Librem 5 - Unlock LUKS volume with a FIDO2 device

Hello here!

I am back at testing my Librem 5 for daily usage, encryption is a big part of that for me.

My next question is about how to use the a device similar to the Yubikey to unlock the LUKS volume (a little like the Librem Key would do I suppose).

As soon as the guides get to systemd-cryptenroll --fido2-device=auto /dev/XXXX I am stuck as I cannot find systemd-crptenroll and the package is not present in the package list.

What should I be looking into?



Digging a little deeper it requires LUKS2 according to this guide and by doing sudo cryptsetup status /dev/mapper/crypt_root I see that my setup is LUKS1

In the meantime let me investigate further


Another thing to look into is unlocking the LUKS volume with the OpenPGP card. That has similarities and differences, as compared with an external key.

How did you end up with LUKS1? Is that what it is defaulting to if you flash the LUKS variant? It looks as if you can attempt to convert from LUKS1 to LUKS2.

LUKS1 is the default with my stock pre-installed Librem5 image.
I will surely try to convert to LUKS2

If it doesn’t work you might have to reinstall, make sure you’re prepared for that just in case.

To use the OpenPGP card you need a lot of infrastructure: GnuPG, pcscd daemon, … and they are all on the volume you want to unlock.

1 Like

Before looking at converting LUKS1 to LUKS2 you should probably check the systemd version running on the Librem 5, the feature you need is available from systemd version 248 and above, IIRC the Librem 5 currently use systemd version 247.

Things may have changed as I haven’t looked at this type of thing for about a year or so but, one difference between LUKS1 and LUKS2 is the header size, when you use the standard utils to convert LUKS1 to LUKS2 although the converted container is LUKS2 the LUKS2 header sits in the original disk space of the LUKS1 header this means that you don’t get a full LUKS2 header and some LUKS2 features don’t work. I suspect that the FIDO2 capabilities require a full LUKS2 header so even after converting LUKS1 to LUKS2 it may not work.

There is no defaulting to LUKS1, LUKS1 is all that is available, you can specify LUKS or not for the image but you don’t get a choice it LUKS1 or nothing.

When I flash a Librem 5 with an luks variant image file, I change the container to LUKS2 (and up the key size) before flashing the image to the phone. This gives me a LUKS2 container with the full header, but the main reason is that I am more familiar, and have had more success, with data recovery from LUKS2 containers than LUKS1.

It’s not much different from any other distro, the only tricky part is hooking into OSK SDL for handling pin/passphrase entry. I’m sure there a few examples of people doing just that on the PinePhone which would provide the pointers.

1 Like

Hi @antonionardella,
did you try / manage to use your FIDO2 device with the librem5?

I would be very interested of your results. I am also owning a FIDO2 device using it to decrypt my desktop devices. As I created a rather long encryption password this would be a convenient way to startup my phone. However I don’t want to brick my phone - so if you already made your experience - sharing would be appreciated.

As the question arose during the thread - my librem 5 has systemd version 247.

Kind regards

1 Like