How to Unlock LUKS with YubiKey on a Linux Tablet

Using full-disk encryption on a Linux tablet is a good security practice, but it creates one practical problem: how do you enter your LUKS passphrase during boot if you do not have a physical keyboard connected?

This is especially relevant for devices such as the Star Labs StarLite MK V, a Linux-friendly tablet that can run Fedora and other desktop Linux distributions. If you want to keep the disk encrypted but avoid typing a long password on a touchscreen during early boot, a YubiKey can be used as a physical FIDO2 security key to unlock the encrypted LUKS partition.

This guide explains how to unlock LUKS with YubiKey on a Linux tablet. The setup was tested on Fedora, but the same general approach should also work on other Linux distributions that support LUKS2, systemd, FIDO2 and early-boot integration. The exact commands may differ depending on the distribution.

Why use a YubiKey to unlock a Linux tablet?

Full-disk encryption protects your data if the tablet is lost, stolen or accessed without permission. On a laptop, typing the LUKS passphrase during boot is usually not a problem because a hardware keyboard is always available.

On a tablet, the situation is different.

During early boot, before the full graphical environment starts, touchscreen support may be unavailable or unreliable. Even if an on-screen keyboard appears, typing a long encryption passphrase on a tablet can be inconvenient. This is where a YubiKey becomes useful.

Instead of relying only on keyboard input, you can configure LUKS to unlock with a FIDO2 security key. During boot, the system detects the YubiKey and asks you to touch it. The encrypted disk can then be unlocked without typing the full passphrase.

This setup makes it possible to unlock LUKS with YubiKey while keeping your encrypted Linux tablet practical to use.

This does not mean you should remove your existing LUKS password. The passphrase should remain available as a backup method in case the YubiKey is lost, damaged or not detected.

Tested hardware and system

This guide is based on a Fedora setup tested on a Linux tablet — in this case, the Star Labs StarLite MK V.

The general idea is useful for:

  • Linux tablets without a permanently attached keyboard,
  • convertible devices used mostly in tablet mode,
  • small Linux laptops where external input is inconvenient,
  • encrypted Fedora installations using LUKS2,
  • users who want disk encryption without typing a passphrase at every boot.

The exact device path and configuration may vary depending on your installation.

Unlock LUKS with YubiKey: requirements

You will need:

  • a Linux tablet or laptop with an encrypted LUKS2 partition,
  • Fedora or a similar Linux distribution,
  • systemd,
  • dracut,
  • a YubiKey with FIDO2 support,
  • administrator access via sudo,
  • the current LUKS passphrase,
  • a working USB-C or USB-A connection for the YubiKey.

This guide uses Fedora commands. On other distributions, especially Ubuntu or Debian-based systems, package installation and initramfs handling may be different.

Important warning before unlocking LUKS with a YubiKey

Do not remove your existing LUKS passphrase.

YubiKey unlocking should be treated as an additional unlock method, not the only way to access your encrypted system. If the key is unavailable or the early boot environment does not detect it, the passphrase remains your recovery option.

Before testing, make sure you know the current LUKS password and that you can unlock the system manually.

Step 1. Update Fedora and install FIDO2 tools

After installing Fedora on the tablet, update the system:

sudo dnf update -y

Then install the FIDO2 tools:

sudo dnf install -y fido2-tools

These tools allow you to check whether the system detects your YubiKey correctly.

Step 2. Check whether Fedora detects the YubiKey

Connect the YubiKey to the tablet.

If your tablet has only USB-C and your YubiKey uses USB-A, use a reliable adapter. For a device like the StarLite MK V, a USB-C YubiKey is usually the most convenient option.

Run:

fido2-token -L

If the key is visible, you should see output similar to:

/dev/hidraw1: vendor=Yubico product=YubiKey FIDO+CCID

This means Fedora can see the YubiKey as a FIDO2 device.

If there is no output, check whether:

  • the YubiKey is fully inserted,
  • the USB adapter works,
  • the key supports FIDO2,
  • the fido2-tools package is installed,
  • the USB port is working correctly.

Step 3. Find the encrypted LUKS partition

Use lsblk to identify the encrypted partition:

lsblk

On many modern devices, the encrypted partition may look like this:

/dev/nvme0n1p3

However, this is only an example. Your system may use a different device name, such as:

/dev/nvme0n1p2
/dev/sda3
/dev/vda3

Make sure you select the actual LUKS partition, not the EFI partition or an unencrypted boot partition.

Step 4. Check whether the partition uses LUKS2

FIDO2 enrollment with systemd-cryptenroll requires LUKS2.

Check the LUKS version:

sudo cryptsetup luksDump /dev/nvme0n1p3 | grep Version

Replace /dev/nvme0n1p3 with your actual encrypted partition.

If the output shows:

Version:        2

you can continue.

If the partition uses LUKS1, do not continue without understanding the implications. Migrating from LUKS1 to LUKS2 is possible in some cases, but it should only be done after creating a full backup.

Step 5. Add FIDO2 support to initramfs

For the YubiKey to work during boot, Fedora must be able to detect it before the full system starts. This requires adding the FIDO2 module to dracut.

Create a dracut configuration file:

echo 'add_dracutmodules+=" fido2 "' | sudo tee /etc/dracut.conf.d/fido2.conf

Then rebuild initramfs:

sudo dracut --force

This step is especially important on a tablet, because the whole point is to unlock the encrypted system before the normal desktop environment and touchscreen input are available.

Step 6. Enroll the YubiKey as a LUKS unlock method

Now add the YubiKey to the encrypted LUKS partition:

sudo systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p3

Again, replace /dev/nvme0n1p3 with the correct partition.

The system will ask for the current LUKS passphrase. Then it will ask you to touch the YubiKey.

After successful enrollment, the FIDO2 credential data is stored as a token in the LUKS2 header together with a new keyslot; the existing passphrase keyslot stays in place.

Step 7. Edit /etc/crypttab

Now edit /etc/crypttab so Fedora knows it should try to use the YubiKey during boot.

Open the file:

sudo nano /etc/crypttab

Find the line for your encrypted root partition. It may look similar to this:

luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none

Add this option in the fourth column:

fido2-device=auto

Example:

luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none fido2-device=auto

If the line already has options in the fourth column, add fido2-device=auto after a comma.

Example:

luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none discard,fido2-device=auto

Save the file:

Ctrl+O
Enter
Ctrl+X

Step 8. Rebuild initramfs again

After changing /etc/crypttab, rebuild initramfs once more:

sudo dracut --force

Without this step, the new unlock configuration may not be included in the early boot environment.

Step 9. Reboot and test YubiKey unlocking

Reboot the tablet:

sudo reboot

Keep the YubiKey connected during boot.

If everything works correctly, Fedora should detect the YubiKey during the LUKS unlock stage and ask you to touch it. After touching the key, the encrypted partition should unlock and the system should continue booting.

This is the key benefit on a Linux tablet: you can keep full-disk encryption enabled without depending on a physical keyboard during every boot.

What if YubiKey unlocking does not work?

If the system does not unlock with the YubiKey, use your normal LUKS passphrase.

Then, after booting, check whether the key is detected:

fido2-token -L

Check the /etc/crypttab entry:

cat /etc/crypttab

Make sure the correct encrypted partition has fido2-device=auto in the fourth column.

You can also list the enrolled keyslots and their unlock types (for example, password and fido2):

sudo systemd-cryptenroll /dev/nvme0n1p3

and view the LUKS header:

sudo cryptsetup luksDump /dev/nvme0n1p3

After any change to /etc/crypttab, rebuild initramfs again:

sudo dracut --force
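The crypttab edit in Step 7 and the fourth-column check in this troubleshooting section, as an added example that is not part of the original post: a small POSIX shell helper that puts fido2-device=auto into the options column (creating the column when it is empty, appending after a comma when other options exist, and leaving an entry alone when it already has the option), plus a check that a named entry carries the option. The crypttab content and the luks-... names are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample /etc/crypttab content for the demo; not from a real system.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
luks-11111111-1111-1111-1111-111111111111 UUID=11111111-1111-1111-1111-111111111111 none
luks-22222222-2222-2222-2222-222222222222 UUID=22222222-2222-2222-2222-222222222222 none discard
luks-33333333-3333-3333-3333-333333333333 UUID=33333333-3333-3333-3333-333333333333 none fido2-device=auto,discard'

# crypttab_add_option LINE OPTION
# Prints LINE with OPTION in the fourth (options) column: the column is
# created when empty, OPTION is appended after a comma when other options
# exist, and the line is printed unchanged when OPTION is already present.
# Blank lines and comments pass through untouched.
crypttab_add_option() {
    line=$1; opt=$2
    case "$line" in
        ''|'#'*) printf '%s\n' "$line"; return 0 ;;
    esac
    set -f; set -- $line; set +f          # split on whitespace, no globbing
    name=$1; dev=$2; key=${3:-none}; opts=${4:-}
    if [ -z "$opts" ]; then
        opts=$opt
    elif ! printf ',%s,' "$opts" | grep -qF -- ",$opt,"; then
        opts="$opts,$opt"
    fi
    printf '%s %s %s %s\n' "$name" "$dev" "$key" "$opts"
}

# crypttab_add_option_all TEXT OPTION: applies crypttab_add_option to every line.
crypttab_add_option_all() {
    printf '%s\n' "$1" | while IFS= read -r l; do
        crypttab_add_option "$l" "$2"
    done
}

# crypttab_has_option TEXT NAME OPTION
# Exit 0 when the entry called NAME carries OPTION in its options column
# (comma-separated, exact match), 1 otherwise. This is the post-edit check.
crypttab_has_option() {
    printf '%s\n' "$1" | awk -v name="$2" -v opt="$3" '
        $1 == name { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == opt) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Demo: print the sample with fido2-device=auto added to every entry.
crypttab_add_option_all "$SAMPLE_CRYPTTAB" fido2-device=auto
```

Run it against a copy of /etc/crypttab and review the result before replacing the real file, then rebuild initramfs as in Step 8.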

Should you remove the LUKS password after adding YubiKey?

No.

Even if YubiKey unlocking works perfectly, the traditional LUKS passphrase should remain active. A hardware key can be lost, broken or temporarily unavailable. It is also possible that a firmware, kernel or initramfs change could affect early-boot detection.

For a Linux tablet, the YubiKey is best treated as a convenience and security improvement, not as the only recovery method.

Unlock LUKS with YubiKey: does this work only on Fedora?

This guide was tested on Fedora, but the general method is not Fedora-only.

The core components are:

  • LUKS2,
  • systemd,
  • systemd-cryptenroll,
  • FIDO2,
  • an initramfs environment capable of detecting the YubiKey.

Other distributions may support a similar setup, but the exact steps can differ. Fedora uses dnf for package management and dracut for initramfs generation. Ubuntu, Debian and other distributions may require different package names or different initramfs commands.

Unlock LUKS with YubiKey: why this matters for Linux tablets

Linux tablets are still a niche category, but they are becoming more interesting for users who want open systems, privacy and control over their hardware. Devices such as the Star Labs StarLite MK V show that a tablet does not have to be limited to Android, iPadOS or Windows.

However, running a traditional Linux distribution on a tablet exposes some practical issues. Disk encryption is one of them. It is easy to recommend encrypted installations, but less convenient when the device has no built-in hardware keyboard and the early boot environment does not provide comfortable touch input.

Using a YubiKey for LUKS unlocking is a practical workaround. It keeps the encrypted setup intact while making boot-time unlocking much more usable on tablet-style hardware.

For users who want to unlock LUKS with YubiKey, this method offers a good balance between security, convenience and recovery options.

FAQ

Can I unlock LUKS with YubiKey on a Linux tablet without a keyboard?

Yes. One practical method is to use a FIDO2 security key such as a YubiKey. After configuration, the system can unlock the encrypted LUKS partition during boot when you touch the key.

Does this work with the Star Labs StarLite MK V?

This guide is written with Linux tablets such as the Star Labs StarLite MK V in mind and was tested on Fedora. The exact partition names and setup may vary depending on your installation.

Do I still need my LUKS password?

Yes. Keep the LUKS password as a backup. Do not remove it after enrolling the YubiKey.

Can I use this with Ubuntu?

Probably, but not with the exact same commands. Fedora uses dnf and dracut. Ubuntu uses a different initramfs workflow, so it needs a separate version of the guide.

Does the YubiKey replace disk encryption?

No. The YubiKey does not replace LUKS encryption. It only provides another way to unlock the encrypted partition.

What happens if I lose the YubiKey?

You should still be able to unlock the disk with your normal LUKS passphrase. This is why you should not remove the original password.

Unlock LUKS with YubiKey: summary

Using a YubiKey to unlock LUKS is especially useful on Linux tablets, where entering a disk encryption password during boot can be inconvenient or impossible without a physical keyboard.

On Fedora, the process involves installing FIDO2 tools, checking that the YubiKey is detected, enrolling it with systemd-cryptenroll, adding fido2-device=auto to /etc/crypttab, and rebuilding initramfs with dracut.

This setup allows a device such as the Star Labs StarLite MK V to keep full-disk encryption enabled while making boot-time unlocking much more practical in tablet mode.

If you want to unlock LUKS with YubiKey on a Linux tablet, this method is one of the most convenient ways to combine full-disk encryption with a keyboard-free boot experience.


Discover more from FOSS2go