Hey everyone, I've been thinking about how nice it would be if my laptop, which has a LUKS2 encrypted /home partition, could use my WearOS watch to automatically decrypt instead of relying on TPM2, a USB YubiKey, or having to enter a passphrase. I'm looking for an alternative method where my laptop could connect to a paired Bluetooth device to retrieve the key—maybe through a file transfer that keeps the key in RAM until the decryption is complete or by using a Bluetooth challenge-and-answer mechanism. Has anyone had any experience with this kind of setup? I tried using nRF Connect on my phone, but it didn't seem to advertise properly. Any tips would be greatly appreciated!
3 Answers
Are you ready to lose access to your laptop if your watch fails or if you upgrade? Sounds risky to me.
I'm not aware of any existing solution for this, and honestly, it seems like a risky move. Opting for a TPM + PIN setup is typically much simpler and maintains your security. With secure boot coupled with custom keys, you'd be ensuring that the LUKS key can only be unsealed if your boot environment is secure and unaltered.
Totally agree! Plus, with new systemd-pcrphase features, the process is more seamless. It's worth checking out!
In theory, yes, but implementing it could be tricky! You don't have many plug-and-play solutions out there. One way could involve your kernel loading the Bluetooth module and then a hook in initramfs connecting to your watch to handle a key exchange for unlocking LUKS and your /home partition. If you want to stick to unlocking just the /home partition, you could create a systemd service to grab the key before your login process, but you'd need to set it before graphical.target to prevent problems with the display manager during boot.
Absolutely, testing this setup sounds like a headache since reboots are frequent! But it is doable. Check out the Dropbear LUKS project if you're interested!
Definitely a challenge, especially with the challenge-response part on the WearOS device. Keeping the secret safe in a secure element is key!
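Added example, not from the thread, of the systemd route this answer describes: a one-shot unit ordered before graphical.target that fetches the key into a tmpfs file, unlocks /home, wipes the key on every exit path, and falls back to the passphrase keyslot when the watch is unreachable. It assumes the device path /dev/disk/by-partlabel/home, the mapper name home_crypt, that /home is not listed in fstab, and a hypothetical fetch_key_from_watch command standing in for a real BLE client.

```shell
#!/bin/sh
# Added example (not from the thread): one-shot unit that unlocks /home before
# graphical.target. fetch_key_from_watch is a hypothetical stand-in for the
# reader's BLE client; device path and mapper name are assumptions.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/disk/by-partlabel/home}"
MAPPER_NAME="home_crypt"
KEY_DIR="/run/cryptkey"   # /run is tmpfs: key stays in RAM (keep swap encrypted or off)

# Ordered before graphical.target (display manager needs /home) and after bluetooth.service.
render_unit() {
  cat <<'EOF'
[Unit]
Description=Unlock /home with key fetched from paired watch
After=bluetooth.service
Before=graphical.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/unlock-home.sh unlock

[Install]
WantedBy=graphical.target
EOF
}

fetch_key_from_watch() { false; }   # placeholder: replace with the real BLE client
unlock_home() {
  [ -e "/dev/mapper/$MAPPER_NAME" ] && return 0   # already open: idempotent
  mkdir -p -m 0700 "$KEY_DIR"
  key_file="$KEY_DIR/home.key"
  # Wipe the key material on every exit path, success or failure.
  trap 'shred -u "$key_file" 2>/dev/null || rm -f "$key_file"' EXIT
  if fetch_key_from_watch > "$key_file" 2>/dev/null && [ -s "$key_file" ]; then
    cryptsetup open --key-file "$key_file" "$LUKS_DEV" "$MAPPER_NAME"
  else
    # Watch absent or client failed: fall back to the passphrase keyslot (read to newline).
    systemd-ask-password "Watch unreachable, passphrase for /home:" \
      | cryptsetup open "$LUKS_DEV" "$MAPPER_NAME"
  fi
  mount "/dev/mapper/$MAPPER_NAME" /home
}

case "${1:-}" in
  unit)   render_unit ;;
  unlock) unlock_home ;;
esac
```

Install with `unlock-home.sh unit > /etc/systemd/system/unlock-home.service` and enable it; the passphrase fallback is what keeps the laptop reachable when the watch is lost or replaced.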

Well, if LUKS is implemented, I assume you'll also have a passphrase as a backup, right?