Skip to main content
Agate ships helper tasks for integrating a hardware security key into your system. These tasks cover two areas: LUKS disk encryption and KDE/system authentication, both backed by a YubiKey.
A YubiKey hardware security key is required for all tasks on this page.

LUKS disk encryption

Use these tasks to enroll or remove a YubiKey as a second factor for your LUKS-encrypted disk.

just agate-luks-setup

Configures your LUKS-encrypted partition to use a YubiKey as a second authentication factor alongside your passphrase. 
just agate-luks-setup
This operation modifies your LUKS key slots. Before running it, back up your existing LUKS recovery key or passphrase. Without a backup, losing your YubiKey could permanently lock you out of your encrypted data.

just agate-luks-remove

Removes the YubiKey from your LUKS configuration, reverting to passphrase-only authentication. 
just agate-luks-remove

KDE authentication

Use this task to configure KDE to accept a YubiKey for screen unlock and sudo authentication via PAM.

just agate-kde-setup

Configures KDE and PAM to use your YubiKey for screen unlock and login authentication. 
just agate-kde-setup

Typical setup flow

1

Enroll your YubiKey for LUKS

Run agate-luks-setup to add your YubiKey as a second factor for disk encryption. Have your current LUKS passphrase and your YubiKey ready.
just agate-luks-setup
2

Configure KDE authentication

Run agate-kde-setup to enable YubiKey-based screen unlock and sudo authentication in KDE.
just agate-kde-setup
3

Test before rebooting

Verify that screen unlock and sudo authentication work with your YubiKey while you still have an active session. Only reboot once you have confirmed the setup is working correctly.
Last modified on April 7, 2026