Boot without PIN best practice

Hi all,

I bought two Nitrokey 3s and am currently in my try-out phase. I'd like to use them with FIDO2 for Nextcloud and other websites - this works great.

What I would also like is to unlock my LUKS devices on boot with it. However, my idea is to leave a stick in the computer when I am away, so that I can reboot it remotely without having to enter a PIN.

Is this somehow possible? I tried to do this with systemd-cryptenroll but it seemed to require a PIN. PGP also seems to always require a PIN.

Or would you suggest that I just buy TPMs and use them instead?

Kind regards

I might have misunderstood your use case - but isn't encrypting the disk and then keeping the device without a PIN attached to the computer making the encryption pointless?
In my opinion, encrypting the disk using FIDO (or a similar device - e.g. a GPG key stored on a smart card) and requiring a PIN provides 2-factor encryption, as you need both the device with the key inside it and the PIN to decrypt. But when you disable the PIN and keep the device constantly attached to your computer, anyone with physical access to it can decrypt the whole disk.
On the other hand, if you want to remotely access a FIDO/WebAuthn token, you could check the initial work of Matthew Garrett: Handling WebAuthn over remote SSH connections; but this works after the boot, when the system is already running and can accept SSH connections.
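As an added illustration of the point above (not code from the thread or from Nitrokey), here is a small audit that reads the LUKS2 JSON metadata produced by `cryptsetup luksDump --dump-json-metadata` and lists every systemd-fido2 enrollment that does not require the PIN, so an always-attached token that unlocks without a second factor is easy to spot. The token field names (`fido2-clientPin-required`, `fido2-up-required`) are assumed from systemd-cryptenroll's token format, and the sample metadata is constructed.

```python
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of `cryptsetup luksDump --dump-json-metadata`:
# token 0 needs PIN + touch, token 1 needs neither, token 2 is not FIDO2 at all.
SAMPLE_METADATA = json.dumps({
    "tokens": {
        "0": {"type": "systemd-fido2", "keyslots": ["0"],
              "fido2-rp": "io.systemd.cryptsetup",
              "fido2-clientPin-required": True, "fido2-up-required": True},
        "1": {"type": "systemd-fido2", "keyslots": ["1"],
              "fido2-rp": "io.systemd.cryptsetup",
              "fido2-clientPin-required": False, "fido2-up-required": False},
        "2": {"type": "systemd-tpm2", "keyslots": ["2"]},
    }
})


def weak_fido2_tokens(metadata_json: str) -> List[Dict[str, object]]:
    """Return systemd-fido2 tokens that unlock the volume without a PIN.

    Audit policy (this script's choice, not systemd's default): a token whose
    metadata lacks the field is reported too, since it cannot prove a PIN is
    required. Each finding records the bound keyslots and whether a touch
    (user presence) is still needed, so the reader sees how much of the
    second factor is actually left.
    """
    findings = []
    tokens = json.loads(metadata_json).get("tokens", {})
    for token_id, token in tokens.items():
        if token.get("type") != "systemd-fido2":
            continue  # TPM2, recovery and other token types are out of scope
        pin_required = bool(token.get("fido2-clientPin-required", False))
        if pin_required:
            continue
        findings.append({
            "token": token_id,
            "keyslots": list(token.get("keyslots", [])),
            "pin_required": pin_required,
            "presence_required": bool(token.get("fido2-up-required", False)),
        })
    return findings


if __name__ == "__main__":
    # Pipe real output in: cryptsetup luksDump --dump-json-metadata /dev/sdX | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_METADATA
    for finding in weak_fido2_tokens(data):
        print(f"token {finding['token']} (keyslots {finding['keyslots']}): "
              f"no PIN required, touch required={finding['presence_required']}")
```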

Hi!

@serpent
That's still practical, since you have automatically encrypted mass storage, which you can safely ditch in case it gets broken or needs to be sold.

@nitromax
I believe you need some custom script to run it, with a fixed PIN set there. I do not have anything like that at hand though. Perhaps other users from the forum can share such a script.