{"id":68,"date":"2026-04-06T23:56:14","date_gmt":"2026-04-06T23:56:14","guid":{"rendered":"http:\/\/digitalartifex.dev\/?p=68"},"modified":"2026-04-07T16:18:41","modified_gmt":"2026-04-07T16:18:41","slug":"using-your-security-key-with-linux","status":"publish","type":"post","link":"http:\/\/digitalartifex.dev\/index.php\/2026\/04\/06\/using-your-security-key-with-linux\/","title":{"rendered":"Using Your Security Key With Linux"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In the previous guide we took a look at how to set up our security key and how to use it to log in and as verification for sudo. This time, we will take a look at one of the other uses for our key: secure storage of private keys.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Pros<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">The pros of using a hardware key for key storage might be pretty obvious.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data Persistence<br>Since keys are stored on a separate USB device, you don&#8217;t have to worry about maintaining a backup in the event of a crash or computer hardware failure.<\/li>\n\n\n\n<li>Portability<br>Having the keys on a USB device means they are portable and can be used on any system that supports them. While this is also true of a USB drive, there the keys are visible and can be copied by anyone with the proper permissions.<\/li>\n\n\n\n<li>Security<br>It is not <em>impossible<\/em> to dump the data of a security key and potentially decrypt it. However, it is a destructive process that requires physical access to the key and is so difficult that it is out of the realm of possibility for all but the most hardcore nerds. They would have to not only target you specifically, but also would have to be <em>really<\/em> dedicated to gaining access to the machine it protects, such as a government employee&#8217;s access to servers. 
Even then, you would know your key is missing and could invalidate it and set up a new one much faster than the bad actor could crack it.<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Cons<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">The only con I can really think of is that, if used incorrectly, it can be a single point of failure. For instance, if you were to disable password logins and only had the hardware key&#8217;s ssh key, then the loss or damage of that key would result in a total lockout. You should set up your security strategy to use the hardware key as the primary authentication source, but also have backup methods such as OTP, secondary keys or a very long password.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Generating an SSH Key<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">The process for generating an ssh key on your hardware key is mostly the same as it is for generating any other ssh key. For older or more economical keys, you will most likely have to stick with <em>ecdsa-sk<\/em>, while newer and more expensive keys can make use of the preferred <em>ed25519-sk<\/em> key type. 
If you are not using a key with a button or biometric input, you should skip the <em>-O verify-required<\/em> option.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ed25519-sk<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh-keygen -t ed25519-sk -O resident -O verify-required -O application=ssh:&lt;name> -C \"your_email@example.com\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">ecdsa-sk<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh-keygen -t ecdsa-sk -O resident -O verify-required -O application=ssh:&lt;name> -C \"your_email@example.com\"<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>-O resident<\/em><br>This flag is required, as it registers the key on your FIDO2 device.<\/li>\n\n\n\n<li><em>-O verify-required<\/em><br>This flag requires your interaction with the key each time it is used for authentication.<\/li>\n\n\n\n<li><em>-O application=ssh:&lt;name><\/em><br>This optional flag gives a label to your keys, making management easier.<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Importing Keys to a New Machine<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">If you&#8217;re recovering from a hardware failure or just need to use your keys on another computer, you simply need to use ssh-keygen to create the key handles and import the public keys.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh-keygen -K<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Securing LUKS<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Not only can you use your FIDO2 key for passwordless login and securely storing ssh keys, but you can also use it to unlock your LUKS encryption with the <em>systemd-cryptenroll<\/em> utility.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before continuing, you should already have LUKS configured and also either have set up <em>\/etc\/crypttab<\/em> or customized your initramfs. 
See <a href=\"https:\/\/wiki.archlinux.org\/title\/Systemd-cryptenroll#Trusted_Platform_Module\">here<\/a> for more information.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you have more than one FIDO2 key, use the following command to list them and identify the one you want.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemd-cryptenroll --fido2-device=list<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, once we know which device we are targeting, we can register the key in a LUKS key slot. If you are targeting a specific device from the last step, replace <em>--fido2-device=auto<\/em> with <em>--fido2-device=\/dev\/hidraw<strong>X<\/strong><\/em>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemd-cryptenroll --fido2-device=auto \/dev\/sdX<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Non-root partitions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To also include non-root partitions, you need to add an entry to your <em>\/etc\/crypttab<\/em> similar to the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>data \/dev\/sdX none fido2-device=auto<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">LVM<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To include logical volumes managed by LVM, the entry is very similar:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>data \/dev\/vg1\/data none fido2-device=auto<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In the previous guide we took a look at how to set up our security key and how to use it to log in and as verification for sudo. This time, we will take a look at one of the other uses for our key: secure storage of private keys. 
Pros The pros of using a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":54,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,7],"tags":[],"class_list":["post-68","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-security"],"_links":{"self":[{"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/posts\/68","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/comments?post=68"}],"version-history":[{"count":11,"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/posts\/68\/revisions"}],"predecessor-version":[{"id":85,"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/posts\/68\/revisions\/85"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/media\/54"}],"wp:attachment":[{"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/media?parent=68"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/categories?post=68"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/digitalartifex.dev\/index.php\/wp-json\/wp\/v2\/tags?post=68"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}