Using FIDO2 LUKS with YubiKey PIN

Btw, `systemd-cryptenroll` can add a FIDO2-derived key to a LUKS drive, and the new (experimental) systemd-based initrd will support it almost out of the box. You just need `boot.initrd.systemd.enable = true;`, a (very) recent nixos-unstable, and I think `boot.initrd.luks.devices.FOO.crypttabExtraOpts = ["fido2-device=auto"];`

5 Likes
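The setup described in the post above, written out as a module fragment. This is an added example, not part of the original post: the device name `cryptroot`, the `<LUKS-UUID>` placeholder and the `token-timeout` value are assumptions, and the enrollment command in the comments is one way to enroll the token with a PIN requirement.

```nix
{ ... }:
{
  # One-time enrollment, run from the booted system before switching to this
  # configuration (assumed invocation; <LUKS-UUID> is a placeholder):
  #
  #   systemd-cryptenroll --fido2-device=auto \
  #     --fido2-with-client-pin=yes \
  #     /dev/disk/by-uuid/<LUKS-UUID>
  #
  # The PIN requirement is recorded in the LUKS2 token metadata at enrollment,
  # so no PIN-related option is needed below. Enrolling adds a new key slot;
  # the existing passphrase slot stays in place as a recovery path if the
  # token is lost or broken.

  # Stage 1 built on systemd, which unlocks the volume via systemd-cryptsetup
  # (experimental, as the post notes).
  boot.initrd.systemd.enable = true;

  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/<LUKS-UUID>";

    # Passed through as crypttab options for this volume.
    crypttabExtraOpts = [
      # Use whichever enrolled FIDO2 token is plugged in.
      "fido2-device=auto"
      # Assumed value: how long (seconds) to wait for the token to appear
      # before falling back to a passphrase prompt.
      "token-timeout=20"
    ];
  };
}
```

Running `systemd-cryptenroll /dev/disk/by-uuid/<LUKS-UUID>` with no other options lists the enrolled slots, which is a quick check that both the `fido2` and `password` entries are present before rebooting.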