Open khionu opened 10 months ago
I did some digging, and it looks like the best way to do this would be with `fido2luks`, which is what `boot.initrd.luks.fido2Support` uses (source).
How it could be implemented would be disko calls `fido2luks token add`, using the known device, given slot, and assumed-valid credential-id. Alternatively, if disko is fine with the assumption that the FIDO2 device is present, `fido2 add-key` would be viable, though it's my assumption that that is less desired.
I've added it to my fork, and if a PR would be welcome, I'll happily open one. https://github.com/khionu/disko/commit/77a17a1328f0ee82543bbaa1ab0474ccdf794e5a
I've updated the commit. Turns out that this is a far more complicated topic than I realized and it will take more time to figure out how to pregenerate keys. That said, I think it's better to have a solution that assumes the FIDO2 device is present (which my fork now does) than to not have a solution for this in disko at all, so my offer to make a PR still stands.
I'm also interested in seeing `systemd-cryptenroll` integration, but with TPM2 options instead of FIDO2.
Interested 🕵️
Hey, thank you for the work on the patch! We're definitely interested in a PR, but it would be good if you add a test as well, so we can be sure we don't accidentally break this behavior in the future.
I just added documentation for running tests (not yet merged), so this should help you get started.
Looking here, I'm not sure if it's even possible to have disko do the setup without a patch? If a patch is required, I'd be happy to make the patch, but I'm afraid I'm not sure how to do so without `systemd-cryptenroll`, which I don't think is a viable option from an installation context?