2025-11-12 - LUKS
One of the first things I do on a new Linux system is to set up FIDO2 unlocking of encrypted filesystems. On Arch-based systems this process is of course described in the wiki.
First we need to install libfido2. With dcli we can simply put that in our base.yaml:
# Base packages installed on all machines
# These packages form the foundation of your system
description: Base packages for all machines
packages:
- base
- libfido2
- linux-firmware
- networkmanager
- git
- tailscale
We then need to figure out which device to set up unlocking for and which device to unlock with. We can do this with the following commands:
# List disks that can be set up
> sudo systemd-cryptenroll --list-devices
# List FIDO2 devices
> sudo systemd-cryptenroll --fido2-device list
In my case the disk /dev/nvme1n1p2 will be unlocked with the FIDO2 key at /dev/hidraw4. Since I also want to require the PIN to be entered, I add --fido2-with-client-pin=yes. User presence (usually pressing the button on the hardware key) is already the default.
> sudo systemd-cryptenroll /dev/nvme1n1p2 --fido2-device=/dev/hidraw4 --fido2-with-client-pin=yes
🔐 Please enter current passphrase for disk /dev/nvme1n1p2: ••••••••••••••••••••••••
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
🔐 Please enter security token PIN: ••••••••
Generating secret key on FIDO2 security token.
👆 In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.
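To confirm what was actually enrolled, the following script (an added example, not part of the original post) reads the token JSON that cryptsetup stores in the LUKS2 header and checks that the systemd-fido2 token really requires both the client PIN and user presence. The field names (fido2-clientPin-required, fido2-up-required) are the ones systemd-cryptenroll writes; the audit_luks_device helper, its sed pattern and the sample JSON are assumptions/constructed for this example.

```shell
#!/bin/sh
# Added example: audit a LUKS2 FIDO2 enrollment made with systemd-cryptenroll.
# Token JSON is obtained with `cryptsetup token export --token-id N DEVICE`
# (needs root on a real device); the parsing below is plain grep so it runs
# anywhere. Field names follow systemd's token format; helpers are assumed.

# Print the boolean value of "key":true/false from JSON on stdin.
# Prints nothing (and still exits 0) when the key is absent.
json_bool() {
    grep -Eo "\"$1\"[[:space:]]*:[[:space:]]*(true|false)" \
        | head -n 1 | grep -Eo '(true|false)$' || true
}

# Check one token's JSON (stdin). Exit 0 if it is a systemd-fido2 token that
# requires client PIN and user presence; otherwise report why and exit 1.
check_fido2_token() {
    json=$(cat)
    status=0
    printf '%s' "$json" \
        | grep -Eq '"type"[[:space:]]*:[[:space:]]*"systemd-fido2"' \
        || { echo "not a systemd-fido2 token"; return 1; }
    pin=$(printf '%s' "$json" | json_bool fido2-clientPin-required)
    up=$(printf '%s' "$json" | json_bool fido2-up-required)
    [ "$pin" = true ] \
        || { echo "PIN not required (re-enroll with --fido2-with-client-pin=yes)"; status=1; }
    [ "$up" = true ] \
        || { echo "user presence not required (re-enroll with --fido2-with-user-presence=yes)"; status=1; }
    return $status
}

# Assumed real-world entry point (root required): walk every systemd-fido2
# token listed by luksDump and run the check on each one.
audit_luks_device() {
    dev=$1
    for id in $(cryptsetup luksDump "$dev" \
                | sed -n 's/^ *\([0-9][0-9]*\): systemd-fido2$/\1/p'); do
        echo "token $id:"
        cryptsetup token export --token-id "$id" "$dev" | check_fido2_token
    done
}
# Usage on the disk from the post: audit_luks_device /dev/nvme1n1p2
```

The passphrase enrolled in key slot 0 is untouched by the FIDO2 enrollment (the token landed in slot 1 above), so it remains the fallback if the hardware key is lost.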