLI (it makes fido2luks request the PIN). My question is, what would be the best way to get this to work (FIDO2 + LUKS + YubiKey 5)? Should I fork the module to make this small change, or is there an easier way?

Thanks,
smkuehnhold
