
FIDO2 based Full Disk Encryption (FDE) on NixOS

From Official NixOS Wiki

This page is a minimalistic guide for setting up LUKS-based full disk encryption with FIDO2 pre-boot authentication (PBA) on a UEFI system using systemd-cryptenroll(1).

Configuration

1. Install NixOS with LUKS2 enabled (see the section below).

2. Set up the FIDO2 device. For a new YubiKey, a FIDO2 PIN must be set first; this can be done by running Yubico Authenticator (available in yubikey-personalization), selecting the Passkey section in the left menu and then clicking the button in the upper right corner.

3. Enroll the FIDO2 device by running the following (the LUKS partition is detected automatically):

# sudo systemd-cryptenroll --fido2-device=auto

See systemd-cryptenroll on the Arch Wiki (wiki.archlinux.org), systemd-cryptenroll(1) and [1] for further information on customization, including user presence, PIN and biometric user verification.

Warning: You may need to touch the FIDO2 device so that user presence can be verified; otherwise the enrollment fails with the error Failed to generate FIDO2 credential: FIDO_ERR_OPERATION_DENIED.

4. Update the NixOS configuration following the NixOS manual section sec-luks-file-systems-fido2-systemd:

/mnt/etc/nixos/configuration.nix (lines marked with + are the additions):
{
  boot.initrd = {
+    systemd.enable = true; # true by default
+    luks.fido2Support = false; # false by default; the non-systemd FIDO2 path is not used here
    luks.devices."$LUKS_ROOT" = {
      device = "$LUKS_PART";
+      crypttabExtraOpts = ["fido2-device=auto"]; # passed to the generated crypttab entry
    };
  };
  fileSystems."/" = {
    device = "/dev/mapper/$LUKS_ROOT";
    fsType = "...";
  };
}
Tip: For the configuration change to take effect, the system must be rebuilt and switched to the new configuration:
$ nixos-rebuild switch --sudo
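After enrolling, it is worth confirming what actually landed in the LUKS2 header: that the FIDO2 token is bound to a keyslot that still exists, that it requires a PIN and a touch, and that a passphrase keyslot remains as a fallback so a lost or broken key does not lock the machine out. The script below is an added example for this page, not code from the NixOS wiki, NixOS or systemd. It parses the JSON printed by cryptsetup luksDump --dump-json-metadata; the token field names are the ones systemd-cryptenroll writes into the header, and the embedded header is a constructed sample rather than a dump from a real machine.

```python
"""Audit the LUKS2 header of a FIDO2-enrolled volume.

Added example, not code from the NixOS wiki, NixOS or systemd. It inspects
the JSON from `cryptsetup luksDump --dump-json-metadata DEVICE` and checks:
  * a systemd-fido2 token exists and points at a keyslot that still exists,
  * the token requires a client PIN and user presence,
  * a keyslot that is NOT bound to a FIDO2 token remains (passphrase or
    recovery key) so the volume can still be opened if the token is lost.
Token field names are those systemd-cryptenroll writes; SAMPLE_HEADER below
is a constructed sample.
"""
import json
import subprocess
from typing import Any

FIDO2_TOKEN_TYPE = "systemd-fido2"


def audit_luks_header(meta: dict[str, Any]) -> dict[str, Any]:
    """Evaluate one parsed LUKS2 header and return the findings."""
    keyslots = meta.get("keyslots", {})
    tokens = meta.get("tokens", {})
    fido2_tokens = {tid: tok for tid, tok in tokens.items()
                    if tok.get("type") == FIDO2_TOKEN_TYPE}

    fido2_slots: set[str] = set()   # keyslots unlocked by a FIDO2 token
    dangling: list[str] = []        # tokens whose keyslot no longer exists
    weak_policy: list[str] = []     # tokens enrolled without PIN + presence
    for tid, tok in fido2_tokens.items():
        for slot in tok.get("keyslots", []):
            if slot in keyslots:
                fido2_slots.add(slot)
            else:
                dangling.append(tid)
        if not (tok.get("fido2-clientPin-required") and tok.get("fido2-up-required")):
            weak_policy.append(tid)

    # Any keyslot not owned by a FIDO2 token is treated as a passphrase or
    # recovery-key slot; without one, a broken token means a lost volume.
    fallback_slots = sorted(set(keyslots) - fido2_slots)
    return {
        "fido2_tokens": sorted(fido2_tokens),
        "dangling_tokens": dangling,
        "tokens_without_pin_and_presence": weak_policy,
        "fallback_keyslots": fallback_slots,
        "ok": bool(fido2_tokens) and not dangling
              and not weak_policy and bool(fallback_slots),
    }


def audit_device(device: str) -> dict[str, Any]:
    """Dump the header of a real device (requires root) and audit it."""
    out = subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", device],
        check=True, capture_output=True, text=True).stdout
    return audit_luks_header(json.loads(out))


# Constructed sample in the shape of `cryptsetup luksDump --dump-json-metadata`:
# slot 0 is the passphrase set by luksFormat, slot 1 was added by cryptenroll.
SAMPLE_HEADER: dict[str, Any] = {
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64, "kdf": {"type": "argon2id"}},
        "1": {"type": "luks2", "key_size": 64, "kdf": {"type": "pbkdf2"}},
    },
    "tokens": {
        "0": {
            "type": FIDO2_TOKEN_TYPE,
            "keyslots": ["1"],
            "fido2-credential": "PLACEHOLDER_BASE64_CREDENTIAL_ID",
            "fido2-salt": "PLACEHOLDER_BASE64_SALT",
            "fido2-rp": "io.systemd.cryptsetup",
            "fido2-clientPin-required": True,
            "fido2-up-required": True,
            "fido2-uv-required": False,
        }
    },
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_device(target) if target else audit_luks_header(SAMPLE_HEADER)
    print(json.dumps(result, indent=2))
```

Run it as root with the LUKS partition as argument (for example /dev/sda2) to audit the real header; without an argument it audits the constructed sample. An empty fallback_keyslots list after enrollment is the finding to act on before rebooting.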


Install NixOS with LUKS2 enabled

LUKS2-based full disk encryption can be enabled by ticking the Encrypt disk checkbox in the Partitions section of the graphical installer (NixOS manual section sec-installation-graphical).

Alternatively, a manual installation is possible as follows (see the NixOS manual sections sec-installation-manual-partitioning-UEFI, https://nixos.org/manual/nixos/stable/#sec-luks-file-systems and sec-installation-manual-installing):

# sudo parted /dev/sda
GNU Parted 3.6
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt
(parted) mkpart ESP fat32 1MB 512MB
(parted) set 1 esp on
(parted) mkpart primary 512MB 100%
(parted) quit

# EFI_PART=/dev/sda1
# LUKS_PART=/dev/sda2
# LUKS_ROOT=crypted
# sudo mkfs.fat -F 32 "$EFI_PART" # format the EFI system partition (parted only set the partition type)
# sudo cryptsetup luksFormat "$LUKS_PART"
# sudo cryptsetup luksOpen "$LUKS_PART" "$LUKS_ROOT"
# sudo mkfs.ext4 "/dev/mapper/$LUKS_ROOT"

# sudo mount "/dev/mapper/$LUKS_ROOT" /mnt # mount the LUKS device first
# sudo mkdir -p /mnt/boot # create the mount point
# sudo mount -o umask=077 "$EFI_PART" /mnt/boot # mount the EFI partition next
# sudo nixos-generate-config --root /mnt
# sudo nixos-install