
FIDO2 based Full Disk Encryption (FDE) on NixOS

From Official NixOS Wiki
Revision as of 06:33, 13 June 2026 by 34j (talk | contribs) (Add FIDO2 based Full Disk Encryption (FDE) on NixOS)

This page is a minimal guide for setting up LUKS-based full disk encryption with FIDO2 pre-boot authentication (PBA) on a UEFI system using systemd-cryptenroll(1).

Configuration

1. Install NixOS with LUKS2 enabled (see the section below).

2. Set up the FIDO2 device. A new YubiKey needs a FIDO2 PIN, which can be set by running Yubico Authenticator (available in yubikey-personalization), clicking the Passkey section in the left menu and then clicking the button in the upper right corner.

3. Enroll the FIDO2 device by running

# sudo systemd-cryptenroll --fido2-device=auto $LUKS_PART

where $LUKS_PART is the physical LUKS partition. See systemd-cryptenroll (wiki.archlinux.org), systemd-cryptenroll(1) and [1] for further information on customization, including user presence, PIN and biometric user verification.

Warning: You may need to touch the FIDO2 device so that user presence can be verified; otherwise the error Failed to generate FIDO2 credential: FIDO_ERR_OPERATION_DENIED is raised.

4. Update the NixOS configuration following sec-luks-file-systems-fido2-systemd in the NixOS manual:

/mnt/etc/nixos/configuration.nix (lines marked + are the ones to add)
{
  boot.initrd = {
+    systemd.enable = true; # true by default
+    luks.fido2Support = false; # false by default (option of the non-systemd initrd; leave it off here)
    luks.devices."put-device-here" = { # attribute name becomes the /dev/mapper name, i.e. $LUKS_ROOT
      device = "$LUKS_PART"; # the physical LUKS partition, preferably by /dev/disk/by-uuid/...
+      crypttabExtraOpts = ["fido2-device=auto"];
    };
  };
  fileSystems."/" = {
    device = "/dev/mapper/$LUKS_ROOT";
    fsType = "...";
  };
}
Tip: Changes to the Nix configuration only take effect once the system has been rebuilt and activated:
$ nixos-rebuild switch --sudo
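After enrolling (step 3) it is worth confirming that the token actually landed in the LUKS2 header, with which presence/PIN/verification policy, and that a non-FIDO2 keyslot (the luksFormat passphrase or a recovery key) still exists as a fallback. The script below is an added example and not part of this wiki page: it reads the JSON printed by `cryptsetup luksDump --dump-json-metadata $LUKS_PART` (the `systemd-fido2` token type and the `fido2-*-required` fields are the ones systemd-cryptenroll writes); the embedded sample header is constructed.

```python
import json
import subprocess
import sys


def audit_fido2_enrollment(meta: dict) -> dict:
    """Summarise a LUKS2 header: which keyslots are bound to systemd-fido2
    tokens, which remain as non-FIDO2 fallbacks, and each token's policy."""
    keyslots = set(meta.get("keyslots", {}))
    fido2 = {tid: t for tid, t in meta.get("tokens", {}).items()
             if t.get("type") == "systemd-fido2"}
    bound = {slot for t in fido2.values() for slot in t.get("keyslots", [])}
    policies = {
        tid: {  # flags written by systemd-cryptenroll at enrollment time
            "pin": bool(t.get("fido2-clientPin-required", False)),
            "user_presence": bool(t.get("fido2-up-required", False)),
            "user_verification": bool(t.get("fido2-uv-required", False)),
        }
        for tid, t in fido2.items()
    }
    return {
        "fido2_keyslots": sorted(bound),
        # Passphrase/recovery slots; without one, losing the token locks you out.
        "fallback_keyslots": sorted(keyslots - bound),
        "policies": policies,
    }


def load_header(device: str) -> dict:
    """Read the live header, e.g. load_header("/dev/sda2") (needs root)."""
    out = subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", device],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample header: slot 0 from luksFormat, slot 1 added by cryptenroll.
SAMPLE_HEADER = {
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-fido2", "keyslots": ["1"],
                     "fido2-clientPin-required": True,
                     "fido2-up-required": True,
                     "fido2-uv-required": False}},
}

if __name__ == "__main__":
    meta = load_header(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADER
    report = audit_fido2_enrollment(meta)
    print(json.dumps(report, indent=2))
    if not report["fido2_keyslots"] or not report["fallback_keyslots"]:
        sys.exit("no FIDO2 token enrolled, or no fallback keyslot left")
```

Run it as `sudo python3 audit.py $LUKS_PART` on the real device; without an argument it evaluates the constructed sample.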


Install NixOS with LUKS2 enabled

LUKS2-based full disk encryption can be enabled by ticking the Encrypt disk checkbox in the Partitions section of the graphical installer (sec-installation-graphical in the NixOS manual).

Alternatively, a manual installation is possible as follows (see sec-installation-manual-partitioning-UEFI, https://nixos.org/manual/nixos/stable/#sec-luks-file-systems and sec-installation-manual-installing in the NixOS manual):

# sudo parted /dev/sda
GNU Parted 3.6
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt
(parted) mkpart ESP fat32 1MB 512MB
(parted) set 1 esp on
(parted) mkpart primary 512MB 100%
(parted) quit

# EFI_PART=/dev/sda1
# LUKS_PART=/dev/sda2
# LUKS_ROOT=crypted
# sudo cryptsetup luksFormat "$LUKS_PART"
# sudo cryptsetup luksOpen "$LUKS_PART" "$LUKS_ROOT"
# sudo mkfs.ext4 "/dev/mapper/$LUKS_ROOT"

# sudo mount "/dev/mapper/$LUKS_ROOT" /mnt # mount luks device first
# sudo mkdir -p /mnt/boot # create mount point
# sudo mount -o umask=077 "$EFI_PART" /mnt/boot # mount efi partition next
# sudo nixos-generate-config --root /mnt
# sudo nixos-install