Is token-based (passwordless) desktop launch with full-disk encryption possible?

I’m running my GNU/Linux laptop with full disk encryption. What I’d like to do is:

A. Startup without Nitrokey

  1. Start laptop
  2. Enter FDE password
  3. Desktop shell autologin (GNOME setting)
  4. Plug in Nitrokey
  5. Nitrokey functionality is available (for email etc)

B. Startup with Nitrokey

  1. Plug in Nitrokey
  2. Start laptop
  3. No need to enter FDE password
  4. Desktop shell autologin (GNOME setting)
  5. Nitrokey functionality is available (for email etc)

From what I’ve read, scenario A is supported by Nitrokey, since it amounts to “plug in Nitrokey once you have logged into your desktop shell”. But what about scenario B? Can a Nitrokey be used to launch a full-disk encryption desktop from power up, without having to enter a password?

Hi,

it depends on quite a few things. But I will mainly talk about a solution which should work.

What is full disk encryption for you? If you mean what Ubuntu is doing (leaving the boot partition unencrypted, using dm-crypt) then you can do what is described here. These instructions are old old old, but the main idea is valid.

Please note that I have not tested the instructions yet. The main point is to encrypt a keyfile with GnuPG, and this keyfile is used to decrypt the disk. The procedure needs to start at least the kernel. Therefore the boot partition has to be unencrypted. As soon as GRUB can support USB tokens like Nitrokey it will be possible to use the keys to decrypt a “full-full” disk encryption. I do not see that coming soon though.

Does this help to answer your question?

Kind regards
Alex

1 Like
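The “GnuPG-wrapped keyfile” idea Alex describes above, written out as concrete commands. This is an added illustration, not code from the thread, from Nitrokey or from the linked guide. It assumes a LUKS (dm-crypt) root with an unencrypted /boot, a GnuPG setup where the OpenPGP card’s encryption key is usable as a recipient, and an initramfs in which `gpg` (with its card daemon, scdaemon) and `cryptsetup` are available; the device path, mapper name, key ID and file locations are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): enroll a random keyfile as an extra
# LUKS key slot, keep only a GnuPG-wrapped copy of it on the unencrypted
# /boot, and unlock the root device at boot by letting the OpenPGP card
# unwrap it. The typed passphrase keeps its own slot, so booting without
# the card (scenario A in the question) keeps working.
# Assumptions: LUKS root, unencrypted /boot, gpg + scdaemon + cryptsetup
# reachable from the initramfs. All paths and the key ID are placeholders.
set -e

# Produce a fresh 64-byte random keyfile readable only by its owner.
make_keyfile() {
    keyfile="$1"
    ( umask 077; head -c 64 /dev/urandom > "$keyfile" )
    chmod 0400 "$keyfile"
}

# Wrap the keyfile to the card's public key. Only the card, after the PIN
# has been entered, can unwrap it; that is where "token + PIN" comes from.
wrap_keyfile() {
    keyfile="$1"; recipient="$2"; out="$3"
    gpg --batch --yes --encrypt --recipient "$recipient" \
        --output "$out" "$keyfile"
}

# Enroll the plaintext keyfile in a spare LUKS key slot, then destroy the
# plaintext so that only the wrapped copy remains.
enroll_keyfile() {
    device="$1"; keyfile="$2"
    cryptsetup luksAddKey "$device" "$keyfile"
    shred -u "$keyfile"
}

# Boot-time unlock: the card decrypts the wrapped keyfile (gpg prompts for
# the PIN) and the plaintext is piped straight into cryptsetup via stdin,
# so it never touches disk.
unlock_root() {
    wrapped="$1"; device="$2"; name="$3"
    gpg --decrypt "$wrapped" | cryptsetup open --key-file=- "$device" "$name"
}

# Subcommands, so sourcing the file without arguments does nothing.
case "${1:-}" in
    enroll)
        # Usage: unlock.sh enroll /dev/PLACEHOLDER KEYID /boot/root.key.gpg
        make_keyfile /root/root.key
        wrap_keyfile /root/root.key "$3" "$4"
        enroll_keyfile "$2" /root/root.key
        ;;
    unlock)
        # Usage (from the initramfs): unlock.sh unlock /boot/root.key.gpg /dev/PLACEHOLDER cryptroot
        unlock_root "$2" "$3" "$4"
        ;;
esac
```

The wrapped file on /boot is useless without the card and its PIN, which is the two-factor property the linked guide advertises; what it does not give you is the passwordless boot the question asks for, because the card will not decrypt anything until the PIN has been entered. Removing the keyfile slot later is a matter of `cryptsetup luksKillSlot` on the slot that `luksAddKey` reported.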

I’ll need to check the implementation details on my machine.

In the instructions you linked to they state:

At boot time, your system will ask for your OpenPGP card PIN code. Of course you’ll need your OpenPGP card as well. Real two-factor security!

Does this mean it isn’t possible to set up a token-only (passwordless) boot?

Correct. You must type in at least your PIN. If this weren’t necessary, any person who owns the stick could boot/decrypt. Not the best idea, imho.

Fair enough. On reflection, my original goal was “support an additional one-factor authentication method”, specifically “that allows me to switch on my machine and go make some coffee”, rather than “switch to two-factor authentication”. Probably not part of the Nitrokey security story. :smirk:

So in summary, Nitrokey could support two-factor authentication (token + pin) for:

  • unencrypted boot, encrypted data - but this requires some configuration
  • encrypted boot, encrypted data - but this requires new features in GRUB

This is good to know, thanks!

Hi, just jumping on this here from a different side: I would see it as a big benefit to use Nitrokey as a KEY. Meaning I plug it into my computer and do not need to enter any other security. Like a classical lock and key. Of course, if somebody steals my NK, he/she has stolen the keys.

So do you not see a way to configure the NK to use a PIN or not?

cheers

Hi,

every key operation is released if and only if a PIN was given. This is a basic principle of OpenPGP Card and cannot be circumvented (which is good! :blush:).

It may be possible, for example, to detect the insertion of a key, but this would be a function of the system and wouldn’t have anything to do with Nitrokey-specific hardware (as far as I can see). You could do such a thing with a simple pendrive as well (based on the unique identifiers such devices have, but which will turn out to be not so unique in the end :wink:). I do not know of such a program yet, but I am quite sure that such things are implemented somewhere. I am thinking of USBGuard as an example with a different goal. It is doing such detection for black-/whitelisting USB devices, but not for login purposes…

I do not think that Nitrokey would try to implement such a thing. It is difficult to handle and maintain and it does not seem like a very good idea from a security perspective if you are asking me.

A computer login with Nitrokey + PIN on the other hand is a very fine thing I am doing with my private Linux machine. You do not need to expose your (system) password in public and have a security gain. :+1:

Kind regards
Alex

Hi, thanks for the answer and explanation. I was busy with other tasks. To be honest: I think Apple will continue development with either their Fingerprint or FaceID, which will provide this "easy login".
And who is using a different computer brand nowadays :smiley:

(And mine is just broken, so I am trying to survive the rest of the year with an iPad, which anyhow has no USB slot.)

cheers