diff --git a/hw/orion/hardware-configuration.nix b/hw/orion/hardware-configuration.nix
index 526c737..542a983 100644
--- a/hw/orion/hardware-configuration.nix
+++ b/hw/orion/hardware-configuration.nix
@@ -19,7 +19,13 @@
 fsType = "ext4";
 };
- boot.initrd.luks.devices."luks-5c5e94fc-f710-4578-a5f6-3a244efe5d3b".device = "/dev/disk/by-uuid/5c5e94fc-f710-4578-a5f6-3a244efe5d3b";
+ boot.initrd.luks.devices."luks-5c5e94fc-f710-4578-a5f6-3a244efe5d3b" = {
+ device = "/dev/disk/by-uuid/5c5e94fc-f710-4578-a5f6-3a244efe5d3b";
+ crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+ };
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/B165-2F51";
diff --git a/hw/rift/default.nix b/hw/rift/default.nix
index a0ef133..d310d93 100644
--- a/hw/rift/default.nix
+++ b/hw/rift/default.nix
@@ -8,6 +8,12 @@
 ];
 config = {
+ # FIDO2 LUKS unlock (matches vade setup)
+ boot.initrd.luks.devices."crypted".crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+
 # Allow rootless containers (Podman) to bind port 53 for CoreDNS (MCNS precursor).
 boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
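Review bot: `crypttabExtraOpts` on the new orion `luks-5c5e94fc…` block is, as far as I can tell, only honoured by the systemd-based stage 1 (`boot.initrd.systemd.enable`); with the default scripted initrd it is ignored and the host silently keeps prompting for the passphrase, and nothing in this hunk shows which initrd orion uses, so that dependency should be stated or asserted next to the option. Unlike the rift hunk this block carries no comment, and if hardware-configuration.nix is the nixos-generate-config output the edit will be overwritten on the next regeneration — the `crypttabExtraOpts` override belongs in orion's host module, leaving the generated `device` line alone. Note also that `token-timeout=10` only bounds how long systemd-cryptsetup waits for a token (in seconds) before falling back to the passphrase keyslot, so the passphrase remains a valid unlock path, and whether the token demands a PIN or user presence is fixed at `systemd-cryptenroll` time rather than by these options. Suggested comment above the block: `# FIDO2 unlock via systemd-cryptsetup; requires boot.initrd.systemd.enable, falls back to the passphrase slot after token-timeout (seconds).`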