Debian 12 - fido2luks - enroll 2 key

Thanks to the forum, I used the following procedure on GitHub:

I enrolled my first Nitrokey 3 with:

systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=true --fido2-with-user-presence=true /dev/XXX

Now I physically remove my first key and try to enroll my second key with the same command:

systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=true --fido2-with-user-presence=true /dev/XXX

If I try to test my two FIDO2 keys, they open one slot each:

cryptsetup --verbose open --test-passphrase --token-only /dev/nvme0n1p5

However, when I boot, only the first key I enrolled works. The second is not recognized.

Any ideas?

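The check below is an added example, not code from the thread, from fido2luks or from systemd. It parses the Tokens: section of `cryptsetup luksDump` text (a constructed, abbreviated sample is embedded, with invented credential values) to confirm that two systemd-fido2 tokens are present in the LUKS2 header and that each is bound to its own keyslot, which is the state the --test-passphrase runs above indicate.

```sh
#!/bin/sh
# Added example, not from the thread: check a `cryptsetup luksDump` text for two
# systemd-fido2 tokens, each bound to its own keyslot. Samples below are constructed.
SAMPLE_TWO='LUKS header information
Tokens:
  0: systemd-fido2
        fido2-credential: 0102030405060708 (constructed value)
        fido2-clientPin-required: true
        fido2-up-required: true
        Keyslot:    1
  1: systemd-fido2
        fido2-credential: 1112131415161718 (constructed value)
        fido2-clientPin-required: true
        fido2-up-required: true
        Keyslot:    2
Digests:
  0: pbkdf2
'
# Same header with only the first token enrolled (what a failed second run leaves).
SAMPLE_ONE=$(printf '%s\n' "$SAMPLE_TWO" | awk '/^  1: systemd-fido2/{skip=1} /^Digests:/{skip=0} !skip')

# Print the number of tokens of type systemd-fido2 (only inside the Tokens: section,
# so numbered entries in the Keyslots: section are not miscounted).
count_fido2_tokens() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/  { in_tokens = 1; next }
        /^Digests:/ { in_tokens = 0 }
        in_tokens && $1 ~ /^[0-9]+:$/ && $2 == "systemd-fido2" { n++ }
        END { print n + 0 }'
}

# Print, one per line, the keyslot bound to each systemd-fido2 token.
fido2_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/  { in_tokens = 1; next }
        /^Digests:/ { in_tokens = 0 }
        in_tokens && $1 ~ /^[0-9]+:$/ { fido = ($2 == "systemd-fido2") }
        in_tokens && fido && $1 == "Keyslot:" { print $2 }'
}

# Succeed only when at least two FIDO2 tokens exist and no two share a keyslot.
check_two_fido2_keys() {
    n=$(count_fido2_tokens "$1")
    distinct=$(fido2_keyslots "$1" | sort -u | awk 'END { print NR }')
    [ "$n" -ge 2 ] && [ "$distinct" -eq "$n" ]
}

# Real use: check_two_fido2_keys "$(cryptsetup luksDump /dev/XXX)"
check_two_fido2_keys "$SAMPLE_TWO" && echo "sample: two FIDO2 tokens on distinct keyslots"
```

If this passes on the real device, the header itself holds both enrolments, so a key rejected at boot points at the initramfs unlock tool rather than at the enrolment step.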

Unfortunately, that tool only tries to use the first registered FIDO2 token; it would need to be modified to support more than one.

Hi, fido2luks 0.0.2 has just been released with support for multiple FIDO2 keys.


Thanks — I just broke my second Nitrokey. I’ll order another one and give it a try. But it’s still super cool!