August 14, 2025 at 4:26 PM, "Luca Boccassi" <[email protected]> wrote:
> > I've been hacking on adding support for systemd-cryptenroll(1) style
> > keys to partman-crypto.
> > ...
> > It also forcefully replaces initramfs-tools with dracut (since only
> > dracut supports systemd-cryptenroll style keys).
>
> Are you 100% sure about that? I am running prebuilt ukis these days,
> but before that I had just the normal initramfs-tools and I always used
> fido2 for luks2 unlocking. It should work, cryptsetup will load the
> plugins as long as they are installed in the initrd.
I'm not 100% sure, no. I just assumed that cryptsetup didn't support these kinds of keys in the initramfs since it spits out warnings about unrecognised options for e.g. "fido2-device=" cfg options in crypttab when the initramfs is regenerated. But if it's the general consensus that systemd-cryptenroll support is useful in debian-installer, I could certainly look into it...

If it does indeed support it, I'd still need to figure out a way to pass the password/PIN requests from cryptsetup to debconf, like the C utility I wrote (in the branch I linked) for the systemd-style password agent protocol.

> > https://salsa.debian.org/Alphix/partman-crypto/-/tree/systemd-cryptenroll
>
> Please hook this up with opal too - that's just luks2 as well, so
> everything will work in exactly the same way, minus the admin password
> that still needs to be set separately

Yeah, I haven't really checked opal yet (I lack the hardware, but I could probably do some hacks to pretend that QEMU has support), and I also need to do testing with FIDO2/PKCS#11 "hardware"... but that's exactly the kind of things that I'd work on if I had an indication that this kind of feature might be accepted into d-i (no, not meant as nagging).

Another issue that I need to think more about is preseeding. Right now, it's kind of unknowable how many/which prompts will be generated by the enrolling process... ("TPM2 PIN", "TPM2 PIN (repeat)", "Please touch your FIDO2 key to verify user presence", PKCS#11 may or may not require a PIN, etc.), which makes it hard to come up with a sane preseed scheme.

Cheers,
David
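The message above mentions bridging cryptsetup's password/PIN prompts into debconf via the systemd password agent protocol. The following is an added illustration of that protocol's client side, written for this page; it is not David's C utility from the linked branch and not part of partman-crypto. It follows the documented agent contract (a request file with an `[Ask]` section under `/run/systemd/ask-password/`, answered by a datagram of `+` plus the password, or `-` to cancel, sent to the `Socket=` path). The sample request file, the PID, the socket path and the message text are constructed values, and the directory listing helper assumes the standard `/run/systemd/ask-password` location.

```python
import configparser
import os
import socket
import time
from typing import Optional

# Constructed sample of a request file as a requester would write it under
# /run/systemd/ask-password/ask.XXXX (all values are made up for this example).
SAMPLE_ASK_FILE = """[Ask]
PID=1234
Socket=/run/systemd/ask-password/sck.0123456789abcdef
AcceptCached=0
Echo=0
NotAfter=0
Message=Please enter passphrase for disk /dev/sda3 (luks-root):
Icon=drive-harddisk
"""

ASK_DIR = "/run/systemd/ask-password"  # standard location, assumed here


def parse_ask_file(text: str) -> dict:
    """Parse the [Ask] section of a password request file into a dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    ask = cp["Ask"]
    return {
        "pid": int(ask["PID"]),
        "socket": ask["Socket"],
        "accept_cached": ask.get("AcceptCached", "0") == "1",
        # Echo=1 means the agent may show the typed input (e.g. a PIN prompt
        # that is not secret); debconf would map this to a different template.
        "echo": ask.get("Echo", "0") == "1",
        # NotAfter is CLOCK_MONOTONIC in microseconds; 0 means no deadline.
        "not_after_us": int(ask.get("NotAfter", "0")),
        "message": ask.get("Message", ""),
    }


def is_expired(req: dict, now_us: Optional[int] = None) -> bool:
    """True if the request's NotAfter deadline (monotonic us) has passed."""
    if req["not_after_us"] == 0:
        return False
    if now_us is None:
        now_us = time.monotonic_ns() // 1000
    return now_us >= req["not_after_us"]


def requester_alive(req: dict) -> bool:
    """Check whether the requesting PID still exists (stale files linger)."""
    try:
        os.kill(req["pid"], 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True


def build_reply(password: Optional[str]) -> bytes:
    """Encode the reply datagram: '+' + password to answer, '-' to cancel."""
    if password is None:
        return b"-"
    if "\0" in password:
        raise ValueError("password must not contain NUL")
    return b"+" + password.encode("utf-8")


def send_reply(req: dict, password: Optional[str]) -> None:
    """Deliver the reply to the requester's AF_UNIX datagram socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(build_reply(password), req["socket"])


def pending_requests(directory: str = ASK_DIR) -> list:
    """List live, unexpired requests; a real agent would watch with inotify."""
    found = []
    if not os.path.isdir(directory):
        return found
    for name in sorted(os.listdir(directory)):
        if not name.startswith("ask."):
            continue
        with open(os.path.join(directory, name), encoding="utf-8") as f:
            req = parse_ask_file(f.read())
        if requester_alive(req) and not is_expired(req):
            found.append(req)
    return found


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no socket is opened.
    r = parse_ask_file(SAMPLE_ASK_FILE)
    print(r["message"], "-> would send", build_reply("example-passphrase"))
```

A debconf bridge built on this would turn `req["message"]` into the prompt text, choose a password-type versus plain-text template from `req["echo"]`, and call `send_reply` with the answer (or `None` if the user backs out). The `NotAfter` and PID checks matter because request files can outlive their requester after a timeout or crash.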

