7

I have encrypted an external hard drive using LUKS2 on my machine running Fedora 34 using the cryptsetup command.

When I now plug in the hard drive and enter the passphrase, the drive is unlocked successfully, and I can access my files. Additionally, I'd like to be able to unlock the drive using my FIDO2 security key. I have added the key as an unlock option using this command:

sudo systemd-cryptenroll --fido2-device=auto /dev/sdc1 

In the documentation for the /etc/crypttab file, I found out how to automatically unlock such a drive during boot.

Unfortunately, I did not find any documentation on how to unlock such a drive manually using the FIDO2 key. When I try to unlock it using cryptsetup open /dev/sdc1 myLuks, I have to enter the passphrase. In the manual for cryptsetup I could not find a parameter similar to --fido2-device either.

Can someone explain how to unlock a LUKS2 encrypted drive manually using a FIDO2 key?

Thanks in advance

2 Answers

3

You should be able to manually unlock the device with systemd-cryptsetup

sudo /usr/lib/systemd/systemd-cryptsetup attach myLuks /dev/sdc1 - fido2-device=auto 

You can't use cryptsetup to unlock LUKS devices using FIDO (or TPM2) right now; support for these is in systemd only (it uses a LUKS2 feature which allows adding "foreign" metadata to the LUKS header, but the code to work with FIDO/TPM2 is only in systemd, so cryptsetup doesn't know how to get the key from FIDO/TPM2). This will change: cryptsetup 2.4.0 (not released yet, RC0 is currently available in Fedora Rawhide and Debian Experimental) adds a new plugin interface, and it will be possible to use cryptsetup open to automatically open the device using FIDO/TPM2 (and other "tokens" supported by systemd) in the future.

6
  • Thanks for your answer, this does seem to be the correct command, but unfortunately, it fails due to an error. I performed the command you suggested and got the following output (and was asked for the passphrase again): Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/sdc1. Automatically discovered security FIDO2 token unlocks volume. Asking FIDO2 token for authentication. Failed to activate with FIDO2 decrypted key. (Key incorrect?) 🔐 Please enter passphrase for disk <my disk model> (myLuks): (press TAB for no echo) Commented Jul 20, 2021 at 19:38
  • While setting up the key, I had to enter the pin and press the physical button. Now to unlock it, it did not ask for the pin at all. I'm using systemd 248 (v248.4-1.fc34) if that is relevant. Commented Jul 20, 2021 at 19:40
  • I think you are hitting the same issue that's described here, but I'm not 100 % sure (at least the result and error message are the same). The fix linked to the issue is available only in systemd 249 (which is not available in F34). Commented Jul 20, 2021 at 19:55
  • 1
    I have compiled and installed systemd 249 on a Fedora 34 machine and can confirm that it worked flawlessly. I hope the new systemd will be available in Fedora 34 in the future. Thanks again for your help! Commented Aug 14, 2021 at 11:46
  • 1
    Since cryptsetup >= 2.4 is now available (e.g. on Fedora 35), are there any options one should specify to use it with the plugin interface (i.e. to unlock Fido2 slots) - or should that work automagically? Commented Nov 16, 2021 at 9:45
2

In Fedora 37 with cryptsetup 2.5.0, the following works:

sudo cryptsetup open --token-only /dev/sdb1 myLuks 
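The two answers together describe three situations: a header with a systemd-fido2 token on a cryptsetup new enough (2.4.0 or later) to use its plugin interface, the same header on an older cryptsetup where only systemd-cryptsetup can consume the token, and a header with no token at all. The script below is an added example, not code from either answer or from the cryptsetup or systemd projects: it inspects `cryptsetup luksDump` output for a systemd-fido2 token, compares the installed cryptsetup version against 2.4.0, and prints the matching unlock command. The two luksDump samples are constructed and abridged (field values are made up), the volume name `myLuks` and device `/dev/sdc1` are taken from the question, and `suggest_for_device` is a hypothetical helper that would run the same logic against a real device.

```shell
#!/bin/sh
# Added example (not from the question or either answer): pick the manual
# unlock command for a LUKS2 volume from what the header and the installed
# cryptsetup version support. Device names and dumps are illustrative.

# Constructed, abridged sample of `cryptsetup luksDump` output for a header
# that carries a systemd-fido2 token in token slot 0, bound to keyslot 1.
SAMPLE_DUMP_FIDO2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-fido2
        fido2-credential: 4a6b2f (constructed)
        fido2-salt:       9c1d (constructed)
        fido2-rp:         io.systemd.cryptsetup
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
'

# Constructed sample of the same header before any token was enrolled.
SAMPLE_DUMP_PLAIN='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
'

# header_has_token DUMP TYPE -> exit 0 if a token of TYPE is listed.
# Token lines in luksDump look like "  0: systemd-fido2".
header_has_token() {
  printf '%s\n' "$1" | grep -qE "^[[:space:]]*[0-9]+:[[:space:]]+$2[[:space:]]*$"
}

# version_ge A B -> exit 0 if dotted version A >= B (numeric fields).
version_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$2" ]
}

# unlock_command VOLUME DEVICE DUMP CRYPTSETUP_VERSION prints the command:
#  - cryptsetup >= 2.4.0 reads systemd tokens through its plugin interface,
#    so `cryptsetup open --token-only` uses the FIDO2 token directly;
#  - older cryptsetup cannot read the token, so the fallback is
#    systemd-cryptsetup with the crypttab-style fido2-device=auto option;
#  - with no token in the header only the passphrase path remains.
unlock_command() {
  vol=$1; dev=$2; dump=$3; ver=$4
  if header_has_token "$dump" systemd-fido2; then
    if version_ge "$ver" 2.4.0; then
      printf 'cryptsetup open --token-only %s %s\n' "$dev" "$vol"
    else
      printf '/usr/lib/systemd/systemd-cryptsetup attach %s %s - fido2-device=auto\n' "$vol" "$dev"
    fi
  else
    printf 'cryptsetup open %s %s\n' "$dev" "$vol"
  fi
}

# suggest_for_device VOLUME DEVICE: hypothetical live variant that reads the
# real header and version (luksDump needs root). Not invoked below.
suggest_for_device() {
  dump=$(cryptsetup luksDump "$2") || return 1
  ver=$(cryptsetup --version | awk '{print $2}')
  unlock_command "$1" "$2" "$dump" "$ver"
}

# Walk the constructed samples with a pre-2.4 and a post-2.4 version.
for ver in 2.3.4 2.5.0; do
  echo "cryptsetup $ver, FIDO2 token present: $(unlock_command myLuks /dev/sdc1 "$SAMPLE_DUMP_FIDO2" "$ver")"
done
echo "no token in header:                  $(unlock_command myLuks /dev/sdc1 "$SAMPLE_DUMP_PLAIN" 2.5.0)"
```

The token check is the useful part: if `luksDump` shows no systemd-fido2 token, the enrolment never landed in the header and no amount of `--token-only` or `fido2-device=auto` will avoid the passphrase prompt, so check the header first when the FIDO2 path unexpectedly falls back to a passphrase.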
