Boot disk encryption

The Google Distributed Cloud (GDC) air-gapped appliance uses disk encryption based on Linux Unified Key Setup (LUKS) with YubiKeys.

For each GDC air-gapped appliance, three or more YubiKeys are shipped separately to the customer. The YubiKeys are FIPS 140-2 certified. For more information on the YubiKey model, see https://www.yubico.com/product/yubikey-5-nano-fips/.

The USB ports on each server blade of the device are enabled with USB dongles. The YubiKeys are inserted into the server machines as part of the device setup. After the installation completes, the YubiKeys must stay in the server until you remove them for transport or you return the system. Ensure that the YubiKeys are transferred separately from the appliance to protect against server theft.