Setting up FIDO2 on Linux (2) - Decrypt LUKS with FIDO2

Setting up FIDO2 on Linux (2) - Decrypt LUKS with FIDO2

ADM-MIDA0UI
  2024-05-25 20:00 2024-05-25 20 Created   2024-05-27 01:30:10 2024-05-27 01:30 Updated    

Prerequisites

Fedora is used as the base system for this guide. The same steps can be followed on other distributions.

Fedora comes with systemd-cryptsetup by default, which is a utility to manage encrypted block devices. We will use this utility to easily add a FIDO2 key as a mean to unlock the LUKS filesystem. You can also rely on your computer’s TPM chip instead of a FIDO2 key, but this guide will focus on the latter. The steps are similar for both methods though.

Note that systemd-cryptsetup only supports LUKS2 and Fedora have been using LUKS2 by default since Fedora 30. If you have an older LUKS1 filesystem, you can upgrade it to LUKS2.

If you did a full disk encryption during installation, you are ready to start with the steps below. If you wish to encrypt an existing Fedora disk, you can follow our previous guide on Encrypt an Existing Fedora Disk with LUKS.

Learn more about LUKS and FIDO2 in the previous post.

Identify the LUKS Partition

You will need the device path of the LUKS partition to add the FIDO2 key. Run the following command to list all block devices:

1
lsblk -f

The LUKS partition will have a crypto_LUKS filesystem type. In this example, the LUKS partition is /dev/nvme0n1p6 since I use dual-boot with Windows on the same drive.

Dracut Configuration

Dracut is the tool used to generate the initramfs image in Fedora. We need to add the FIDO2 module to the initramfs image to be able to unlock the LUKS partition with a FIDO2 key.

1
echo "add_dracutmodules+=\" fido2 \"" | sudo tee /etc/dracut.conf.d/fido2.conf

Now, enroll the FIDO2 key to the LUKS partition as an additional unlock method:

1
sudo systemd-cryptenroll --fido2-device auto /dev/nvmen1p3

By default PIN (if set up) and presence (touch) are the requested means for use.

Next, update crypttab and append fido2-device=auto to the options of the LUKS partition:

1
sudo systemd-cryptenroll --fido2-device auto /dev/nvmen1p3

Finally, regenerate the initramfs image:

1
sudo dracut -f

Know that the prompt for the LUKS password will be the same as before, but you will have to use the FIDO2 key PIN there instead and touch the key.

Preview

This post relies on the Fedora Magazine article here

  • Title: Setting up FIDO2 on Linux (2) - Decrypt LUKS with FIDO2
  • Author: ADM-MIDA0UI
  • Created at: 2024-05-25 20:00:00
  • Updated at: 2024-05-27 01:30:10
  • Link: https://admida0ui.de/2024/05/25/fido-2/
  • License: This work is licensed under CC BY-NC-SA 4.0.
On this page
Setting up FIDO2 on Linux (2) - Decrypt LUKS with FIDO2
  1. Prerequisites
  2. Identify the LUKS Partition
  3. Dracut Configuration