Re: partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?

To: david@hardeman.nu
Cc: debian-boot@lists.debian.org
Subject: Re: partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?
From: Luca Boccassi <bluca@debian.org>
Date: Thu, 14 Aug 2025 15:26:36 +0100
Message-id: <[🔎] 7a37ba20728f9dbae2ef26207d975cc0581e5fe1.camel@debian.org>
In-reply-to: <[🔎] 6408294d11578d0db83cca818585ff2ee8028c4b@hardeman.nu>

> I've been hacking on adding support for systemd-cryptenroll(1) style
keys to partman-crypto.

Thanks for working on that

> It also forcefully replaces initramfs-tools with dracut (since only
dracut supports systemd-cryptenroll style keys).

Are you 100% sure about that? I am running prebuilt ukis these days,
but before that I had just the normal initramfs-tools and I always used
fido2 for luks2 unlocking. It should work, cryptsetup will load the
plugins as long as they are installed in the initrd.

> https://salsa.debian.org/Alphix/partman-crypto/-/tree/systemd-cryptenroll?ref_type=heads

Please hook this up with opal too - that's just luks2 as well, so
everything will work in exactly the same way, minus the admin password
that still needs to be set separately

Reply to:

Follow-Ups:
- Re: partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?
  - From: "David Härdeman" <david@hardeman.nu>

References:
- partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?
  - From: "David Härdeman" <david@hardeman.nu>

Prev by Date: Re: partman-crypto: using UUID-based names for luks volumes
Next by Date: Bug#1111121: installation-reports: After install in speech synth mode, at the first login debian assistive tech are not enabled
Previous by thread: partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?
Next by thread: Re: partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?
Index(es):
- Date
- Thread