Using FIDO2 LUKS with yubikey pin


I am trying to configure my system so that I can access a LUKS-encrypted root partition via a FIDO2 token as outlined in the NixOS manual. The problem is, the device I am currently using to store the private key (YubiKey 5) requires a PIN, and the Nix module provides no way to request one. Previously, when creating the FIDO2 credential, I was able to mitigate this by providing the -P flag to the fido2luks CLI (it makes fido2luks request the PIN). My question is, what would be the best way to get this to work (FIDO2 + LUKS + YubiKey 5)? Should I fork the module to make this small change, or is there an easier way?



Hi! Forking and sending in a PR is the way to do it :smiley:

I am trying to get mine working currently, I haven’t gotten as far as you it seems. I get:

CryptsetupError { cause: IOError(Os { code: 22, kind: InvalidInput, message: "Invalid argument" }) }

when trying to add-key.

Do you by chance remember the steps you took to get the key added in the first place?


Btw, systemd-cryptenroll can add a FIDO2-derived key to a LUKS drive, and the new (experimental) systemd-based initrd will support it almost out of the box. You just need boot.initrd.systemd.enable = true;, a (very) recent nixos-unstable, and I think boot.initrd.luks.devices.FOO.crypttabExtraOpts = ["fido2-device=auto"];
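For readers who want to see the whole setup in one place, here is an added example of the systemd-initrd approach from the reply above. It is not code from the thread or from the NixOS module itself; the device name "cryptroot", the placeholder UUID and the enrollment command in the comments are assumptions for illustration. The enrollment step uses systemd-cryptenroll's --fido2-device=auto and --fido2-with-client-pin=yes options, which is how a PIN-protected token such as a YubiKey 5 gets enrolled; systemd-cryptenroll only works on LUKS2 volumes, so the version check is included.

```nix
# Added example, not from the original thread. NixOS configuration for
# unlocking a LUKS2 root volume with a FIDO2 token via the systemd-based
# initrd. Device name, UUID and the commands below are placeholders.
#
# One-time enrollment, run from the installed system (assumed commands):
#
#   # systemd-cryptenroll requires LUKS2; "Version: 2" must appear here.
#   cryptsetup luksDump /dev/disk/by-uuid/0000-PLACEHOLDER | grep Version
#   # LUKS1 volumes can be converted in place (back up the header first):
#   cryptsetup convert --type luks2 /dev/disk/by-uuid/0000-PLACEHOLDER
#   # Enroll the token; the PIN is requested during enrollment and at boot.
#   systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes \
#     /dev/disk/by-uuid/0000-PLACEHOLDER
#
# After enrollment, the existing passphrase slot is still present and keeps
# working as a fallback if the token is lost.
{ config, lib, pkgs, ... }:

{
  # Use the experimental systemd-based initrd, which runs systemd-cryptsetup
  # and therefore understands the fido2-* crypttab options.
  boot.initrd.systemd.enable = true;

  boot.initrd.luks.devices."cryptroot" = {
    # Placeholder: replace with the real UUID of the LUKS2 container.
    device = "/dev/disk/by-uuid/0000-PLACEHOLDER";

    # Passed through to /etc/crypttab inside the initrd. "auto" tells
    # systemd-cryptsetup to pick whichever FIDO2 device is plugged in; it will
    # prompt for the token's PIN when the credential was enrolled with one.
    crypttabExtraOpts = [ "fido2-device=auto" ];
  };

  fileSystems."/" = {
    # Placeholder: the mapped device name matches the attribute name above.
    device = "/dev/mapper/cryptroot";
    fsType = "ext4";
  };
}
```

If the token is absent or the PIN is entered wrongly, systemd-cryptsetup falls back to asking for the LUKS passphrase, so it is worth keeping that slot enrolled rather than removing it after the FIDO2 slot is added.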


Turns out my issue was not having luks version 2!

Swoot - thanks @ElvishJerricco! That’s working for me now that I have a supported luks version :smiley: