nixos-yubikey-luks
How to add a backup key?
Can you add a section explaining how one would add a second yubikey as a backup device?
Wondering this as well. I'm taking a look at the options available under boot.initrd.luks.devices.*.yubikey and it really just seems like only a single yubikey is supported, unfortunately.
Can you advise how to add at least a backup passphrase, for when your yubikey is lost?
Yeah, sorry, I think I can probably come up with something.
Sorry @sgillespie, I managed to find something in the official NixOS docs; this worked for me.
# Be sure to delete luks.key afterwards.
# rbtohex and pbkdf2-sha512 are the helper commands from the NixOS Yubikey LUKS docs;
# they (plus openssl and ykchalresp) must be available in the shell, with the Yubikey plugged in.
KEY_LENGTH=512
ITERATIONS=1000000
read -r -s -p "Passphrase: " k_user; echo
# Challenge: SHA-512 of the first line of the salt file, as a hex string
challenge=$(head -n1 /boot/crypt-storage/default | tr -d '\n' | openssl dgst -binary -sha512 | rbtohex)
# Slot-2 challenge-response from the Yubikey, as a hex string
response="$(ykchalresp -2 -x "$challenge" 2>/dev/null)"
# If the Yubikey is missing or the slot is not configured, the response is empty
# and the derived key would be useless, so stop here rather than add a bad key.
[ -n "$response" ] || { echo "ykchalresp failed: no response from Yubikey" >&2; exit 1; }
# Derive the key that actually sits in the LUKS slot: PBKDF2-SHA512(passphrase, salt = response)
echo -n "$k_user" | pbkdf2-sha512 $((KEY_LENGTH / 8)) "$ITERATIONS" "$response" > luks.key
# Now you can pass luks.key to any cryptsetup command. For instance,
# if you want to add another key (e.g. a backup passphrase) to your setup:
cryptsetup luksAddKey /dev/nvme0n1p2 luks.key
rm luks.key
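To see why the script above has to be run while the Yubikey is still at hand, here is an added Python model of the derivation it performs (not code from this repo or from NixOS): the key in the LUKS slot is PBKDF2-SHA512 over the passphrase, salted with the Yubikey's HMAC-SHA1 response to the SHA-512 of the salt file, so neither factor alone reproduces it. The slot secret and salt line are constructed values, and it is assumed that pbkdf2-sha512 uses the hex response string verbatim as the salt, as the shell script passes it.

```python
import hashlib
import hmac

# Defaults used by the script above.
KEY_LENGTH_BITS = 512
ITERATIONS = 1000000


def challenge_from_salt_file(first_line: bytes) -> str:
    """Model of: head -n1 <salt file> | tr -d '\\n' | openssl dgst -binary -sha512 | rbtohex."""
    return hashlib.sha512(first_line.rstrip(b"\n")).hexdigest()


def yubikey_response(slot_secret: bytes, challenge_hex: str) -> str:
    """Model of: ykchalresp -2 -x <challenge>. Slot 2 is programmed for HMAC-SHA1
    challenge-response, so the token returns HMAC-SHA1(secret, decoded challenge) as hex.
    slot_secret stands in for the secret stored on the token; a real token never releases it."""
    return hmac.new(slot_secret, bytes.fromhex(challenge_hex), hashlib.sha1).hexdigest()


def derive_luks_key(passphrase: str, response_hex: str,
                    iterations: int = ITERATIONS,
                    key_length_bits: int = KEY_LENGTH_BITS) -> bytes:
    """Model of: echo -n $k_user | pbkdf2-sha512 $((KEY_LENGTH / 8)) $ITERATIONS $response.
    Assumption: the hex response is used as the salt verbatim (its ASCII bytes)."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), response_hex.encode(),
                               iterations, dklen=key_length_bits // 8)


def main() -> None:
    salt_line = b"constructed-salt-line-from-crypt-storage\n"   # constructed stand-in
    token_a = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed 20-byte secret
    token_b = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddcc")  # a different token

    challenge = challenge_from_salt_file(salt_line)
    key_a = derive_luks_key("correct horse", yubikey_response(token_a, challenge))
    key_b = derive_luks_key("correct horse", yubikey_response(token_b, challenge))
    print("LUKS key length:", len(key_a), "bytes")
    # Same passphrase, different token: the slot key is different, so a lost token
    # means the existing slot cannot be reproduced; hence the backup key.
    print("same key with another token:", key_a == key_b)


if __name__ == "__main__":
    main()
```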
@Deep-Six That's awesome! Feel free to add that to the README somewhere