Looking for Linux directory encryption tool that can use a hardware key

I’m using openSUSE Tumbleweed Gnome Wayland on an AMD laptop. I want a Linux directory or vault encryption app that can use a USB hardware key like a FIDO2 key or Yubikey, with the hardware key unlocking the directory or vault.

Anyone know of such an app? I prefer a GUI app.

Currently I’m using Cryptomator but it only uses passwords.

PS: Is there a Tumbleweed Discord?

systemd-cryptsetup supports FIDO2 (or storing keys on a smartcard or similar device), so one could loopback-mount an image containing a filesystem on LUKS2 protected by a FIDO2 hardware key. I do not think there is any GUI for it.

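The loopback-mounted LUKS2 image unlocked by a FIDO2 token, written out as an added example (this is not code from the thread or from the systemd project). It assumes root, cryptsetup with LUKS2 support, a systemd build that ships systemd-cryptenroll with libfido2, and a token that supports the FIDO2 hmac-secret extension; the image path, mapping name and mount point are assumed placeholders. The sizing rule of thumb in `vault_size_mib` is this example's own, not a LUKS rule.

```sh
#!/bin/sh
# Added example, not from the thread: a file-backed LUKS2 vault that is
# unlocked with a FIDO2 token through systemd-cryptenroll / systemd-cryptsetup.
# Assumptions: run as root, cryptsetup with LUKS2 support, systemd built with
# libfido2 (systemd-cryptenroll present), and a token that supports the
# FIDO2 hmac-secret extension. The paths below are assumed placeholders.
set -eu

VAULT_IMG=${VAULT_IMG:-/var/lib/vault.img}   # assumed location of the image
VAULT_NAME=${VAULT_NAME:-vault}              # becomes /dev/mapper/vault
VAULT_MNT=${VAULT_MNT:-/mnt/vault}           # assumed mount point

# Newer systemd ships systemd-cryptsetup in PATH; older releases keep it
# under /usr/lib/systemd. Resolve whichever is present.
systemd_cryptsetup() {
  if command -v systemd-cryptsetup >/dev/null 2>&1; then
    systemd-cryptsetup "$@"
  else
    /usr/lib/systemd/systemd-cryptsetup "$@"
  fi
}

# Image size in MiB for a given amount of data: the 16 MiB LUKS2 header
# (cryptsetup's default data offset), roughly 10% for ext4 metadata and
# journal, 8 MiB slack, rounded up to a multiple of 8 MiB. The overhead
# figures are this example's rule of thumb, not a LUKS requirement.
vault_size_mib() {
  data=$1
  total=$(( 16 + data + data / 10 + 8 ))
  echo $(( (total + 7) / 8 * 8 ))
}

# Step 1: create the image and format it as LUKS2. luksFormat asks for a
# passphrase and puts it in keyslot 0; keep it as the recovery path in
# case the token is lost or broken.
vault_create() {
  truncate -s "$(vault_size_mib "$1")M" "$VAULT_IMG"
  chmod 600 "$VAULT_IMG"
  cryptsetup luksFormat --type luks2 "$VAULT_IMG"
}

# Step 2: enroll the token. systemd-cryptenroll stores a salt and the
# credential id in a LUKS2 token object and adds a new keyslot whose
# passphrase is the token's hmac-secret output over that salt; the volume
# key that actually encrypts the data is untouched. It is documented for
# block devices, so the image is attached to a loop device first.
vault_enroll_fido2() {
  loopdev=$(losetup --find --show "$VAULT_IMG")
  systemd-cryptenroll --fido2-device=auto "$loopdev"
  losetup -d "$loopdev"
}

# Step 3: unlock with the token (touch it when it blinks), create the
# filesystem on first use, and mount. "-" means no key file.
vault_open() {
  systemd_cryptsetup attach "$VAULT_NAME" "$VAULT_IMG" - fido2-device=auto
  if ! blkid -p "/dev/mapper/$VAULT_NAME" >/dev/null 2>&1; then
    mkfs.ext4 -q "/dev/mapper/$VAULT_NAME"
  fi
  mkdir -p "$VAULT_MNT"
  mount "/dev/mapper/$VAULT_NAME" "$VAULT_MNT"
}

# Unmount and close the mapping so the key material leaves the kernel.
vault_close() {
  umount "$VAULT_MNT"
  systemd_cryptsetup detach "$VAULT_NAME"
}
```

As root, run `vault_create 200` (200 MiB of data, giving a 248 MiB image), then `vault_enroll_fido2`, then `vault_open`; copy the files into the mount point and finish with `vault_close`. Enrolling the token only adds a keyslot: LUKS keyslots each wrap the same volume key, so adding or changing an unlock method never re-encrypts the data. Keep the passphrase keyslot unless you accept that losing the token means losing the files. For unlocking from crypttab instead of by hand, a line such as `vault /var/lib/vault.img none fido2-device=auto,noauto` followed by `systemctl start systemd-cryptsetup@vault.service` does the same attach step.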
I’m a tech noob so a GUI app is probably the only thing I could use successfully. I’ll keep looking.

I use Veracrypt myself with a Yubikey, but I use the yubikey to store a password for that use. To my knowledge, it doesn’t have the ability to use something like a one-time token.

But an encryption system like this uses the entered key only to unlock the encryption key itself, not for the actual encryption (a rotating key wouldn’t work for any encryption mechanism that I’m aware of - which is why, for example, in Veracrypt, if you change your password, it doesn’t re-encrypt the entire device.)

Hmmm… If I remember correctly, Veracrypt is a GUI app? That could work for a noob like me. Can Veracrypt be used to encrypt just a specified directory? Or does Veracrypt only encrypt the whole drive?

I just want to encrypt a small number of files, about 100 files. So when I create an encrypted volume in Veracrypt, I can move those 100 files into that encrypted volume? Is that the way it works?

Looks like Veracrypt is being actively maintained. Nice.

Veracrypt comes with both a CLI and a GUI.

It encrypts a “container” - it can be a full device, or it can be a single file that’s mounted (using the UI) as a filesystem - doesn’t require any special rights to mount it, since it runs in userspace.

Cool. Sounds like it’ll have no problem with my 100 files. And sounds like I can easily add and remove files from the Veracrypt “container”? That true?

It’s just another filesystem. You have to size the container appropriately, but yeah, it’s pretty straightforward to use. Give it a try and see what you think. 🙂

Cool. Thanks for the info. Very helpful. I’m now researching more deeply into Veracrypt and Proton Drive. I’ll report back soon.

Backblaze supports Yubikey; that’s another option I’m looking into.