| 10 May 2026 |
sudoforge | so some balance between my desire for the highest level of security and "well what if i'm unavailable" needed to be found lol | 21:59:37 |
trumee | sudoforge: i enrolled the yubikey when using disko. It did not create a recovery password. How can i open the disk manually using yubikey? This fails:
root@portable ~ [1]# cryptsetup open /dev/nvme0n1p2 --fido2-device=auto cryptdisk
Usage: cryptsetup [-?VqrvyN] [-?|--help] [--usage] [-V|--version]
[--active-name=STRING] [--align-payload=SECTORS] [--allow-discards]
[-q|--batch-mode] [--cancel-deferred] [-c|--cipher=STRING] [--debug]
[--debug-json] [--decrypt] [--deferred] [--device-size=bytes]
[--disable-blkid] [--disable-external-tokens] [--disable-keyring]
[--disable-locks] [--disable-veracrypt] [--dump-json-metadata]
[--dump-volume-key] [--encrypt] [--external-tokens-path=STRING]
[--force-password] [--force-offline-reencrypt] [--force-no-keyslots]
[-h|--hash=STRING] [--header=STRING] [--header-backup-file=STRING]
[--hotzone-size=bytes] [--hw-opal] [--hw-opal-factory-reset]
[--hw-opal-only] [--init-only] [-I|--integrity=STRING]
[--integrity-inline] [--integrity-key-size=BITS]
[--integrity-legacy-padding] [--integrity-no-journal]
[--integrity-no-wipe] [-i|--iter-time=msecs] [--iv-large-sectors]
[--json-file=STRING] [--keep-key] [--key-description=STRING]
[-d|--key-file=STRING] [-s|--key-size=BITS] [-S|--key-slot=INT]
[--keyfile-offset=bytes] [-l|--keyfile-size=bytes]
[--keyslot-cipher=STRING] [--keyslot-key-size=BITS] [--label=STRING]
[--link-vk-to-keyring=STRING] [--luks2-keyslots-size=bytes]
[--luks2-metadata-size=bytes] [--new-keyfile=STRING]
[--new-keyfile-offset=bytes] [--new-keyfile-size=bytes]
[--new-key-description=STRING] [--new-key-size=BITS]
[--new-key-slot=INT] [--new-token-id=INT]
[--new-volume-key-file=STRING] [--new-volume-key-keyring=STRING]
[-o|--offset=SECTORS] [--pbkdf=STRING]
[--pbkdf-force-iterations=LONG] [--pbkdf-memory=kilobytes]
[--pbkdf-parallel=threads] [--perf-high_priority]
[--perf-no_read_workqueue] [--perf-no_write_workqueue]
[--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus]
[--persistent] [--priority=STRING] [--progress-json]
[--progress-frequency=secs] [-r|--readonly]
[--reduce-device-size=bytes] [--refresh] [--resilience=STRING]
[--resilience-hash=STRING] [--resume-only] [--sector-size=INT]
[--serialize-memory-hard-pbkdf] [--shared] [-b|--size=SECTORS]
[-p|--skip=SECTORS] [--subsystem=STRING] [--test-args]
[--test-passphrase] [-t|--timeout=secs] [--token-id=INT]
[--token-only] [--token-replace] [--token-type=STRING]
[--tcrypt-backup] [--tcrypt-hidden] [--tcrypt-system]
[-T|--tries=INT] [-M|--type=STRING] [--unbound] [--use-random]
[--use-urandom] [--uuid=STRING] [--veracrypt] [--veracrypt-pim=INT]
[--veracrypt-query-pim] [-v|--verbose] [-y|--verify-passphrase]
[--volume-key-file=STRING] [--volume-key-keyring=STRING]
[-B|--block-size=MiB] [-N|--new] [--use-directio] [--use-fsync]
[--write-log] [--dump-master-key] [--master-key-file=STRING]
[OPTION...] <action> <action-specific>
--fido2-device=auto: unknown option
| 22:09:51 |
sudoforge | drop --fido2-device=auto | 22:12:39 |
trumee | It asks for a passphrase which i don't have/set. | 22:13:31 |
trumee | I should have set up a recovery key post disko run, which i didn't. | 22:14:07 |
trumee | Only the yubikey was enrolled. | 22:14:29 |
sudoforge | did you explicitly disable the recovery key? this is the content.enrollRecovery option | 22:14:30 |
trumee | yes, i disabled it. | 22:14:39 |
trumee | So there is no way to use the yubikey token to open the disk manually? | 22:15:24 |
trumee | I can redo the disko and reinstall, but i'm surprised that i need to do that | 22:16:03 |
sudoforge |
1. luksDump to actually verify that you only have the fido2 token
2. throw a --token-only on your cli
| 22:18:54 |
sudoforge | *
1. luksDump to actually verify that you only have the fido2 token as a key
2. throw a --token-only on the cryptsetup-open command
| 22:19:29 |
sudoforge | *
1. luksDump to actually verify that you only have the fido2 token as a key
2. throw a --token-only on the cryptsetup-open command; this tells cryptsetup to not ask for a passphrase and instead use tokens
| 22:20:06 |
sudoforge | *
1. luksDump to actually verify that you only have the fido2 token as a key
2. throw a --token-only on the cryptsetup-open command; this tells cryptsetup to not ask for a passphrase and instead use enrolled tokens
| 22:20:16 |
sudoforge | and 3. you should probably set content.enrollRecovery = true; | 22:22:22 |
sudoforge | * and 3. you should probably set content.enrollRecovery = true; (doing this will require formatting your disk if you want disko to apply it, but you can also just manually add a recovery passphrase) | 22:23:01 |
trumee | yes, i changed in disko. And doing a reinstall. | 22:26:48 |
trumee | do i need boot.loader.systemd-boot.enable = true; for fido2 support? | 22:30:40 |
sudoforge | uh, i've been using systemd-boot as my bootloader for far too long | 22:32:33 |
sudoforge | so | 22:32:35 |
sudoforge | i have no idea if grub (or whatever else you're using currently?) supports fido2 devices for unlocking encrypted volumes | 22:33:02 |
trumee | ok, i will enable it. i am not using grub | 22:34:56 |
sudoforge | you'll want to explicitly disable grub then | 22:35:07 |
sudoforge | boot.loader.grub.enable = lib.mkForce false; | 22:35:21 |
sudoforge | boot.loader.systemd-boot.enable = true; | 22:35:39 |
sudoforge | also, you're well past the point that has anything to do with framework specifically (in fact, your initial question about which filesystem to use that would play well with hibernation wasn't framework-specific either), so i'm going to recommend / suggest that you move further generic-nix-and-nixos questions to #users:nixos.org | 22:49:18 |
sudoforge | there is a much larger pool of people that can help you there | 22:49:37 |
sudoforge | * i have no idea if grub (or whatever else you're using currently?) supports fido2 devices for unlocking encrypted volumes. i mean, it should just delegate to cryptsetup, so probably? | 22:55:09 |
| 11 May 2026 |
| alanxoc3 joined the room. | 10:49:12 |
| funzen joined the room. | 20:10:30 |