Debian 12 with LUKS and Fido2

2023-09-03 . category: Tech
#linux #debian #security #luks #fido2 #tutorial

LUKS is a great way to keep your data safe at rest. I was looking for a way to keep my data safe while keeping it convenient to unlock. If you have a YubiKey 5 series or later (or any FIDO2 authenticator that supports the hmac-secret extension, which is what systemd-cryptenroll relies on), this can be done with FIDO2. This tutorial shows the process I used to set it up. In my case the LUKS partition is nvme0n1p3; substitute your own device wherever it appears.


I recommend making backups before you get started. You will need them if you have to recover.

LUKS Header

Save your existing LUKS header to external media in case you need to restore it. The backup contains every key slot, so anyone holding it together with a valid passphrase can unlock the volume: keep it offline or encrypted. Note that a backup taken now predates the FIDO2 enrollment; restoring it removes the token's key slot and leaves only the passphrase.

cryptsetup luksHeaderBackup /dev/nvme0n1p3 --header-backup-file <external_media_path>/luks_backup.bin

Initrd backups

We will be replacing your initramfs images. This could make your system unbootable. If you keep a copy of each image in the same directory, you can easily boot the old one from GRUB. Inside /boot there will be one or more files whose names start with initrd. In my case the file is initrd.img-6.4.0-3-amd64. Copy each of your initrd files to the same name with .bak appended.

cd /boot
cp initrd.img-6.4.0-3-amd64 initrd.img-6.4.0-3-amd64.bak

Ensure a PIN is set up on your YubiKey

The enrollment below uses --fido2-with-client-pin=yes, so the YubiKey's FIDO2 PIN must be set before you enroll; enrollment cannot complete without one. If you have already set a PIN, skip this step. Keep in mind that a YubiKey locks its FIDO2 application after 8 consecutive wrong PIN entries and must then be reset, which wipes its FIDO2 credentials, so keep the passphrase fallback described below.

ykman fido access change-pin

Enroll the YubiKey in the LUKS volume

The next step is to add your YubiKey as a key slot on the LUKS-encrypted partition. This requires a LUKS2 header (the Debian 12 installer default); systemd-cryptenroll does not work with LUKS1.

systemd-cryptenroll /dev/nvme0n1p3 --fido2-device=auto --fido2-with-client-pin=yes

This prompts for the current passphrase of the partition; enter it. Make sure your YubiKey is plugged in if it isn't already. It then asks for the PIN; enter it. Finally it asks you to touch the YubiKey while its light blinks. The existing passphrase stays in its own key slot, so it remains a fallback if the token is lost or locked; cryptsetup luksDump /dev/nvme0n1p3 lists the key slots and the new systemd-fido2 token.

Modify Crypttab

Your /etc/crypttab will need to be modified to tell systemd-cryptsetup to use the YubiKey. The original file looks like

nvme0n1p3_crypt UUID=6dd1a575-8ae3-4fd3-89fe-46b5dd274541 none luks,discard

The modified file looks like this; fido2-device=auto is the systemd-cryptsetup option that tells it to unlock with whichever FIDO2 token is plugged in.

nvme0n1p3_crypt UUID=6dd1a575-8ae3-4fd3-89fe-46b5dd274541 none luks,discard,fido2-device=auto

Setup dracut

By default Debian uses initramfs-tools. Its cryptroot hooks call the cryptsetup command line tool directly and do not understand the fido2-device= option, which is implemented by systemd-cryptsetup, so the FIDO2 key slot cannot be used at boot. Because of this we need to switch to dracut, which builds a systemd-based initramfs. This is not quite as simple as installing dracut; some configuration is needed to get everything working.

Install dracut fido2-tools

This part is simple: we use apt to install dracut and fido2-tools (which provides the fido2-token binary referenced in the dracut config). Installing dracut regenerates your initrd files, but your system will not boot correctly yet. Follow the next section before rebooting.

apt install dracut fido2-tools

Configure dracut

Create a file called 11-fido.conf in /etc/dracut.conf.d, owned by root:root. Its contents are below. The first line copies every library under /usr/lib/x86_64-linux-gnu into the initramfs; it is a blunt way to make sure libfido2 and everything it depends on are present, and it makes the image noticeably larger.

## Spaces inside the quotes are critical.
install_optional_items+=" /usr/lib/x86_64-linux-gnu/* "

## Ugly workaround because the line above doesn't fetch
## dependencies of
install_items+=" /usr/bin/fido2-token /etc/crypttab "

# Required for detecting the FIDO2 key
install_items+=" /usr/lib/udev/rules.d/60-fido-id.rules /usr/lib/udev/fido_id "
add_dracutmodules+=" fido2 "

Regenerate dracut

After everything is installed and configured, the initrd files have to be regenerated. This is a single command; it rebuilds the image for the running kernel (add --regenerate-all to rebuild the image for every installed kernel):

dracut -f

Update Grub

The system will still have trouble booting, because the initramfs needs to be told which encrypted device to unlock. The kernel command line that GRUB passes will need to be updated.

Reconfigure Grub

In /etc/default/grub, find GRUB_CMDLINE_LINUX. We need to add an entry for the encrypted device; the parameter dracut documents for naming it is rd.luks.uuid=<UUID of the LUKS partition> (see dracut.cmdline(7)). An excerpt from my file is below

# If your computer has multiple operating systems installed, then you

Apply the reconfigure

This is a single command. On Debian it is update-grub, which regenerates /boot/grub/grub.cfg from /etc/default/grub.

update-grub

Test Everything out

From here everything should work. Reboot your system with the YubiKey plugged in. You will be prompted for your YubiKey PIN; enter it and press Enter. The YubiKey should start blinking; touch it and the boot should continue.
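The checks I would run after the first successful reboot, as an added example (this script is not from the original post): it verifies that the LUKS header carries a systemd-fido2 token, that the crypttab entry has fido2-device=, that the dracut config file exists, and that the rebuilt initrd contains the files the config asks for. It also includes an idempotent awk rewrite for the crypttab edit from the Modify Crypttab step. The file names (11-fido.conf, fido2-token, fido_id, 60-fido-id.rules, crypttab) and the token type come from this page and from systemd-cryptenroll; the function names, the argument layout and the lsinitrd-based check are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# LUKS + FIDO2 setup described above, plus an idempotent crypttab edit.
# Assumptions: Debian 12 with cryptsetup 2.x (luksDump --dump-json-metadata),
# dracut installed (for lsinitrd), and root for the live checks.
# The text-processing functions read stdin so they can be exercised as a
# normal user on sample input.

# has_fido2_token: read LUKS2 JSON metadata on stdin; succeed if it contains
# a token of type "systemd-fido2", which is what systemd-cryptenroll adds.
has_fido2_token() {
    grep -q '"type"[[:space:]]*:[[:space:]]*"systemd-fido2"'
}

# crypttab_has_fido2 NAME: read crypttab on stdin; succeed if the mapping
# NAME carries a fido2-device= option in its fourth (options) column.
crypttab_has_fido2() {
    awk -v name="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == name && ("," $4 ",") ~ /,fido2-device=/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# add_fido2_option NAME: rewrite crypttab from stdin to stdout, appending
# fido2-device=auto to NAME's options exactly once; other lines pass through.
add_fido2_option() {
    awk -v name="$1" '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        $1 == name && ("," $4 ",") !~ /,fido2-device=/ {
            if ($4 == "") $4 = "fido2-device=auto"
            else $4 = $4 ",fido2-device=auto"
        }
        { print }'
}

# initrd_missing INITRD: print each file the dracut config above should have
# placed in the image that is absent; succeed only if nothing is missing.
initrd_missing() {
    listing=$(lsinitrd "$1") || return 1
    missing=0
    for f in usr/bin/fido2-token usr/lib/udev/fido_id \
             usr/lib/udev/rules.d/60-fido-id.rules etc/crypttab; do
        if ! printf '%s\n' "$listing" | grep -q "$f"; then
            echo "missing from $1: $f"
            missing=1
        fi
    done
    return $missing
}

# check_system DEVICE NAME [INITRD]: run the live checks against this host.
check_system() {
    dev=$1; name=$2; initrd=${3:-/boot/initrd.img-$(uname -r)}
    rc=0
    if cryptsetup luksDump --dump-json-metadata "$dev" | has_fido2_token; then
        echo "ok: $dev has a systemd-fido2 token"
    else
        echo "FAIL: no systemd-fido2 token on $dev (enrollment missing?)"; rc=1
    fi
    if crypttab_has_fido2 "$name" < /etc/crypttab; then
        echo "ok: /etc/crypttab entry $name has fido2-device="
    else
        echo "FAIL: /etc/crypttab entry $name lacks fido2-device="; rc=1
    fi
    if [ -r /etc/dracut.conf.d/11-fido.conf ]; then
        echo "ok: /etc/dracut.conf.d/11-fido.conf present"
    else
        echo "FAIL: /etc/dracut.conf.d/11-fido.conf missing"; rc=1
    fi
    initrd_missing "$initrd" || rc=1
    return $rc
}

# Usage: sh luks-fido2-check.sh /dev/nvme0n1p3 nvme0n1p3_crypt [/boot/initrd.img-VERSION]
if [ $# -ge 2 ]; then
    check_system "$@"
fi
```

To apply the crypttab edit rather than do it by hand, run add_fido2_option nvme0n1p3_crypt < /etc/crypttab > /tmp/crypttab.new, diff it against /etc/crypttab, and only then copy it into place; running it twice leaves the file unchanged.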

Emergency roll back

If you are not prompted for the PIN, or the volume doesn't unlock, reboot again. In the GRUB menu press e to edit the entry, find the initrd line, append .bak to the image name so it loads the copy you made earlier, and press Ctrl+X (or F10) to boot. That image was built before these changes and unlocks with the passphrase as before, since the passphrase key slot was never removed.


Mitch Tuck is a technologist. He has worked in various areas of technology, both as a developer and on the infrastructure side with networks and servers. He enjoys technology in almost all its forms.