diff --git a/nixos/doc/manual/configuration/luks-file-systems.xml b/nixos/doc/manual/configuration/luks-file-systems.xml
index 8a2b107e0ee8..d3007843d68b 100644
--- a/nixos/doc/manual/configuration/luks-file-systems.xml
+++ b/nixos/doc/manual/configuration/luks-file-systems.xml
@@ -37,4 +37,38 @@ Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
on an encrypted partition, it is necessary to add the following grub option:
= true;
+
+ FIDO2
+
+
+ NixOS also supports unlocking your LUKS-Encrypted file system using a FIDO2 compatible token. In the following example, we will create a new FIDO2 credential
+ and add it as a new key to our existing device /dev/sda2:
+
+
+# export FIDO2_LABEL="/dev/sda2 @ $HOSTNAME"
+# fido2luks credential "$FIDO2_LABEL"
+f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
+
+# fido2luks -i add-key /dev/sda2 f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
+Password:
+Password (again):
+Old password:
+Old password (again):
+Added to key to device /dev/sda2, slot: 2
+
+
+ To ensure that this file system is decrypted using the FIDO2 compatible key, add the following to configuration.nix:
+
+boot.initrd.luks.fido2Support = true;
+boot.initrd.luks.devices."/dev/sda2".fido2.credential = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
+
+
+ You can also use the FIDO2 passwordless setup, but for security reasons, you might want to enable it only when your device is PIN protected, such as Trezor.
+
+
+boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess = true;
+
+
+
+
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index 1eef4f08c4fd..af91d72fb8f2 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -485,6 +485,12 @@ users.users.me =
now uses the short rather than full version string.
+
+
+ It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token
+ via .
+
+
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 0bb8396a44fc..31f1e22cda32 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -4,6 +4,7 @@ with lib;
let
luks = config.boot.initrd.luks;
+ kernelPackages = config.boot.kernelPackages;
commonFunctions = ''
die() {
@@ -139,7 +140,7 @@ let
umount /crypt-ramfs 2>/dev/null
'';
- openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fallbackToPassword, ... }: assert name' == name;
+ openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, fallbackToPassword, ... }: assert name' == name;
let
csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
@@ -387,7 +388,31 @@ let
}
''}
- ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) then ''
+ ${optionalString (luks.fido2Support && (fido2.credential != null)) ''
+
+ open_with_hardware() {
+ local passsphrase
+
+ ${if fido2.passwordLess then ''
+ export passphrase=""
+ '' else ''
+ read -rsp "FIDO2 salt for ${device}: " passphrase
+ echo
+ ''}
+ ${optionalString (lib.versionOlder kernelPackages.kernel.version "5.4") ''
+ echo "On systems with Linux Kernel < 5.4, it might take a while to initialize the CRNG, you might want to use linuxPackages_latest."
+ echo "Please move your mouse to create needed randomness."
+ ''}
+ echo "Waiting for your FIDO2 device..."
+ fido2luks -i open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase
+ if [ $? -ne 0 ]; then
+ echo "No FIDO2 key found, falling back to normal open procedure"
+ open_normally
+ fi
+ }
+ ''}
+
+ ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) then ''
open_with_hardware
'' else ''
open_normally
@@ -608,6 +633,31 @@ in
});
};
+ fido2 = {
+ credential = mkOption {
+ default = null;
+ example = "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2";
+ type = types.str;
+ description = "The FIDO2 credential ID.";
+ };
+
+ gracePeriod = mkOption {
+ default = 10;
+ type = types.int;
+ description = "Time in seconds to wait for the FIDO2 key.";
+ };
+
+ passwordLess = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Defines whatever to use an empty string as a default salt.
+
+ Enable only when your device is PIN protected, such as Trezor.
+ '';
+ };
+ };
+
yubikey = mkOption {
default = null;
description = ''
@@ -706,6 +756,15 @@ in
and a Yubikey to work with this feature.
'';
};
+
+ boot.initrd.luks.fido2Support = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enables support for authenticating with FIDO2 devices.
+ '';
+ };
+
};
config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
@@ -714,6 +773,14 @@ in
[ { assertion = !(luks.gpgSupport && luks.yubikeySupport);
message = "Yubikey and GPG Card may not be used at the same time.";
}
+
+ { assertion = !(luks.gpgSupport && luks.fido2Support);
+ message = "FIDO2 and GPG Card may not be used at the same time.";
+ }
+
+ { assertion = !(luks.fido2Support && luks.yubikeySupport);
+ message = "FIDO2 and Yubikey may not be used at the same time.";
+ }
];
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
@@ -753,6 +820,11 @@ in
chmod +x $out/bin/openssl-wrap
''}
+ ${optionalString luks.fido2Support ''
+ copy_bin_and_libs ${pkgs.fido2luks}/bin/fido2luks
+ ''}
+
+
${optionalString luks.gpgSupport ''
copy_bin_and_libs ${pkgs.gnupg}/bin/gpg
copy_bin_and_libs ${pkgs.gnupg}/bin/gpg-agent
@@ -783,6 +855,9 @@ in
$out/bin/gpg-agent --version
$out/bin/scdaemon --version
''}
+ ${optionalString luks.fido2Support ''
+ $out/bin/fido2luks --version
+ ''}
'';
boot.initrd.preFailCommands = postCommands;
diff --git a/pkgs/tools/security/fido2luks/default.nix b/pkgs/tools/security/fido2luks/default.nix
index 0bb5a91a81a7..4682a09acf5c 100644
--- a/pkgs/tools/security/fido2luks/default.nix
+++ b/pkgs/tools/security/fido2luks/default.nix
@@ -7,19 +7,19 @@
rustPlatform.buildRustPackage rec {
pname = "fido2luks";
- version = "0.2.2";
+ version = "0.2.3";
src = fetchFromGitHub {
owner = "shimunn";
repo = pname;
rev = version;
- sha256 = "018qzbgmgm0f0d0c7i54nqqjbr4k5mzy1xfavi6hpifjll971wci";
+ sha256 = "0340xp7q6f0clb7wmqpgllllwsixmsy37k1f5kj3hwvb730rz93x";
};
buildInputs = [ cryptsetup ];
nativeBuildInputs = [ pkg-config ];
- cargoSha256 = "1kf757wxxk5h8dfbz588qw1pnyjbg5qzr7rz14i7x8rhmn5xwb74";
+ cargoSha256 = "1i37k4ih6118z3wip2qh4jqk7ja2z0v1w8dri1lwqwlciqw17zi9";
verifyCargoDeps = true;
meta = with stdenv.lib; {