by encryptluks2 1951 days ago
I feel like these devices generally give the illusion of security while really giving an adversary a single device to target. As another user had suggested, using udev rules and some device encryption would likely be a much better option... if not as an alternative, at least in conjunction with something like this.

> giving an adversary a single device to target

Technically, yes, but how do you target it? It is impossible to extract the private key from it.

By stealing the device.
It's most likely easier to brute force a password than to break into someone's house. Would be easier to demand all credentials at gunpoint with that much effort.
That's a fair point, but that's not the only attack vector. I carry my token around on my keys which makes it vulnerable to being pickpocketed or just left behind somewhere. I think the original point was that you're just shifting your single authentication factor, not necessarily making it more secure. My key is only used for 2FA so even if someone were to get access to it, they'd have to know my password as well to get use out of it.
It does not scale.
It doesn't have to scale. If you're the target, they only have to target you.
The overwhelming majority of hacks are dragnet, not targeted.