#1 2024-05-19 16:20:22

OlafLostViking
Member
From: Lost
Registered: 2013-01-30
Posts: 59

How to add metadata/custom field/label to LUKS key slot/token

I am using multiple Nitrokeys (OSS alternative to YubiKeys) to decrypt some LUKS2 managed partitions. The reason is to have some fallback in case a key breaks or gets lost. Each key gets enrolled using `systemd-cryptenroll`. This adds a new `key` slot and "links" a `token` slot to it. This token is of type `systemd-fido2` and contains the necessary FIDO2 details. So far so good.

If I now want to remove a key that broke or just check which keys have already been enrolled on a specific device, I'd need some label telling me it was key "White" or key "Blue". But how to add that...? I tried to export the token, modify the JSON and add it again. The newly added token does work with `systemd-cryptsetup`, but my added fields aren't imported...! So is cryptsetup actually aware of the semantics within the token JSON!?

So my question is now: How can I add some label or metadata to a key or token slot in the LUKS2 crypto header?

Thanks!

Last edited by OlafLostViking (2024-05-19 16:20:47)
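
An added example, not part of the original post: one way to see which FIDO2 enrollments a header holds is to read its JSON metadata (as printed by `cryptsetup luksDump --dump-json-metadata <device>`), list each `systemd-fido2` token with the key slots it links to, and match a fingerprint of the stored credential against a label map kept outside the header. The sample metadata, the sidecar label map and all function names are constructed for illustration.

```python
import hashlib
import json

# Constructed sample of `cryptsetup luksDump --dump-json-metadata` output,
# trimmed to the parts used here. Credential values are made up.
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-fido2", "keyslots": ["1"],
              "fido2-credential": "Y29uc3RydWN0ZWQtY3JlZC13aGl0ZQ==",
              "fido2-rp": "io.systemd.cryptsetup"},
        "1": {"type": "systemd-fido2", "keyslots": ["2"],
              "fido2-credential": "Y29uc3RydWN0ZWQtY3JlZC1ibHVl",
              "fido2-rp": "io.systemd.cryptsetup"},
    },
})

def credential_fingerprint(token):
    """Short, stable identifier derived from the token's stored credential ID."""
    return hashlib.sha256(token["fido2-credential"].encode()).hexdigest()[:12]

def list_fido2_enrollments(metadata_json, labels=None):
    """Return one row per systemd-fido2 token: token id, linked key slots, label."""
    meta = json.loads(metadata_json)
    labels = labels or {}
    rows = []
    for token_id, token in sorted(meta.get("tokens", {}).items(), key=lambda kv: int(kv[0])):
        if token.get("type") != "systemd-fido2":
            continue  # other token types (TPM2, PKCS#11, ...) are not covered here
        fp = credential_fingerprint(token)
        rows.append({"token": token_id, "keyslots": token.get("keyslots", []),
                     "fingerprint": fp, "label": labels.get(fp, "unlabelled")})
    return rows

def unlinked_keyslots(metadata_json):
    """Key slots that no token points to (e.g. passphrase or recovery slots)."""
    meta = json.loads(metadata_json)
    linked = {s for t in meta.get("tokens", {}).values() for s in t.get("keyslots", [])}
    return sorted(set(meta.get("keyslots", {})) - linked, key=int)

if __name__ == "__main__":
    rows = list_fido2_enrollments(SAMPLE_METADATA)
    # Hypothetical sidecar mapping maintained by the administrator, outside the header.
    labels = {rows[0]["fingerprint"]: "White", rows[1]["fingerprint"]: "Blue"}
    for row in list_fido2_enrollments(SAMPLE_METADATA, labels):
        print(row)
    print("key slots without a token:", unlinked_keyslots(SAMPLE_METADATA))
```
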
