Re: partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?
On Thu, 14 Aug 2025 at 22:08, David Härdeman <david@hardeman.nu> wrote:
>
> August 14, 2025 at 4:26 PM, "Luca Boccassi" <bluca@debian.org> wrote:
> > >
> > > I've been hacking on adding support for systemd-cryptenroll(1) style
> > > keys to partman-crypto.
> > > ...
> > > It also forcefully replaces initramfs-tools with dracut (since only
> > > dracut supports systemd-cryptenroll style keys).
> >
> > Are you 100% sure about that? I am running prebuilt ukis these days,
> > but before that I had just the normal initramfs-tools and I always used
> > fido2 for luks2 unlocking. It should work, cryptsetup will load the
> > plugins as long as they are installed in the initrd.
>
> I'm not 100% sure, no. I just assumed that cryptsetup didn't support these
> kinds of keys in the initramfs since it spits out warnings about unrecognised
> options for e.g. "fido2-device=" cfg options in crypttab when the initramfs
> is regenerated. But if it's the general consensus that systemd-cryptenroll
> support is useful in debian-installer, I could certainly look into it...
cryptsetup supports these keys via the token plugins that get
installed via the systemd-cryptsetup package. It complains about
unknown options, but that can be ignored.
> If it does indeed support it, I'd still need to figure out a way to pass
> the password/PIN requests from cryptsetup to debconf, like the C utility
> I wrote (in the branch I linked) for the systemd-style password agent protocol.
At boot? I don't think that is needed. Either the prompt is on the tty
or in plymouth; it shouldn't need anything else at boot.
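A practical check for the point Luca makes above (cryptsetup can unlock with systemd-cryptenroll style keys as long as the token plugins end up in the initrd). The script below is an added example, not code from the thread or from partman-crypto: it reads a crypttab, works out which libcryptsetup token plugins the fido2-device=/tpm2-device=/pkcs11-uri= options (names from systemd's crypttab(5)) require, and checks them against a listing of the initrd's contents such as `lsinitramfs /boot/initrd.img-$(uname -r)` produces. The plugin file names are those of Debian's systemd-cryptsetup package as I understand it (an assumption; confirm with `dpkg -L systemd-cryptsetup`), and the crypttab and initrd listing in `demo` are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): check that the token plugins needed by
# /etc/crypttab are actually present in the initrd cryptsetup will run from.

# Map one crypttab options field (4th column) to the token plugin names it
# needs. Option names follow systemd's crypttab(5); plugin file names are the
# ones Debian's systemd-cryptsetup package ships (assumption, verify locally).
needed_plugins() {
    # $1: e.g. "luks,discard,fido2-device=auto"
    printf '%s' "$1" | tr ',' '\n' | sed -n \
        -e 's/^fido2-device=.*/libcryptsetup-token-systemd-fido2.so/p' \
        -e 's/^tpm2-device=.*/libcryptsetup-token-systemd-tpm2.so/p' \
        -e 's/^pkcs11-uri=.*/libcryptsetup-token-systemd-pkcs11.so/p' | sort -u
}

# Collect the plugins needed by every non-comment entry of a crypttab file.
crypttab_plugins() {
    # $1: path to a crypttab file
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 4 { print $4 }' |
    while read -r opts; do
        needed_plugins "$opts"
    done | sort -u
}

# Compare needed plugins against an initrd file listing (one path per line,
# as printed by lsinitramfs). Prints present:/missing: lines and returns 1 if
# anything is missing, so it can be used in a post-update-initramfs check.
check_initrd() {
    # $1: crypttab path, $2: file holding the initrd listing
    missing=0
    for p in $(crypttab_plugins "$1"); do
        if grep -q -- "/$p\$" "$2"; then
            echo "present: $p"
        else
            echo "missing: $p"
            missing=1
        fi
    done
    return $missing
}

# Self-contained run on constructed data: the crypttab needs the fido2 and tpm2
# plugins, but the (constructed) initrd listing only carries the fido2 one, so
# check_initrd reports tpm2 as missing and returns 1.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/crypttab" <<'EOF'
# constructed sample crypttab, not from a real system
cryptroot UUID=00000000-0000-0000-0000-000000000000 none luks,discard,fido2-device=auto
cryptdata /dev/sdb2 none luks,tpm2-device=auto,tpm2-pcrs=7
EOF
    cat > "$tmp/initrd.list" <<'EOF'
usr/lib/x86_64-linux-gnu/cryptsetup/libcryptsetup-token-systemd-fido2.so
usr/lib/x86_64-linux-gnu/libcryptsetup.so.12
usr/sbin/cryptsetup
EOF
    check_initrd "$tmp/crypttab" "$tmp/initrd.list"
    demo_rc=$?
    rm -rf "$tmp"
    return $demo_rc
}

# On a real system: lsinitramfs /boot/initrd.img-$(uname -r) > /tmp/initrd.list
#                   check_initrd /etc/crypttab /tmp/initrd.list
```

The "unknown option" warnings the initramfs hook prints for fido2-device= and friends say nothing about whether the plugin was copied in, which is why the check looks at the initrd contents rather than at the hook's output.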