fido2luks hook for mkinitcpio (ArchLinux and derivatives)
⚠️ Before proceeding, it is strongly advised to back up your existing LUKS2 header to external storage; a mistake in the steps below (in particular wiping keys) can otherwise make the device permanently unrecoverable.
Setup
- Connect your FIDO2 authenticator
- Generate credential id
fido2luks credential
- Generate salt (random string)
pwgen 48 1
- Add key to your LUKS2 device
fido2luks add-key -Pt --salt <salt> <block_device> <credential_id>
- -P request PIN to unlock the authenticator
- -t add token (including credential id) to the LUKS2 header
- -e wipe all other keys (not part of the command above; use it only after verifying that the new FIDO2 key actually unlocks the device, since afterwards the authenticator is the only way in)
For the full list of options see fido2luks add-key --help
- Edit /etc/fido2luks.conf
Keyslot (FIDO2LUKS_DEVICE_SLOT) can be obtained from the output of
cryptsetup luksDump <block_device>
- Add fido2luks hook to /etc/mkinitcpio.conf
Before or instead of the encrypt hook, for example:
HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
- Recreate initial ramdisk
mkinitcpio -p <preset>
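The step "Keyslot can be obtained from the output of cryptsetup luksDump" is easy to get wrong on a header with several keyslots, and a wrong FIDO2LUKS_DEVICE_SLOT only shows up as a failed unlock at boot. The script below is an added example, not code from the fido2luks project: it reads a luksDump, finds the keyslot bound to the fido2luks token, and renders the matching config lines. It assumes the token type is named fido2luks in the dump, and it assumes the config keys besides FIDO2LUKS_DEVICE_SLOT (FIDO2LUKS_DEVICE, FIDO2LUKS_CREDENTIAL_ID, FIDO2LUKS_SALT with a string: prefix, FIDO2LUKS_MAPPER_NAME) which are not stated on this page; check fido2luks --help and the shipped /etc/fido2luks.conf before relying on them. The dump it parses is a constructed sample, so it runs without a LUKS device.

```sh
#!/bin/sh
# Added example (not code from the fido2luks project): derive the
# FIDO2LUKS_DEVICE_SLOT value from `cryptsetup luksDump` output instead of
# reading the dump by hand, then render the /etc/fido2luks.conf lines.
#
# Assumptions not stated on the page: the token written by
# `fido2luks add-key -t` appears in the dump with type name "fido2luks";
# the config keys other than FIDO2LUKS_DEVICE_SLOT are named
# FIDO2LUKS_DEVICE, FIDO2LUKS_CREDENTIAL_ID, FIDO2LUKS_SALT ("string:" prefix)
# and FIDO2LUKS_MAPPER_NAME.

# Constructed sample of `cryptsetup luksDump <block_device>` output, trimmed
# to the sections that matter: a passphrase in keyslot 0 and the FIDO2 key
# in keyslot 1, bound to token 0.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Epoch:          4
UUID:           11111111-2222-3333-4444-555555555555

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
Tokens:
  0: fido2luks
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Print the keyslot bound to the first token of the given type (default
# "fido2luks"). Reads a luksDump on stdin; exits 1 when no such token exists,
# so a missing "-t" at add-key time is caught here rather than at boot.
fido2luks_keyslot_from_dump() {
    awk -v ttype="${1:-fido2luks}" '
        /^Keyslots:/ { section = "keyslots"; next }
        /^Tokens:/   { section = "tokens";   next }
        /^Digests:/  { section = "digests";  next }
        # Token entry lines look like "  0: fido2luks"; the fields under an
        # entry are indented further and never match this pattern.
        section == "tokens" && /^  [0-9]+: / { intoken = ($2 == ttype); next }
        section == "tokens" && intoken && $1 == "Keyslot:" { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Emit the fido2luks.conf lines for a device, keyslot, credential id and salt.
# Usage: render_fido2luks_conf <block_device> <slot> <credential_id> <salt> [mapper_name]
render_fido2luks_conf() {
    case "$2" in
        ''|*[!0-9]*) echo "slot must be a keyslot number, got '$2'" >&2; return 1 ;;
    esac
    printf 'FIDO2LUKS_DEVICE=%s\n' "$1"
    printf 'FIDO2LUKS_DEVICE_SLOT=%s\n' "$2"
    printf 'FIDO2LUKS_CREDENTIAL_ID=%s\n' "$3"
    printf 'FIDO2LUKS_SALT=string:%s\n' "$4"
    printf 'FIDO2LUKS_MAPPER_NAME=%s\n' "${5:-cryptroot}"
}

# Demo: on a real system replace sample_dump with
# `cryptsetup luksDump <block_device>` and fill in the credential id and salt
# you used with `fido2luks add-key`.
slot=$(sample_dump | fido2luks_keyslot_from_dump) || {
    echo "no fido2luks token in header; was add-key run with -t?" >&2
    exit 1
}
render_fido2luks_conf /dev/disk/by-uuid/11111111-2222-3333-4444-555555555555 \
    "$slot" '<credential_id>' '<salt>'
```

Run it as-is to see the rendered config for the sample; the exit-1 path is what you want to hit before recreating the initramfs, since the hook cannot unlock a slot that no token points at.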