Nitrokey Support

Debian 12 - fido2luks - enroll 2 key

Nitrokeys FIDO2 / Nitrokey 3

nitrokey3-user June 21, 2024, 1:59pm 1

Thanks to the forum, I used the following procedure on github :

I enrolled my first nitrokey3 with :

systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=true --fido2-with-user-presence=true /dev/XXX

Now I physically remove my first key, and try to enroll my second key with the same command :

systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=true --fido2-with-user-presence=true /dev/XXX

If I try to test my two fido2 keys, they open one slot each:

cryptsetup --verbose open --test-passphrase --token-only /dev/nvme0n1p5

However, when I boot, only the first key I enrolled works. The second is not recognized.

Any ideas?

1 Like

berto September 30, 2024, 11:06am 2

Unfortunately that tool only tries to use the first registered FIDO2 token, it would need to be modified to support more than one.

berto August 5, 2025, 9:28am 3

Hi, fido2luks 0.0.2 has just been released with support for multiple fido2 keys.

1 Like

nitrokey3-user August 9, 2025, 9:47am 4

Thanks — I just broke my second Nitrokey. I’ll order another one and give it a try. But it’s still super cool!