Hi, I've been hacking on adding support for systemd-cryptenroll(1) style keys to partman-crypto.
I have a rough proof-of-concept [1] which I've tested in QEMU with an emulated TPM2 device. It has some rough edges, but it basically works.

My first version relied on systemd-cryptsetup udebs, but that approach was:

a) cumbersome, since systemd-cryptsetup udebs would require quite a lot of .udebs for dependencies

b) not to the systemd maintainers' liking [2] (not complaining, I understand the rationale)

This version does the systemd-cryptenroll dance in the finish-install stage, using systemd-cryptenroll in /target, and a small binary which speaks the systemd "password agent" protocol [3], and hands the prompts over to debconf.

It also forcefully replaces initramfs-tools with dracut (since only dracut supports systemd-cryptenroll style keys). This might be less extreme than it sounds if dracut becomes the standard initramfs tool post-Trixie [4].

Before I spend any more time on this, I'd like to know if this is something which could be acceptable in debian-installer or if I should shelve this little project?

Cheers,
David

[1] https://salsa.debian.org/Alphix/partman-crypto/-/tree/systemd-cryptenroll?ref_type=heads
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110431
[3] https://systemd.io/PASSWORD_AGENTS/
[4] https://salsa.debian.org/kernel-team/meetings/-/wikis/20250730


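The "password agent" side of the design above, as an added example that is not part of the original mail and not the code in the linked branch: a minimal agent following the protocol documented at https://systemd.io/PASSWORD_AGENTS/. It parses the ask.* files systemd writes to /run/systemd/ask-password, drops requests whose NotAfter deadline (CLOCK_MONOTONIC microseconds) has passed or whose requesting PID is gone, and answers on the request's AF_UNIX datagram socket with "+" followed by the passphrase (or a bare "-" to cancel). The prompt callback is where the binary in the post would hand off to debconf; here it is a stub, the ask file is constructed in a temporary directory for the demo, and a polling loop stands in for the inotify watch the spec recommends. All three of those are assumptions for illustration. On a real system the agent has to run as root to read /run/systemd/ask-password.

```python
"""Minimal systemd password agent (added example; see https://systemd.io/PASSWORD_AGENTS/).

Assumptions, not from the original post: the prompt callback stands in for the
debconf hand-off, demo() uses a constructed ask file in a temp dir instead of
/run/systemd/ask-password, and poll_forever() polls instead of using inotify.
"""
import configparser
import errno
import os
import socket
import tempfile
import time
from typing import Callable, Optional

ASK_DIR = "/run/systemd/ask-password"   # where systemd drops ask.* request files


def parse_ask_file(path: str) -> dict:
    """Read one ask.* file (INI with an [Ask] section) into a plain dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    with open(path, encoding="utf-8") as fh:
        cp.read_file(fh)
    ask = cp["Ask"]
    return {
        "path": path,
        "socket": ask["Socket"],                      # AF_UNIX datagram socket to answer on
        "pid": int(ask.get("PID", "0")),              # requesting process; 0 = unknown
        "message": ask.get("Message", ""),            # prompt text to show the user
        "id": ask.get("Id", ""),                      # e.g. cryptsetup:/dev/sda2
        "echo": ask.get("Echo", "0") == "1",          # may the input be echoed?
        "not_after": int(ask.get("NotAfter", "0")),   # CLOCK_MONOTONIC usec; 0 = no expiry
    }


def monotonic_usec() -> int:
    return int(time.clock_gettime(time.CLOCK_MONOTONIC) * 1_000_000)


def is_stale(ask: dict, now_usec: Optional[int] = None) -> bool:
    """True if the request has expired or the requesting process is gone."""
    now = monotonic_usec() if now_usec is None else now_usec
    if ask["not_after"] and now >= ask["not_after"]:
        return True
    if ask["pid"]:
        try:
            os.kill(ask["pid"], 0)          # signal 0: existence check only
        except OSError as exc:
            if exc.errno == errno.ESRCH:
                return True                 # no such process
            # EPERM: the process exists but is not ours; treat it as alive
    return False


def send_reply(ask: dict, password: Optional[str]) -> bytes:
    """Answer a request: '+' + passphrase, or '-' to cancel. Returns the datagram sent."""
    payload = b"-" if password is None else b"+" + password.encode("utf-8")
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, ask["socket"])
    return payload


def handle_pending(prompt: Callable[[dict], Optional[str]], ask_dir: str = ASK_DIR,
                   answered: Optional[set] = None) -> list:
    """Answer every live, not-yet-answered ask.* file in ask_dir; returns the Ids handled."""
    answered = set() if answered is None else answered
    handled = []
    if not os.path.isdir(ask_dir):
        return handled
    for name in sorted(os.listdir(ask_dir)):
        path = os.path.join(ask_dir, name)
        if not name.startswith("ask.") or path in answered:
            continue
        try:
            ask = parse_ask_file(path)
        except (OSError, KeyError, ValueError):
            continue                        # half-written file; retry on the next pass
        if is_stale(ask):
            continue
        send_reply(ask, prompt(ask))        # the requester removes the file once answered
        answered.add(path)
        handled.append(ask["id"])
    return handled


def poll_forever(prompt: Callable[[dict], Optional[str]], ask_dir: str = ASK_DIR,
                 interval: float = 0.5) -> None:
    """Polling stand-in (assumption) for the inotify watch the protocol spec recommends."""
    answered: set = set()
    while True:
        handle_pending(prompt, ask_dir, answered)
        time.sleep(interval)


def demo() -> dict:
    """Both sides of the exchange with a constructed ask file; the client side plays systemd."""
    d = tempfile.mkdtemp()
    sock_path = os.path.join(d, "sck")
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)   # the asking process's socket
    client.bind(sock_path)
    client.settimeout(5)
    with open(os.path.join(d, "ask.demo"), "w", encoding="utf-8") as fh:   # constructed request
        fh.write(f"[Ask]\nPID={os.getpid()}\nSocket={sock_path}\n"
                 "Message=Please enter passphrase for disk sda2\n"
                 "Id=cryptsetup:/dev/sda2\nEcho=0\nNotAfter=0\n")
    # The prompt callback is where the post's binary would hand off to debconf (stub here).
    handled = handle_pending(lambda ask: "correct horse", d)
    reply = client.recv(4096)
    client.close()
    return {"handled": handled, "reply": reply}


if __name__ == "__main__":
    print(demo())
```

The staleness checks matter in an installer: a request whose PID has exited, or whose NotAfter has passed, must not be prompted to the user, and a request should be answered once even though systemd may leave the ask file in place for a moment after the reply arrives.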