Unlocking LUKS2 with a usb key

Has anyone managed to get to unlock LUKS using a secured key ?
There is this thread, but it focuses on YubiKey, while so many other key exists.
I personally use TrustKey (the G320H model)
Most, if not all, keys should be working the same way, they generate a unique code which unlock whatever has been programmed to respond to it.
Any hint, idea, suggestion ? (no rush, I’m waiting for version 4.2 to resume my installation attempt)
Thks !

You are trying to solve with software a hardware issue. There are several ways to go around.

  1. SmartCards have been around for decades.
  2. Contact your hardware/motherboard manufacturer for BIOS with SSD hardware encryption. All of them make it but do not distribute it …
    There are lots of options but not available to the masses.

TY for your message, but I don’t see how this is relevant ?

I have a hardware key, and want to use it as such. Yes, ultimately it is a software relation, same as a keyboard is hdw but send software keys

So … still waiting for someone with knowledge on Security Keys to step-in :slight_smile:


Einstein you have decades to wait. If you know and understand what you are doing (doubt it), look into Linux boot and reprogram your BIOS for your key.

1 Like

You are doubting right, I don’t know how it works inside (obvious ! right ?)

I don’t want to unlock the BIOS with the key, but the LUKS, so in my mind, something like Qubes asking for the key at boot up, as an option in the password prompt page

Is that something realistically impossible ?

With Qubes 4.2 dom0’s Fedora 37 will be supporting the enrollment of FIDO2 keys, but there’s still the problem of dom0 not having access to usb devices by default…so unless you want to remove that security measure you’ll have to wait for official QubesOS support for this.

Relevant discussion:


Thks a lot !
As I’m already waiting for 4.2 to (finally !) install Q. … I’ll keep at it

Giving dom0 permanent access to USB … since my Laptop doesn’t move out of the house, or maybe the occasional twice a year, and nobody access it here, I’m not sure how much of a threat that would be ?

Someone in the Fedora community should have the answer. I have been testing on F37 before trying Dom0. Good thing. It looks like I will have to cycle though in and out of emergency shell a few times to find the right disk nomenclature for crypttab if there isnt some other missing step like forming sym links.

Until then, a psychic malevolent fire department could steal our Centuries strong passwords and frame our computers if we leave them unguarded at home our when they are out of our watchful eye. How do they do it? Must get help from Tailored Access Ops. I am interested in eventually getting measured boot like HEADS can. That is more parsimoniously useful to people who don’t know the FD. Otherwise, you could have someone mail your security key to you after you successfully pass totalitarian check points. You could parental control access to a computer also with security key LUKS lock. Anyway, cool thing to learn how to do. You could physically lock servers as well as remotely administer them with USB keys.

1 Like

Making some progress. You’ll save a lot of time doing it right the first time and not having to get out of emergency shell.

1 Like

Nitro forum update. Questions about bypass booting, dm-crypt, login instability.