Yubikey to unlock LUKS volume

Dear Community,

in regards to this topic:

https://forum.endeavouros.com/t/using-fido2-keys-to-unlock-luks-on-endeavouros/51111/1

I would like to use my yubikey to unlock the root partition on boot.
I have a couple of questions though. I couldn’t gather any info from the topic above on how to use a second FIDO key (in my case a YubiKey) as a backup and not render the system unbootable if I lose my key.

And the second idea would be how could I disable the luks password so unlocking is only possible using the inserted yubikey?

Thanks for any tips!

Do you mean you have two Yubikeys?

A suggestion from the ArchWiki is to install yubikey-full-disk-encryption. It is a bit different than the topic you linked, but appears fairly straightforward. Just be sure to use dracut instead of mkinitcpio (for example, regenerate the initramfs with sudo dracut-rebuild).

If you want to use two Yubikeys, you can either set them up with two slots according to the documentation on the yubikey-full-disk-encryption page, or follow the advice a little further down to get the same secret key onto both Yubikeys:

You may instead enable HMAC-SHA1 Challenge-Response mode using graphical interface through yubikey-personalization-gui package. It allows for customization of the secret key, creation of secret key backup and writing the same secret key to multiple YubiKeys which allows for using them interchangeably for creating same ykfde passphrases.

You can list the keyslots in use with sudo cryptsetup luksDump /dev/[device]. When you are ready, delete the one you no longer wish to use according to one of these methods: https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Removing_LUKS_keys

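A shell example, added here and not taken from any post in this thread, that turns the last step of the reply above into a scripted safety check: it parses `cryptsetup luksDump` output to see which keyslots are active and refuses to kill the passphrase slot unless at least two other slots (the two YubiKeys) would remain, so a single lost key cannot lock you out. The luksDump text is constructed, not captured from a real device; the wrapper functions that call cryptsetup and ykpersonalize are defined but not run by the demo, and the ykpersonalize flags are the ones I know from the yubikey-personalization manual (treat them as an assumption and check the yubikey-full-disk-encryption README before use).

```shell
# Constructed sample of `cryptsetup luksDump` for a LUKS2 root device after
# enrolling two YubiKeys: slot 0 = passphrase, slots 1 and 2 = the two keys.
# Not captured from a real device.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
        Priority:   normal
  2: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
'

# Same layout, but only one YubiKey enrolled so far (slot 0 + slot 1). Constructed.
SAMPLE_DUMP_ONE_KEY='LUKS header information
Version:        2

Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Digests:
  0: pbkdf2
'

# LUKS1 headers print slots differently ("Key Slot N: ENABLED"). Constructed.
SAMPLE_LUKS1='LUKS header information for /dev/sdX2
Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
'

# Print the number of active keyslots in luksDump output passed as $1.
# LUKS2: count "  N: luks2" entries under the "Keyslots:" section only
# (Data segments and Tokens use the same "  N: ..." shape, so the section
# must be tracked). LUKS1: count "Key Slot N: ENABLED" lines.
count_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Keyslots:/                { in_slots = 1; next }
        /^[^ \t]/                   { in_slots = 0 }
        in_slots && /^  [0-9]+: /   { n++ }
        /^Key Slot [0-9]+: ENABLED/ { n++ }
        END { print n + 0 }'
}

# Print the active slot numbers, space separated (e.g. "0 1 2").
list_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Keyslots:/              { in_slots = 1; next }
        /^[^ \t]/                 { in_slots = 0 }
        in_slots && /^  [0-9]+: / { s = $0; sub(/:.*/, "", s); sub(/^ +/, "", s)
                                    printf "%s%s", sep, s; sep = " " }
        /^Key Slot [0-9]+: ENABLED/ { s = $3; sub(/:/, "", s)
                                    printf "%s%s", sep, s; sep = " " }
        END { print "" }'
}

# True (exit 0) if killing one slot from the dump in $1 still leaves at
# least $2 slots (default 2: both YubiKeys). This is the check to run
# before removing the passphrase slot.
safe_to_kill_slot() {
    dump=$1; min_remaining=${2:-2}
    n=$(count_keyslots "$dump")
    [ "$((n - 1))" -ge "$min_remaining" ]
}

# Real-device wrapper (not run here): refuse unless the check passes.
# luksKillSlot asks for a passphrase belonging to one of the *other* slots.
kill_slot_if_safe() {
    dev=$1; slot=$2
    dump=$(sudo cryptsetup luksDump "$dev") || return 1
    if ! safe_to_kill_slot "$dump" 2; then
        echo "refusing: fewer than 2 keyslots would remain on $dev" >&2
        return 1
    fi
    sudo cryptsetup luksKillSlot "$dev" "$slot"
}

# Real-device wrapper (not run here): write one HMAC-SHA1 secret to each
# YubiKey's slot 2 so they are interchangeable. Flags as I know them from the
# yubikey-personalization manual (assumption; verify against the README).
program_same_secret() {
    hexkey=$(openssl rand -hex 20)            # 20-byte HMAC-SHA1 secret
    echo "insert YubiKey, press Enter"; read _
    ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lsb -oserial-api-visible -a"$hexkey"
    echo "insert the backup YubiKey, press Enter"; read _
    ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lsb -oserial-api-visible -a"$hexkey"
}

echo "active keyslots: $(list_keyslots "$SAMPLE_DUMP")"
if safe_to_kill_slot "$SAMPLE_DUMP" 2; then
    echo "both YubiKeys enrolled: slot 0 (passphrase) can be removed"
fi
if ! safe_to_kill_slot "$SAMPLE_DUMP_ONE_KEY" 2; then
    echo "only one YubiKey enrolled: keep the passphrase slot for now"
fi
```

Run it against a real header with `kill_slot_if_safe /dev/nvme0n1p2 0` only after `sudo cryptsetup luksDump` shows both YubiKey slots and you have booted once with each key; the script cannot tell a working enrollment from a stale slot.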

Great, thanks a lot for your help! Exactly what I was looking for.
