This will allow you to unlock your luks encrypted disk with an fido2 compatible key
Note: This has only been tested under Fedora 30 using a Solo Key
dnf install cargo cryptsetup-devel -y
``` git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
CARGOINSTALLROOT=/usr sudo -E cargo install -f --path .
echo FIDO2LUKSCREDENTIALID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf
set -a . dracut/96luks-2fa/fido2luks.conf
sudo -E fido2luks -i add-key /dev/disk/by-uuid/
sudo -E fido2luks -i open /dev/disk/by-uuid/
```
``` cd dracut
sudo make install ```
Add rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID> to GRUB_CMDLINE_LINUX in /etc/default/grub
Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using fido2luks add-key
grub2-mkconfig > /boot/grub2/grub.cfg
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
mkdir /boot/fido2luks/
cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/
Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
```
cryptsetup luksHeaderBackup /dev/disk/by-uuid/
fido2luks -i add-key --exclusive /dev/disk/by-uuid/
Remove your previous secret as described in the next section, incase you already added one.
Open /etc/fido2luks.conf and replace FIDO2LUKS_SALT=Ask with FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>
Import the new config into env:
set -a
. /etc/fido2luks.conf
Then add the new secret to each device and update dracut afterwards dracut -f
Remove rd.luks.2fa from GRUB_CMDLINE_LINUX in /etc/default/grub
```
set -a
. fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf ```