luksbox enroll
Add a new keyslot to an existing vault.
```
luksbox enroll [OPTIONS] <PATH>
```
Adds a new keyslot. You authenticate with an existing keyslot first (to recover the MVK), then provide the new credential to wrap that MVK under a fresh KEK.
Examples
Add a backup passphrase to a FIDO2-only vault
```
luksbox enroll my.lbx --passphrase
# Touch your YubiKey to unlock with slot 0
# Enter the new passphrase (twice) for the new slot
```
Add a second YubiKey for redundancy
```
luksbox enroll my.lbx --fido2 --fido2-device /dev/hidraw4
# Unlock with the existing slot (e.g. passphrase or first YubiKey)
# Touch the new YubiKey twice (enroll + assert)
```
Add a hybrid-PQ slot to a classical vault
```
luksbox kyber-init /media/usb/backup.kyber
luksbox enroll my.lbx --kind hybrid-pq --pq-hybrid /media/usb/backup.kyber
```
This is how you upgrade a classical vault to the post-quantum threat model without re-creating it.
Key flags
| Flag | Purpose |
|---|---|
| `--passphrase` | Add a passphrase keyslot |
| `--fido2` | Add a FIDO2 keyslot |
| `--kind <KIND>` | Use a specific kind (e.g. hybrid-pq) instead of the shorthand flags |
| `--fido2-device <PATH>` | Pin a specific authenticator |
| `--pq-hybrid <PATH>` | Path to the Kyber seed file (for hybrid-PQ enrollment) |
| `--slot <N>` | Force the new slot to a specific index (default: first empty slot) |
A vault holds up to 8 keyslots. Trying to enroll into a full vault fails with `NoFreeSlot`.
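The enroll flow described at the top of this page (unlock an existing slot to recover the MVK, then wrap the same MVK under a fresh KEK) and the 8-slot limit can be modelled in a few lines. This is an added illustration, not luksbox's code or on-disk format: the PBKDF2 parameters, the HMAC-based wrap (a toy stand-in for a real AEAD) and every function name are assumptions, and passphrases stand in for all credential kinds.

```python
import hashlib, hmac, os

MAX_SLOTS = 8  # limit stated on the page

class NoFreeSlot(Exception):
    """Model of the error named on the page (this class is hypothetical)."""

def _kek(secret, salt):
    # Assumed KDF with a low demo cost; 64 bytes = wrap key + MAC key.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 20_000, dklen=64)

def wrap(mvk, secret):
    salt = os.urandom(16)  # fresh salt, so each slot gets a fresh KEK
    k = _kek(secret, salt)
    pad = hmac.new(k[:32], b"wrap", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(mvk, pad))  # toy wrap, 32-byte MVK only
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(slot, secret):
    k = _kek(secret, slot["salt"])
    want = hmac.new(k[32:], slot["salt"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, slot["tag"]):
        raise ValueError("credential does not match this slot")
    pad = hmac.new(k[:32], b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slot["ct"], pad))

def unlock(slots, secret):
    """Try each populated slot; return the MVK from the first that verifies."""
    for slot in slots:
        if slot is not None:
            try:
                return unwrap(slot, secret)
            except ValueError:
                continue
    raise PermissionError("no keyslot accepts this credential")

def enroll(slots, existing, new):
    mvk = unlock(slots, existing)  # step 1: recover the MVK via an existing slot
    free = [i for i, s in enumerate(slots) if s is None]
    if not free:
        raise NoFreeSlot("all 8 keyslots are in use")
    slots[free[0]] = wrap(mvk, new)  # step 2: same MVK, new KEK, first empty slot
    return free[0]

def new_vault(secret):
    slots = [None] * MAX_SLOTS
    slots[0] = wrap(os.urandom(32), secret)  # constructed sample MVK
    return slots
```

Because every slot wraps the same MVK, each enrolled credential unlocks the whole vault on its own, so a backup slot needs to be at least as well protected as the primary one.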