Debian 12 - fido2luks - enroll 2 key

Thanks to the forum, I used the following procedure on GitHub:

I enrolled my first Nitrokey 3 with:

systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=true --fido2-with-user-presence=true /dev/XXX

Now I physically remove my first key and try to enroll my second key with the same command:

systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=true --fido2-with-user-presence=true /dev/XXX

If I try to test my two fido2 keys, they open one slot each:

cryptsetup --verbose open --test-passphrase --token-only /dev/nvme0n1p5

However, when I boot, only the first key I enrolled works. The second is not recognized.

Any ideas?


Unfortunately that tool only tries to use the first registered FIDO2 token; it would need to be modified to support more than one.

Hi, fido2luks 0.0.2 has just been released with support for multiple FIDO2 keys.


Thanks — I just broke my second Nitrokey. I’ll order another one and give it a try. But it’s still super cool!

I wanted to thank you — I treated myself and bought a new Nitrokey 3A NFC, so I now have a second key in addition to my Nitrokey 3A Mini.

And your script works great; I was able to enroll both Nitrokeys and everything works perfectly.

I even had fun trying it with a Ledger key — I just disabled the PIN prompt, since the PIN is entered directly on the Ledger itself, and it works as well.

So now, to unlock my laptop, I can choose between:

  • Nitrokey 3A Mini (it’s cool, it always stays plugged into my laptop)

  • Nitrokey 3A NFC (it’s my backup that I keep elsewhere)

  • A Ledger key

So I don’t need any password anymore, and I removed the password from my LUKS volume.

Many thanks for updating your script!
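As an added example (not code from this thread, from systemd or from fido2luks), here is a small Python check for the setup discussed above: feed it the output of `cryptsetup luksDump --dump-json-metadata /dev/XXX` and it lists each systemd-fido2 token with the keyslot it unlocks, flags two tokens bound to the same keyslot, and warns when no keyslot remains that is not bound to a token, which is the state after removing the LUKS passphrase as described in the last post. The embedded JSON is a constructed sample with placeholder credential and salt values.

```python
import json
import sys

# Constructed sample of `cryptsetup luksDump --dump-json-metadata` output: a passphrase
# in keyslot 0, two systemd-cryptenroll FIDO2 tokens on keyslots 1 and 2 (placeholders).
SAMPLE_DUMP = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-fido2", "keyslots": ["1"], "fido2-rp": "io.systemd.cryptsetup",
              "fido2-credential": "PLACEHOLDER_CRED_A", "fido2-salt": "PLACEHOLDER_SALT",
              "fido2-clientPin-required": True, "fido2-up-required": True},
        "1": {"type": "systemd-fido2", "keyslots": ["2"], "fido2-rp": "io.systemd.cryptsetup",
              "fido2-credential": "PLACEHOLDER_CRED_B", "fido2-salt": "PLACEHOLDER_SALT",
              "fido2-clientPin-required": False, "fido2-up-required": True},
    },
})


def audit_fido2_tokens(dump_json):
    """Return (fido2_tokens, findings) for a LUKS2 JSON metadata dump."""
    meta = json.loads(dump_json)
    all_tokens = meta.get("tokens", {})
    keyslots = set(meta.get("keyslots", {}))
    # Keyslots bound to any token type (FIDO2, TPM2, ...); the rest are passphrase slots.
    token_bound = {s for t in all_tokens.values() for s in t.get("keyslots", [])}
    fido2 = [{"id": int(tid), "keyslots": t.get("keyslots", []),
              "pin": bool(t.get("fido2-clientPin-required"))}
             for tid, t in sorted(all_tokens.items(), key=lambda kv: int(kv[0]))
             if t.get("type") == "systemd-fido2"]
    findings = []
    if len(fido2) < 2:
        findings.append("fewer than two FIDO2 tokens enrolled: no hardware backup")
    fido2_slots = [s for t in fido2 for s in t["keyslots"]]
    if len(fido2_slots) != len(set(fido2_slots)):
        findings.append("two FIDO2 tokens are bound to the same keyslot")
    if not keyslots - token_bound:
        findings.append("no token-free keyslot left: keep a passphrase or recovery key")
    for t in fido2:
        if not t["pin"]:
            findings.append(f"token {t['id']} does not require a client PIN")
    return fido2, findings


if __name__ == "__main__":
    # Pipe a real dump in on stdin; otherwise the constructed sample is audited.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    toks, found = audit_fido2_tokens(data)
    for t in toks:
        print(f"token {t['id']}: keyslots={t['keyslots']} pin={t['pin']}")
    for f in found:
        print("WARNING:", f)
```

Run it as `sudo cryptsetup luksDump --dump-json-metadata /dev/XXX | python3 audit.py` after enrolling the second key to confirm both tokens landed in separate keyslots before relying on them at boot.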