I bought two Nitrokey 3s and am currently in my try out phase. I like to use them with FIDO2 for nextcloud and other websites - this works great.
What I would also like is to unlock my LUKS devices on boot with it. However, my idea is to leave a stick in the computer when I am away, so that I am able to reboot it remotely without having to enter a PIN.
Is this somehow possible? I tried to do this with systemd-cryptenroll but it seemed to require a PIN. PGP also seems to always require a PIN.
Or would you suggest that I just buy TPMs and use them instead?
I might have misunderstood your use case, but isn't encrypting the disk and then keeping the device without a PIN attached to the computer making the encryption pointless?
In my opinion, encrypting the disk using FIDO (or a similar device, e.g. a GPG key stored on a smart card) and requiring a PIN provides two-factor encryption, as you need both the device with the key inside it and the PIN to decrypt. But when you disable the PIN and keep the device constantly attached to your computer, anyone with physical access to it can decrypt the whole disk.
On the other hand, if you want to remotely access a FIDO/WebAuthn token, you could check the initial work of Matthew Garrett: Handling WebAuthn over remote SSH connections; but this works after the boot, when the system is already running and can accept SSH connections.
That's still practical, since you have automatically encrypted mass storage, which you can safely ditch in case it breaks or needs to be sold.
I believe you need some custom script to run it, with a fixed PIN set there. I do not have anything like that at hand though. Perhaps other users from the forum can share one.
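The reply above about two-factor versus possession-only unlock can be checked on an actual LUKS2 header. systemd-cryptenroll records, in the `systemd-fido2` token it writes into the header, whether the enrolment requires a client PIN, user verification and user presence (these correspond to its `--fido2-with-client-pin`, `--fido2-with-user-verification` and `--fido2-with-user-presence` options). The script below is an added example and not code from the thread or from systemd: it takes the JSON that `cryptsetup luksDump --dump-json-metadata` emits, and flags every FIDO2 token whose enrolment would let a stick left in the machine unlock the disk on its own. The sample header is constructed, with made-up credential and salt values, and the token field names are an assumption about the current systemd layout.

```python
"""Audit LUKS2 FIDO2 enrolments for possession-only unlock (added example)."""
import json

# Constructed sample shaped like `cryptsetup luksDump --dump-json-metadata`
# output for a device enrolled with systemd-cryptenroll. Field names follow
# systemd's "systemd-fido2" token (assumption); credential/salt values are
# made-up base64, not real key material.
SAMPLE_METADATA = json.dumps({
    "tokens": {
        "0": {  # enrolled with the default PIN requirement: two factors
            "type": "systemd-fido2",
            "keyslots": ["1"],
            "fido2-credential": "Q09OU1RSVUNURUQ=",
            "fido2-salt": "U0FMVA==",
            "fido2-rp": "io.systemd.cryptsetup",
            "fido2-clientPin-required": True,
            "fido2-up-required": True,
            "fido2-uv-required": False,
        },
        "1": {  # enrolled with PIN and touch disabled: the stick alone unlocks
            "type": "systemd-fido2",
            "keyslots": ["2"],
            "fido2-credential": "Q09OU1RSVUNURUQy",
            "fido2-salt": "U0FMVDI=",
            "fido2-rp": "io.systemd.cryptsetup",
            "fido2-clientPin-required": False,
            "fido2-up-required": False,
            "fido2-uv-required": False,
        },
        "2": {"type": "systemd-tpm2", "keyslots": ["3"], "tpm2-pcrs": [7]},
    }
})


def classify_fido2_token(token):
    """Return 'two-factor', 'presence-only' or 'possession-only' for one token."""
    pin = bool(token.get("fido2-clientPin-required", False))
    uv = bool(token.get("fido2-uv-required", False))
    up = bool(token.get("fido2-up-required", True))
    if pin or uv:
        # Something the holder knows or is (PIN / on-token verification) is
        # needed in addition to the stick: the two-factor case from the reply.
        return "two-factor"
    if up:
        # A touch is still required: this blocks an unattended remote reboot,
        # but not someone standing at the machine.
        return "presence-only"
    # Nothing beyond the plugged-in token is needed: anyone with physical
    # access can unlock the disk.
    return "possession-only"


def audit_fido2_tokens(metadata_json):
    """Classify every systemd-fido2 token in a LUKS2 JSON header dump."""
    findings = []
    meta = json.loads(metadata_json)
    tokens = meta.get("tokens", {})
    for token_id, token in sorted(tokens.items(), key=lambda kv: int(kv[0])):
        if token.get("type") != "systemd-fido2":
            continue  # TPM2, recovery-key and other token types are out of scope
        findings.append({
            "token": token_id,
            "keyslots": token.get("keyslots", []),
            "verdict": classify_fido2_token(token),
        })
    return findings


if __name__ == "__main__":
    for f in audit_fido2_tokens(SAMPLE_METADATA):
        slots = ",".join(f["keyslots"])
        print(f"token {f['token']} (keyslots {slots}): {f['verdict']}")
```

On a real system, pipe the dump in instead of the constructed sample, for example `cryptsetup luksDump --dump-json-metadata /dev/sdX | python3 audit.py` after replacing `SAMPLE_METADATA` with `sys.stdin.read()`. A `possession-only` verdict on a token that stays plugged in means the LUKS volume is, in practice, protected only by who can reach the machine, which is exactly the situation the reply above describes.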