According to the documentation at USB qubes | Qubes OS :
**Qubes 4.1 only:** You should also add the `usbcore.authorized_default=0` option, which prevents the initialization of non-input devices. (Qubes ships with a USBGuard configuration that allows only input devices when `usbcore.authorized_default=0` is set.)
‘usbcore.authorized_default=0’ is missing from the file /etc/qubes-rpc/policy/qubes.InputKeyboard after creating sys-usb with ‘sudo qubesctl state.sls qvm.usb-keyboard’
Is it still possible to enter the LUKS passphrase with an USB keyboard after manually adding usbcore.authorized_default=0 to the config file? The documentation section warns not to proceed if you need to enter the LUKS passphrase at startup, but this line just prevents the initialization of non-input devices which is a good thing. And why is it not entered by the salt procedure, is this a bug?
Since an error here will lock you out of Qubes, but an unsecure sys-usb config is unwanted, how to proceed?