Unlocking LUKS2 with a USB key

Has anyone managed to unlock LUKS using a secured key?
There is this thread, but it focuses on YubiKey, while so many other keys exist.
I personally use TrustKey (the G320H model).
Most, if not all, keys should be working the same way: they generate a unique code which unlocks whatever has been programmed to respond to it.
Any hint, idea, suggestion? (No rush, I’m waiting for version 4.2 to resume my installation attempt.)
Thanks!

You are trying to solve a hardware issue with software. There are several ways to go around it.

  1. SmartCards have been around for decades.
  2. Contact your hardware/motherboard manufacturer for BIOS with SSD hardware encryption. All of them make it but do not distribute it …
    There are lots of options but not available to the masses.

TY for your message, but I don’t see how this is relevant?

I have a hardware key, and want to use it as such. Yes, ultimately it is a software relation, same as a keyboard is hardware but sends software keys.

So … still waiting for someone with knowledge of Security Keys to step in :)


Einstein, you have decades to wait. If you know and understand what you are doing (doubt it), look into Linux boot and reprogram your BIOS for your key.


You are doubting right, I don’t know how it works inside (obvious! right?)

I don’t want to unlock the BIOS with the key, but the LUKS, so in my mind, something like Qubes asking for the key at boot-up, as an option in the password prompt page.

Is that something realistically impossible?

With Qubes 4.2, dom0’s Fedora 37 will be supporting the enrollment of FIDO2 keys, but there’s still the problem of dom0 not having access to USB devices by default… so unless you want to remove that security measure you’ll have to wait for official QubesOS support for this.

Relevant discussion:


Thanks a lot!
As I’m already waiting for 4.2 to (finally!) install Q. … I’ll keep at it.

Giving dom0 permanent access to USB … since my laptop doesn’t move out of the house, or maybe the occasional twice a year, and nobody accesses it here, I’m not sure how much of a threat that would be?