deso

Gentoo > fido2

# List tokens
fido2-token -L
# Set minimum PIN length
fido2-token -S -l 12 /dev/hidraw7
# Set PIN
fido2-token -S /dev/hidraw7
# List credentials
fido2-token -L -r /dev/hidraw7
# Get credential ID of key
fido2-token -L -k login.microsoft.com /dev/hidraw7
# Delete credential by ID
fido2-token -D -i kgG5VJ7L4nP...OYSK5Rihmjbw= /dev/hidraw7

# Enroll the token as a LUKS2 unlock method (PIN, touch and user verification all disabled)
systemd-cryptenroll \
    --fido2-device=auto \
    --fido2-with-client-pin=false \
    --fido2-with-user-presence=false \
    --fido2-with-user-verification=false \
    /dev/nvme0n1p2

Note: --fido2-with-user-presence might be enforced by your FIDO2 security key; systemd-cryptenroll will then print a hint and set it to true.

You may need to enable fido2 support in the dracut initramfs; gentoo-kernel-bin does not include it by default when building the initramfs for you. To do so, add the following to /etc/dracut.conf.d/fido.conf:

add_dracutmodules+=" fido2 "
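
Why the spaces around the module name matter, as an added example that is not part of the original page or of dracut: a simplified model of how add_dracutmodules+= values from several drop-in files concatenate, read without executing the files. The helper names and the sample drop-ins (10-base.conf, the crypt module entry) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not dracut code): model how add_dracutmodules+= values from
# drop-in files concatenate, without executing the files.
# dracut_modules_string and dracut_conf_has_module are hypothetical helpers.

# Print the concatenation of every add_dracutmodules+= value in <dir>/*.conf,
# in glob (sorted) order. Handles unquoted and double-quoted values only.
dracut_modules_string() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        sed -n 's/^[[:space:]]*add_dracutmodules+=//p' "$f"
    done | sed 's/^"\(.*\)"$/\1/' | tr -d '\n'
}

# Return 0 if <module> is a separate space-delimited word in the result.
dracut_conf_has_module() {
    case " $(dracut_modules_string "$1") " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Constructed sample: an earlier drop-in without a trailing space, followed
# by fido.conf written without and then with the surrounding spaces.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'add_dracutmodules+=" crypt"' > "$d/10-base.conf"
    for value in 'fido2' '" fido2 "'; do
        printf 'add_dracutmodules+=%s\n' "$value" > "$d/fido.conf"
        if dracut_conf_has_module "$d" fido2; then
            echo "$value -> fido2 found in: '$(dracut_modules_string "$d")'"
        else
            echo "$value -> fido2 NOT found in: '$(dracut_modules_string "$d")'"
        fi
    done
    rm -rf "$d"
}
demo
```

To confirm the module actually landed in a built image, inspect the initramfs with lsinitrd and look for the fido2 module in its module list.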

16:53 05.01.2025 (updated on 18:50 20.04.2025)