FIDO2 setup
Notes on how a FIDO2 key can be set up on a Fedora Linux workstation.
Install fido2-tools package:
sudo dnf install -y fido2-tools
Set a PIN for the FIDO2 token (optional; the device path is the one listed by fido2-token -L) 1):
fido2-token -S /dev/hidraw1
To change the PIN:
fido2-token -C /dev/hidraw1
It seems that a Feitian key always needs to be reset before enrolling it to LUKS.
# fido2-token -L
/dev/hidraw1: vendor=0x096e, product=0x0854 (FT FIDO KB)
# Plug in the FIDO2 token and within five seconds run:
fido2-token -R /dev/hidraw1
LUKS disk encryption
Fedora
Setting up FIDO2 for LUKS encryption 2). Here /dev/sda3 is the LUKS partition of a freshly installed Fedora 37 workstation; use lsblk to check yours. In this example the user PIN and the presence touch are disabled, so the computer boots and opens the LUKS partition as long as the key is inserted (possession of the key alone unlocks the disk).
First enroll a recovery key (and write it down):
sudo systemd-cryptenroll --recovery-key /dev/sda3
Plug in your FIDO2 token and enroll it to LUKS:
sudo -i
cryptsetup luksDump /dev/sda3
systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=false --fido2-with-user-presence=false /dev/sda3
Please enter current passphrase for disk /dev/sda3: ************
Initializing FIDO2 credential on security token.
(Hint: This might require confirmation of user presence on security token.)
Please enter security token PIN: ****
Generating secret key on FIDO2 security token.
In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.
You can check the result with:
cryptsetup luksDump /dev/sda3
Modify /etc/crypttab (as root):
# nano /etc/crypttab
luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx UUID=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx - fido2-device=auto
Regenerate initramfs:
dracut --regenerate-all --force
Optionally you can remove the LUKS passphrase (after this only the FIDO2 token and the recovery key can open the volume):
cryptsetup -v luksRemoveKey /dev/sda3
Debian 12
Be careful: this might lead to a non-bootable system. You've been warned!
First reset the FIDO2 token and enable a PIN code for it.
# Install dracut
apt install dracut
apt purge cryptsetup-initramfs && apt autoremove --purge
echo "hostonly=yes" > /etc/dracut.conf.d/10-hostonly.conf
dracut -f
# Reboot to test
reboot
# Enroll your FIDO2 device to unlock Luks volume
apt install fido2-tools
nano /etc/crypttab
# Change the line:
# vda5_crypt UUID=165e9c6c-6277-49b1-ac51-94158b504964 none luks,discard
# to:
# vda5_crypt UUID=165e9c6c-6277-49b1-ac51-94158b504964 none luks,discard,fido2-device=auto
# Update initrd to include FIDO2 tools and updated /etc/crypttab
dracut -f
# Plug your FIDO2 device
systemd-cryptenroll --fido2-device=list
# Check your FIDO2 device is listed
systemd-cryptenroll --fido2-device=auto /dev/vda5
# Test if everything works
reboot
- This section is based on a forum post.
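Both the Fedora and the Debian 12 procedures above end with a crypttab edit and, optionally, removing the LUKS passphrase. The shell functions below are an added example, not code from the original page: they count the systemd-fido2 and systemd-recovery tokens that systemd-cryptenroll writes into a LUKS2 header (as shown by cryptsetup luksDump) so the passphrase is only removed once both a token and a recovery key exist, and they add fido2-device=auto to a crypttab entry idempotently. The luksDump excerpt and the crypttab lines are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks around the
# systemd-cryptenroll steps above. The luksDump excerpt and crypttab lines
# below are constructed samples.

# Count LUKS2 tokens of type $1 in `cryptsetup luksDump` output read on stdin.
# systemd-cryptenroll records the recovery key as "systemd-recovery" and the
# FIDO2 enrollment as "systemd-fido2" under the "Tokens:" section.
count_tokens() {
    awk -v want="$1" '
        /^Tokens:/  { in_tokens = 1; next }
        /^[A-Za-z]/ { in_tokens = 0 }   # any other top-level section ends the token list
        in_tokens && $1 ~ /^[0-9]+:$/ && $2 == want { n++ }
        END { print n + 0 }
    '
}

# Succeed only if both a FIDO2 token and a recovery key are enrolled, i.e. it
# is safe to run "cryptsetup luksRemoveKey" without ending up with a disk that
# only the (possibly lost) token can open.
# Usage: cryptsetup luksDump /dev/sda3 | ok_to_remove_passphrase && cryptsetup luksRemoveKey /dev/sda3
ok_to_remove_passphrase() {
    dump=$(cat)
    fido=$(printf '%s\n' "$dump" | count_tokens systemd-fido2)
    rec=$(printf '%s\n' "$dump" | count_tokens systemd-recovery)
    [ "$fido" -ge 1 ] && [ "$rec" -ge 1 ]
}

# Add fido2-device=auto to the options of the /etc/crypttab entry named $1
# (fields: name device keyfile options). stdin -> stdout, idempotent; comments
# and other entries pass through unchanged.
# Usage: crypttab_add_fido2 vda5_crypt < /etc/crypttab > /etc/crypttab.new
crypttab_add_fido2() {
    awk -v name="$1" '
        $1 == name && $0 !~ /^[[:space:]]*#/ {
            if (NF < 3) $3 = "none"                       # no keyfile field given
            if (NF < 4 || $4 == "-") $4 = "fido2-device=auto"
            else if ($4 !~ /(^|,)fido2-device=/) $4 = $4 ",fido2-device=auto"
        }
        { print }
    '
}

# Constructed luksDump excerpt after the recovery key (slot 1) and the FIDO2
# token (slot 2) have been enrolled; the passphrase still sits in slot 0.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
  0: systemd-recovery
        Keyslot:    1
  1: systemd-fido2
        fido2-credential: <constructed>
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256'

# Same header before the FIDO2 step: only the recovery token exists.
SAMPLE_DUMP_NO_FIDO='Tokens:
  0: systemd-recovery
        Keyslot:    1
Digests:
  0: pbkdf2'

# Constructed crypttab: a Debian-style entry and a Fedora-style entry with no options.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
vda5_crypt UUID=165e9c6c-6277-49b1-ac51-94158b504964 none luks,discard
luks-aaaa UUID=aaaa - -'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_DUMP" | ok_to_remove_passphrase \
        && echo "FIDO2 token and recovery key enrolled: passphrase may be removed"
    printf '%s\n' "$SAMPLE_DUMP_NO_FIDO" | ok_to_remove_passphrase \
        || echo "refusing: no FIDO2 token enrolled yet"
    printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_add_fido2 vda5_crypt
fi
```

Run it as `sh check.sh demo` to see the two decisions and the rewritten crypttab. On a real system, feed `cryptsetup luksDump /dev/sda3` into ok_to_remove_passphrase right before the luksRemoveKey step, and run dracut after the crypttab change exactly as the page does, since the initrd carries its own copy of the file.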
gdm login
Note that this requires a U2F-capable FIDO2 key. This section is based on Nitrokey documentation 3).
If you use a Nitrokey, you can install its udev rules. This step is not required for gdm login and sudo to work.
cd /etc/udev/rules.d/
sudo wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo udevadm control --reload-rules && sudo udevadm trigger
Install packages
sudo dnf install pam-u2f pamu2fcfg
Insert Nitrokey
mkdir ~/.config/Nitrokey
sudo pamu2fcfg > ~/.config/Nitrokey/u2f_keys
# Touch nitrokey
sudo mv ~/.config/Nitrokey /etc
Check the content of u2f_keys: the line needs to start with your username, but pamu2fcfg run with sudo above writes root instead (alternatively pass the name explicitly with pamu2fcfg -u <username>).
sudo nano /etc/Nitrokey/u2f_keys
gdm login and sudo authentication with FIDO2 key
Edit /etc/pam.d/gdm-password and add the second line below. With sufficient, a touch on an enrolled key alone satisfies authentication, and nouserok lets users without an entry in the authfile fall back to their password:
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok
Edit /etc/pam.d/sudo and add:
#%PAM-1.0
auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok
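The "check content of u2f_keys" step above is what prevents a lockout: a line recorded under root will never match your login name, and with nouserok you silently keep password-only authentication. The shell functions below are an added example, not code from the page or from the Nitrokey documentation: they check a pam_u2f authfile for a credential line owned by the expected user and rewrite the root: line that sudo pamu2fcfg produced. The sample line is constructed and its key handle and public key are dummies; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks on a pam_u2f
# authfile before pam_u2f.so is enabled in /etc/pam.d. The sample line is
# constructed; key handle and public key are dummies.

# Authfile lines have the form
#   <user>:<keyhandle>,<pubkey>[,<cose_type>[,<options>]][:<keyhandle>,<pubkey>...]
# Print the login name of every non-comment line that carries at least one
# keyhandle,pubkey pair (stdin -> stdout).
u2f_keys_users() {
    awk -F: '!/^[[:space:]]*(#|$)/ && NF >= 2 && $2 ~ /,/ { print $1 }'
}

# Succeed if login name $1 owns at least one credential line in the authfile on stdin.
# Usage: u2f_keys_has_user "$USER" < /etc/Nitrokey/u2f_keys || echo "fix the authfile first"
u2f_keys_has_user() {
    u2f_keys_users | grep -qx -- "$1"
}

# "sudo pamu2fcfg > file" records the credential under root; rewrite that
# line to the intended login name $1 (stdin -> stdout). Only the leading user
# field changes, the credential itself is untouched.
u2f_keys_claim_root() {
    sed "s/^root:/$1:/"
}

# Constructed sample: the file right after the "sudo pamu2fcfg" step above.
SAMPLE_U2F_KEYS='root:ConstructedKeyHandleAAAA,ConstructedPubKeyBBBB,es256,+presence'

if [ "${1:-}" = "demo" ]; then
    user=${USER:-alice}
    printf '%s\n' "$SAMPLE_U2F_KEYS" | u2f_keys_has_user "$user" \
        || echo "no entry for $user; rewriting the root entry"
    printf '%s\n' "$SAMPLE_U2F_KEYS" | u2f_keys_claim_root "$user"
fi
```

Run `sh u2fcheck.sh demo` to see the rewrite on the sample. Before touching /etc/pam.d, run u2f_keys_has_user against the real /etc/Nitrokey/u2f_keys and keep a second root shell open until a fresh `sudo -k; sudo true` in another terminal has confirmed the key is accepted.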