Hey community and Purism devs,
I appreciate your work in every aspect of having a reasonably secure computing device, and partnering with Nitrokey was a very clever move in my opinion.
I’ve followed the git of Heads and the blog posts from Kyle saying that having a USB smartcard, like the Nitrokey Pro 2, improves the security in terms of having an untampered system (verifying the signatures of /boot files).
With my current system, I’m using a YubiKey with yubikey-luks, which uses a combination of a secret generated on the YubiKey (HOTP based) and the password itself. The use case differs a lot if you try to compare both methods (boot verification, second factor). But there’s also a project which sounds quite similar to yubikey-luks, but I can’t verify if it works the same way because I don’t have a Nitrokey for now (but I’m planning to replace my notebook in January next year and to order the Librem Key add-on with it).
My question now is: Is it possible to use the Nitrokey for the boot verification process AND configure it as a second factor, similar to the use case I’m already using via the YubiKey?
I’m very paranoid in terms of my notebook and see the password as a weak link (shoulder surfing, you know…), but combined with a hardware key (which would already be there to verify /boot) it would counter this threat.