Disclaimer: This is potentially a very silly / dangerous tool to use
This does NOT yet support systemd, because systemd does not support keyscripts. The workaround is the `initramfs` option in crypttab, which forces your disk to be mounted in the initramfs, before systemd has started.
This uses some trickery in order to synthesise a static key from a U2F token:

- This tool uses the public key obtained during the register request as the LUKS private key, and derives that public key back from the authenticate requests using elliptic curve key recovery (http://github.com/darkskiez/eckr) on the signatures.
- This tool optionally encrypts the key handle with the user passphrase, and stores it in the `u2f-luks.keys` file. Only the correct key handle, passphrase and U2F token will yield the correct key. A hash based on the correct key is stored in the key file because the key recovery algorithm returns two candidate keys, and the hash is what tells them apart.
Most U2F tokens will blink if the correct matching password is entered.
## Installation

```sh
go get -u github.com/darkskiez/u2f-luks
sudo cp $GOPATH/bin/u2f-luks /usr/local/bin
sudo cp $GOPATH/src/github.com/darkskiez/u2f-luks/initramfs-hooks/u2fkey /etc/initramfs-tools/hooks/
```
## Enrollment

```sh
KEY=$(mktemp)
sudo u2f-luks -v -enroll -keyfile /etc/u2f-luks.keys >$KEY
sudo cryptsetup luksAddKey /dev/sdxx $KEY
rm $KEY
$EDITOR /etc/crypttab
# OLD
sdax_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks
# NEW
sdax_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks,initramfs,keyscript=/usr/local/bin/u2f-luks
sudo update-initramfs -u
```
## Usage

When prompted for your password, enter the 2FA password and tap the token. If you did not supply a password during enrollment, you can just tap the token.

If this fails to unlock your disk, enter your previous disk encryption passphrase instead, and press enter when prompted to touch your token.
This optional step is left as an exercise for the enthusiastic.
## Removing the U2F key

```sh
KEY=$(mktemp)
sudo u2f-luks -v -keyfile /etc/u2f-luks.keys >$KEY
sudo cryptsetup luksRemoveKey /dev/sdxx $KEY
rm $KEY
```
## Lost token

```sh
# Check which slots are used; 0 is often the original passphrase and 1..7 the additional keys
sudo cryptsetup luksDump /dev/sdxx
# Kill the slot for the lost token, then check you still have a valid passphrase afterwards
sudo cryptsetup luksKillSlot /dev/sdxx [0-7]
sudo cryptsetup luksOpen --test-passphrase /dev/sdxx
```
Remove the `initramfs` and `keyscript` arguments you added to `/etc/crypttab` during installation, then rebuild the initramfs:

```sh
sudo update-initramfs -u
```