Re: partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?
August 14, 2025 at 11:11 PM, "Luca Boccassi" <bluca@debian.org> wrote:
> On Thu, 14 Aug 2025 at 22:08, David Härdeman <david@hardeman.nu> wrote:
> > I'm not 100% sure, no. I just assumed that cryptsetup didn't support these
> > kinds of keys in the initramfs since it spits out warnings about unrecognised
> > options for e.g. "fido2-device=" cfg options in crypttab when the initramfs
> > is regenerated. But if it's the general consensus that systemd-cryptenroll
> > support is useful in debian-installer, I could certainly look into it...
>
> cryptsetup supports these keys via the token plugins that get
> installed via the systemd-cryptsetup package. It complains about
> unknown options, but that can be ignored.
OK, I'll have a look... I'm fairly certain it didn't work in the initramfs stage
last time I checked, but that was probably 1-2 years ago and I've changed all
relevant installations to dracut since...
> > If it does indeed support it, I'd still need to figure out a way to pass
> > the password/PIN requests from cryptsetup to debconf, like the C utility
> > I wrote (in the branch I linked) for the systemd-style password agent protocol.
> >
>
> At boot? I don't think that is needed? Either the prompt is on the tty
> or in plymouth, shouldn't need anything else at boot
Never mind, I'm tired, I was thinking of systemd-cryptenroll prompts in d-i, but
that won't change depending on the initramfs generator...
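Added example, not part of the thread and not Debian's or systemd's own code: a small POSIX shell check for the point Luca makes above, that the systemd-cryptenroll key types work from the initramfs only if the libcryptsetup token plugins from systemd-cryptsetup are actually inside the image. It reads a crypttab, maps the relevant options (fido2-device=, tpm2-device=, pkcs11-uri=) to the plugin file each one needs, and compares that against an lsinitramfs listing. The plugin file names (libcryptsetup-token-systemd-*.so) are assumed from the systemd-cryptsetup package layout, and the function names and the sample crypttab/listing are constructed for the example.

```shell
#!/bin/sh
# Added example: does the initramfs carry the libcryptsetup token plugins
# that the systemd-cryptenroll options in crypttab require?
# Plugin file names are an assumption based on the systemd-cryptsetup package.

# Map one crypttab option key to the token plugin it needs.
# Returns 1 (prints nothing) for options that need no plugin.
plugin_for_option() {
    case "$1" in
        fido2-device) echo libcryptsetup-token-systemd-fido2.so ;;
        tpm2-device)  echo libcryptsetup-token-systemd-tpm2.so ;;
        pkcs11-uri)   echo libcryptsetup-token-systemd-pkcs11.so ;;
        *)            return 1 ;;
    esac
}

# Read a crypttab on stdin and print the required plugin names, sorted and
# de-duplicated. Comment and blank lines are skipped; the fourth field is the
# comma-separated option list.
needed_token_plugins() {
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        oldifs=$IFS
        IFS=,
        for opt in $opts; do
            p=$(plugin_for_option "${opt%%=*}") && echo "$p"
        done
        IFS=$oldifs
    done | sort -u
}

# $1 = crypttab file, $2 = file holding lsinitramfs output.
# Prints each required plugin absent from the listing; returns 1 if any are
# missing, 0 if the initramfs has everything crypttab asks for.
missing_token_plugins() {
    rc=0
    for p in $(needed_token_plugins < "$1"); do
        if ! grep -q "/$p\$" "$2"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}
```

On a real system: `lsinitramfs /boot/initrd.img-$(uname -r) > /tmp/initrd.lst`, then `missing_token_plugins /etc/crypttab /tmp/initrd.lst`; a non-empty result means the "unknown option" warning from the initramfs hook was not harmless after all. A second check that does not depend on the initramfs at all is `cryptsetup luksDump <dev>`, whose Tokens section should list the enrolled type (for example systemd-fido2 after `systemd-cryptenroll --fido2-device=auto <dev>`).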