YubiKey FIDO2

https://wiki.archlinux.org/title/Universal_2nd_Factor#Data-at-rest_encryption_with_LUKS
https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2#Decryption_using_FIDO2_2
https://saligrama.io/blog/post/upgrading-personal-security-evil-maid/
https://bbs.archlinux.org/viewtopic.php?id=265134

Install Manjaro with disk encryption and boot to the newly installed system. Now install dependencies:

yay -S libfido2

This also installs libcbor as a dependency.

Now enroll both partitions with:

systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p2
systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p3

This will prompt you to press the YubiKey a few times.

Edit /etc/kernel/cmdline (if it does not exist, create it by copying the contents of /proc/cmdline) and add the following parameters:

rd.luks.name=f863ebf3-8735-48c7-88b1-e7fe1b0ae8a6=root rd.luks.options=fido2-device=auto root=/dev/mapper/root
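
A mismatch between these parameters (wrong LUKS UUID, or a root= that names a different mapping) only shows up at the next boot, so it is worth checking the line before rebooting. The script below is an added example, not part of the original notes or of systemd; check_cmdline is a hypothetical helper, and the "rw quiet" tail in the sample is constructed.

```shell
#!/bin/sh
# check_cmdline CMDLINE LUKS_UUID   (hypothetical helper, added example)
# Returns 0 when the rd.luks.* and root= parameters agree with each other
# and with LUKS_UUID; otherwise prints each problem to stderr and returns 1.
check_cmdline() (
    set -f                          # no glob expansion while word-splitting
    want=$2 name= opts= root= rc=0
    pre="rd.luks.name=$want="
    for arg in $1; do
        case $arg in
            "$pre"*)           name=${arg#"$pre"} ;;
            rd.luks.options=*) opts=${arg#rd.luks.options=}
                               opts=${opts#"$want"=} ;;  # per-UUID form
            root=*)            root=${arg#root=} ;;
        esac
    done
    fail() { echo "cmdline: $*" >&2; rc=1; }
    [ -n "$name" ] || fail "no rd.luks.name=$want=<name> entry"
    case ",$opts," in
        *,fido2-device=*) ;;
        *) fail "rd.luks.options lacks fido2-device=" ;;
    esac
    case $root in
        "") fail "root= is missing" ;;
        /dev/mapper/*)
            [ "$root" = "/dev/mapper/$name" ] ||
                fail "root=$root does not match mapping name '$name'" ;;
    esac                            # other root= forms (UUID=...) are not judged
    return "$rc"
)

# Constructed sample: the parameters from the notes plus a typical tail.
SAMPLE='rd.luks.name=f863ebf3-8735-48c7-88b1-e7fe1b0ae8a6=root rd.luks.options=fido2-device=auto root=/dev/mapper/root rw quiet'
check_cmdline "$SAMPLE" f863ebf3-8735-48c7-88b1-e7fe1b0ae8a6 && echo "cmdline OK"

# On the real system (as root; assumes /dev/nvme0n1p2 is the root container):
#   check_cmdline "$(cat /etc/kernel/cmdline)" "$(cryptsetup luksUUID /dev/nvme0n1p2)"
```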