Integrating a uTrust FIDO2 Security Key for Full Disk Encryption, Login, and Sudo Access on Fedora 42

This guide provides a step-by-step walk-through for integrating a uTrust FIDO2 security key (Identiv uTrust) with Fedora 42 to secure:

LUKS2 full disk encryption (FDE)
Graphical login (LightDM + Cinnamon)
Sudo elevation

Audience for this article
The guide is intended for instructional cybersecurity labs and intermediate Fedora users. It prioritizes PIN + Touch verification for strong security.
NOTE: Since misconfiguration can result in system lockout, readers should work only on non-production systems, maintain a fallback password, and back up all critical data before making changes.
Background
The following technology is used in this walk-through:
FIDO2 (Fast Identity Online 2) is a standard for passwordless or multi-factor authentication using hardware tokens. It relies on public key cryptography and supports PIN or biometric verification. In this setup, FIDO2 provides secure, hardware-backed authentication using a PIN and a required physical touch on the key.
LUKS2 (Linux Unified Key Setup 2) is the full-disk encryption format used in modern Linux systems.
PAM (Pluggable Authentication Modules) and Polkit (PolicyKit) control authentication for logins and privilege escalation across both GUI and CLI actions.
This guide combines these technologies to deliver end-to-end security — from full-disk decryption at boot, to graphical login, to administrative elevation with sudo.
System Overview
The following hardware/software is used in this implementation:
Hardware and Software:

Architecture: x86_64
CPU: Intel Core i7
Kernel: 6.14.9-300.fc42.x86_64
Fedora Version: Fedora 42 (Adams)
Desktop Environment: Cinnamon with LightDM

FIDO2 Key: Identiv uTrust FIDO2
Vendor/Product: 0x04e6:0x5a11
Protocol: CTAP2 / FIDO_2_0
PIN: Required
User Presence: Touch required
User Verification: PIN only (no biometrics)
Device Path: /dev/hidraw0

Disk Setup
Btrfs on LUKS2 FDE (/dev/sda3)
LUKS UUID: 8b2f0322-f508-4bed-8b1e-8f05cc784d60 (this will differ on each machine)
Keyslots:
0: Passphrase (argon2id)
1: FIDO2 credential (note: in testing, only one FIDO2 key could be used at a time)

Process Flow Overview
The following phases occur during implementation:

System preparation — Install Fedora 42 with LUKS2 full-disk encryption and update packages.
Package installation — Add the development, PAM, and FIDO2 tools required for integration.
FIDO2 key enrollment — Register the key with LUKS2 for disk unlock.
PAM configuration — Enable FIDO2 authentication for login and sudo.
Polkit configuration (optional) — Extend FIDO2 support to graphical privilege prompts.
Testing and verification — Confirm PIN + Touch authentication at boot, login, and sudo elevation.

Implementation Guide
Phase 1: System Preparation

Create a clean install of Fedora 42 with Cinnamon + LightDM
During installation/partitioning configure the following:

LUKS2 Full Disk Encryption (Btrfs or ext4)
No separate /home
No auto-login
Create an admin user

Update the system: sudo dnf upgrade --refresh -y

Phase 2: Required Package Installation
Install required development and security packages:
sudo dnf install -y gcc make cmake git autoconf automake libtool pam-devel systemd-devel glibc-devel openssl-devel libfido2 libfido2-devel fido2-tools u2f-host pam-u2f pcsc-lite pcsc-lite-ccid pcsc-tools ccid opensc authselect cryptsetup pam_passwdqc fprintd-pam gnome-keyring-pam
Enable and start the PC/SC daemon for smartcard support:
sudo systemctl enable --now pcscd
Phase 3: FIDO2 Key Setup

Insert the FIDO2 key and verify it is detected:
lsusb
fido2-token -L
fido2-token -I /dev/hidraw0
Expected output is: Identiv uTrust FIDO2 (0x04e6:0x5a11) with options rk, clientPin.
Troubleshooting considerations if the key isn’t recognized:

Ensure /dev/hidraw0 exists
Run the following to load the kernel modules:
sudo modprobe hid
sudo modprobe hid_generic
Replug the key

If FIDO_ERR_INTERNAL (-9) occurs:

Create the plugdev group:
sudo groupadd plugdev
sudo usermod -aG plugdev $USER
Apply a udev rule:
echo 'KERNEL=="hidraw*", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="5a11", TAG+="uaccess", GROUP="plugdev"' | sudo tee /etc/udev/rules.d/70-u2f.rules
sudo udevadm control --reload-rules && sudo udevadm trigger
Reboot: sudo reboot

Enroll the FIDO2 key for LUKS2:
sudo systemd-cryptenroll --fido2-device=/dev/hidraw0 --fido2-with-client-pin=yes /dev/sda3
Validate enrollment (the Tokens section should list a systemd-fido2 token bound to keyslot 1):
sudo cryptsetup luksDump /dev/sda3
Update /etc/crypttab:
sudo nano /etc/crypttab
Add or modify the entry for the LUKS volume; the options in the fourth field must be comma-separated, because systemd reads only four whitespace-separated fields and anything after a space in the options is silently ignored:
luks-… UUID=… none fido2-device=auto,fido2-with-client-pin=yes,discard
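As an added example that is not part of the original guide, the following POSIX shell script checks the two results of this phase offline: whether luksDump output lists a systemd-fido2 token with the PIN requirement recorded, and whether a crypttab line carries its FIDO2 options in the single comma-separated options field that systemd-cryptsetup actually reads. The function names, the two crypttab lines and the abbreviated luksDump excerpt are constructed for the illustration; the credential and salt values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): check the two artifacts of
# Phase 3, the LUKS2 token written by systemd-cryptenroll and the /etc/crypttab
# line that tells systemd-cryptsetup to use it.  Function names and the sample
# text below are constructed for this illustration.

# systemd-cryptsetup-generator reads at most four whitespace-separated fields
# from a crypttab line (name, device, key file, options).  This mirrors that:
# it prints field 4, and whatever follows a space after it is never seen.
crypttab_options() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# Return 0 when the options field holds both FIDO2 options the guide relies on
# as comma-separated items; otherwise report what is missing and return 1.
crypttab_fido2_ok() {
    opts=$(crypttab_options "$1")
    missing=""
    for want in "fido2-device=" "fido2-with-client-pin=yes"; do
        case ",$opts," in
            *",$want"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'options field "%s" lacks:%s\n' "$opts" "$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 when luksDump output lists a systemd-fido2 token whose
# fido2-clientPin-required value is true, i.e. the enrolment recorded the PIN
# requirement.  The Keyslot number should match the FIDO2 keyslot (1 here).
luksdump_fido2_ok() {
    printf '%s\n' "$1" | grep -q 'systemd-fido2' || return 1
    printf '%s\n' "$1" | grep -A1 'fido2-clientPin-required' | grep -q 'true'
}

# Constructed crypttab lines: the first separates options with spaces (only
# fido2-device=auto survives as field 4), the second is the corrected form.
BAD_LINE='luks-<UUID> UUID=<UUID> none fido2-device=auto fido2-with-client-pin=yes discard'
GOOD_LINE='luks-<UUID> UUID=<UUID> none fido2-device=auto,fido2-with-client-pin=yes,discard'

# Constructed, abbreviated excerpt of the Tokens section of luksDump output
# after systemd-cryptenroll; credential and salt are placeholders.
LUKSDUMP_SAMPLE='Tokens:
  0: systemd-fido2
        fido2-credential:
                      PLACEHOLDER_CREDENTIAL_ID
        fido2-salt:   PLACEHOLDER_SALT
        fido2-clientPin-required:
                      true
        fido2-up-required:
                      true
        Keyslot:      1'

# Usage when run directly.
crypttab_fido2_ok "$BAD_LINE" || echo "space-separated crypttab line rejected"
crypttab_fido2_ok "$GOOD_LINE" && echo "comma-separated crypttab line accepted"
luksdump_fido2_ok "$LUKSDUMP_SAMPLE" && echo "token: systemd-fido2 with PIN required"
```

On a real system, replace the constructed strings with `$(sudo cryptsetup luksDump /dev/sda3)` and the line from `grep fido2 /etc/crypttab`; a crypttab line that passes the check still needs the initramfs to carry the FIDO2 modules before the boot-time prompt will appear.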

Phase 4: PAM Configuration

Fedora’s pam-u2f package lacks pamu2fcfg. Build pamu2fcfg from source:

git clone https://github.com/Yubico/pam-u2f
cd pam-u2f
mkdir build && cd build
cmake -DBUILD_MANPAGES=OFF ..
make
sudo cp ./pamu2fcfg/pamu2fcfg /usr/local/bin/
sudo chmod +x /usr/local/bin/pamu2fcfg

Generate the U2F mapping:
pamu2fcfg -n -u $(whoami) -o pam://fedora | sudo tee /etc/u2f_mappings
Verify that the output includes +presence+pin (e.g., yourusername:3aaOH5…Base64…,M9hAf2…==,es256,+presence+pin).
Set permissions:
sudo chmod 600 /etc/u2f_mappings
sudo chown root:root /etc/u2f_mappings
Back up the PAM files:
mkdir -p ~/fido2-audit/pam
sudo cp /etc/pam.d/{sudo,lightdm,cinnamon-screensaver,system-auth,password-auth,polkit-1} ~/fido2-audit/pam/
Update PAM files to include FIDO2 authentication. On this system, the working configuration is:

/etc/pam.d/sudo

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=always origin=pam://fedora appid=pam://fedora
auth required pam_unix.so
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth

/etc/pam.d/lightdm

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=always origin=pam://fedora appid=pam://fedora
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include system-auth
session optional pam_lastlog.so silent
session include postlogin

/etc/pam.d/cinnamon-screensaver

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=always origin=pam://fedora appid=pam://fedora
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
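As an added example that is not part of the original guide, this shell script audits what this phase produces: every credential in the mappings file carries the +presence+pin flags that pamu2fcfg -n records for a PIN + Touch registration, the file is mode 600 owned by root, and a PAM service file puts pam_u2f.so first in its auth stack with pinverification=always and the expected authfile. The function names and the sample files it writes are constructed; the credential strings are placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit the files Phase 4
# produces, /etc/u2f_mappings and the pam_u2f.so line in a PAM service file.
# Function names and the sample file contents below are constructed for this
# illustration; the credential values are placeholders, not real keys.

# Return 0 when every non-empty line of a mappings file has the form
# user:keyhandle,pubkey,coseType,flags[:more credentials] and every credential
# carries +presence and +pin, the flags pamu2fcfg -n records when the key was
# registered with touch and PIN.  A credential without them was not enrolled
# the way this guide intends.
u2f_mappings_ok() {
    # $1 = path of the mappings file
    awk -F: '
        /^[[:space:]]*$/ { next }                    # skip blank lines
        NF < 2 { bad++; next }                       # no "user:" prefix
        {
            for (i = 2; i <= NF; i++) {
                n = split($i, cred, ",")
                if (n < 4) { bad++; continue }       # keyhandle,pubkey,type,flags
                if (cred[4] !~ /[+]presence/ || cred[4] !~ /[+]pin/) bad++
                seen++
            }
        }
        END { if (bad > 0 || seen == 0) exit 1; exit 0 }
    ' "$1"
}

# Return 0 when the mappings file is mode 600 and owned by root, as the guide
# sets it (stat -c is the GNU coreutils form used on Fedora).
u2f_mappings_perms_ok() {
    [ "$(stat -c '%a %U' "$1")" = "600 root" ]
}

# Return 0 when the first "auth" line of a PAM service file loads pam_u2f.so
# with pinverification=always and the expected authfile, so the FIDO2 prompt
# runs before pam_unix.so and the PIN check is never optional.
pam_u2f_line_ok() {
    # $1 = PAM service file, $2 = expected authfile path
    first=" $(awk '$1 == "auth" { print; exit }' "$1") "
    case "$first" in *" pam_u2f.so "*) ;; *) return 1 ;; esac
    case "$first" in *" pinverification=always "*) ;; *) return 1 ;; esac
    case "$first" in *" authfile=$2 "*) ;; *) return 1 ;; esac
    return 0
}

# Write constructed sample files into the directory given as $1: a correct
# mapping, one registered without +pin, the guide's sudo stack, and a stack
# where pam_unix.so comes first and pinverification is missing.
make_samples() {
    printf '%s\n' 'alice:AAAAkeyhandleAAAA,BBBBpubkeyBBBB==,es256,+presence+pin' > "$1/good_mappings"
    printf '%s\n' 'alice:AAAAkeyhandleAAAA,BBBBpubkeyBBBB==,es256,+presence' > "$1/weak_mappings"
    cat > "$1/sudo" <<'EOF'
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=always origin=pam://fedora appid=pam://fedora
auth required pam_unix.so
account include system-auth
EOF
    cat > "$1/sudo_weak" <<'EOF'
auth required pam_unix.so
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue origin=pam://fedora appid=pam://fedora
EOF
}

# Usage when run directly: audit the constructed samples, then the live file.
demo=$(mktemp -d)
make_samples "$demo"
u2f_mappings_ok "$demo/good_mappings" && echo "good_mappings: +presence+pin on every credential"
u2f_mappings_ok "$demo/weak_mappings" || echo "weak_mappings: a credential lacks +pin"
pam_u2f_line_ok "$demo/sudo" /etc/u2f_mappings && echo "sudo: pam_u2f first, PIN always verified"
pam_u2f_line_ok "$demo/sudo_weak" /etc/u2f_mappings || echo "sudo_weak: pam_u2f not first or PIN optional"
rm -rf "$demo"
if [ -r /etc/u2f_mappings ]; then
    u2f_mappings_ok /etc/u2f_mappings && u2f_mappings_perms_ok /etc/u2f_mappings \
        && echo "/etc/u2f_mappings: OK" || echo "/etc/u2f_mappings: check flags and permissions"
fi
```

Run it as root after editing the three PAM files (`pam_u2f_line_ok /etc/pam.d/sudo /etc/u2f_mappings`, and likewise for lightdm and cinnamon-screensaver) and again after each system upgrade, since the guide's Security Notes list upgrades as the main way this configuration silently breaks.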

Phase 5: Polkit Configuration (Optional)
Polkit GUI prompts were not enabled on my test system (no /etc/pam.d/polkit-1 and no running user agent). If you want FIDO2 for Polkit dialogs, ensure a compatible agent is running (for Cinnamon: polkit-gnome-authentication-agent-1). In testing, GUI prompts were not enabled by default and required additional configuration.
Screensaver unlock: When the screen is locked, Fedora may default to the password prompt. Click the small two-person icon to switch to the FIDO2 method. Keep a fall-back password available. In various tests some desktop prompts did not always default to FIDO2.
Phase 6: Testing
Reboot the system.
The boot screen asks for the LUKS2 token PIN and then waits for a touch on the key.
Confirm functionality.
The following sequence of images shows:

FDE (LUKS Unlock): PIN + Touch prompt appears at boot
GUI Login (LightDM): PIN + Touch required
Sudo: sudo echo test should prompt for PIN + Touch
Cinnamon lock screen: PIN + Touch (switch input method)
Polkit: GUI software install or pkexec prompts for PIN + Touch

FDE (LUKS Unlock): PIN + Touch prompt appears at boot. FIDO2 key lit up, waiting for touch to complete full-disk unlock.
GUI login PIN: Fedora LightDM login screen prompting for the FIDO2 key PIN.
GUI login key touch: Login process with FIDO2 key lit up, requiring touch to proceed.
GUI login completion: Login screen showing successful authentication, ready to “Log In.”
Sudo escalation (terminal): Example of sudo test requiring PIN + touch in the terminal.
Locked screen: Locked screen where the user may need to click the person icon to switch back to FIDO2 login.
Confirm the fallback password login remains functional.
Locked screen PIN entry: Re-login screen asking for the FIDO2 key PIN to unlock the session.
Recovery and Backup
Backup:
mkdir -p ~/fido2-audit/pam_restore
for file in sudo lightdm cinnamon-screensaver system-auth password-auth polkit-1; do
  sudo cp ~/fido2-audit/pam/$file ~/fido2-audit/pam_restore/$file
done
Restore if needed using TTY or Live USB.
Emergency Login:

Use a high-entropy admin password
Store the password securely off-line or in encrypted container

Troubleshooting
Multiple FIDO2 Keys:
lsusb
sudo usbreset /dev/bus/usb/001/003
Warnings

Never test on production systems
Back up /etc/crypttab and /etc/pam.d/*
Avoid running dracut --force unless ready

Security Notes
Strengths:

Hardware-backed auth
PIN + Touch = Strong 2FA

Risks:

Loss of key
System updates may break compatibility

Recommendations:

Always keep a fall-back passphrase
Register a backup FIDO2 key
Back up /etc/u2f_mappings and test after upgrades

Performance Considerations

Component      Delay Added
Boot (FDE)     ~5–10 seconds
GUI Login      ~2–3 seconds
Sudo/Polkit    ~1–2 seconds
Conclusion
This guide demonstrates the successful integration of a uTrust FIDO2 security key with Fedora 42 for secure authentication across LUKS2 full-disk encryption, LightDM login, and sudo elevation. The setup is stable, reproducible, and well-suited for labs or intermediate Fedora users.
Polkit integration is optional and may vary by desktop environment. In testing, GUI prompts were not enabled by default and required additional configuration.