@1000101 To test it, follow the documentation to create your credentials and configure your system then run nixos-rebuild switch -I nixpkgs=https://github.com/mmahut/nixpkgs/archive/fido2luks.tar.gz.

@1000101 To test it, follow the documentation to create your credentials and configure your system then run nixos-rebuild switch -I nixpkgs=https://github.com/mmahut/nixpkgs/archive/fido2luks.tar.gz.

It works great with latest 5.4.x (5.4.11) kernel but when trying with stable 4.19.x (4.19.95) the prompt gets stuck waiting for additional entropy from the user (even with passwordless setup).

Indeed, the problem with < 5.4 kernels is that when the system is booting and fido2luks is run during the initrd process, it can take several seconds to initialize because of limited entropy from the pool.

This has been greatly fixed with random: try to actively add entropy rather than passively wait for it
that is in 5.4.

For now, I will just create a warning for end users to suggest using linuxPackages_latest with this option.

Let's wait until this change is released: shimunn/fido2luks@c4e0841

It adds --await-dev which waits for the device if not connected (default is 15 seconds). We can then get rid of the shell script doing the same (function wait_fido2key).

@mmahut upstream just released 0.2.3, so we are good to go! \o/ https://github.com/shimunn/fido2luks/tags

I've tried this but it doesn't work with any of the Yubikeys in the office.

For yubikey 5 it prints:

fido2luks credential  "HELLO"
authenticator error: Error while decoding CBOR from device.

I am not sure whether Yubikey 5 supports FIDO2 hmac-secret extension.

Yes it does... I use FIDO2 support for it in many places including Microsoft Hello + Bitlocker (Which uses the same extensions as this tool)

https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#FIDO2hx8dol including the required hmac-secret extension https://support.yubico.com/support/solutions/articles/15000027138-yubikey-5-2-3-enhancements-to-fido-2-support

@arianvp are you sure your key has the required firmware version 5.2.3?

Yes all our keys are updated to 5.2.4

I've opened an upstream issue. I don't think we can do much here. shimunn/fido2luks#10

Hope we can fix it there (and backport it to 20.03)

Perhaps we could instead base this module on https://github.com/mjec/fido2-hmac-secret ?

It's actively used in Arch and based in the libfido2 library that is maintained by Yubikey. I have a bit more faith in it working than an experimental rust ctap implementation that isn't too actively maintained

implementation that isn't too actively maintained

These are pretty strong words. Last commit to that repo was 19 days ago, while the module you are suggesting has the last commit in February.

Sorry my wording could've been clearer and less strong. Thanks for calling me out on that.

I wasn't talking about fido2luks vs fido2-hmac-secret but about the dependencies they depend on that implement the interesting bits.
I was comparing https://github.com/Yubico/libfido2 and https://github.com/shimunn/ctap here .

where libfido2 seems more actively maintained and battle-tested (and also already used by the openssh that we package).

Anyhow lets hope I can help debug with the fido2luks author to see if we can get it working on Yubikey 5.

Thanks for helping debugging