On Thu, 14 Aug 2025 at 22:08, David Härdeman <[email protected]> wrote:
>
> August 14, 2025 at 4:26 PM, "Luca Boccassi" <[email protected]> wrote:
> > >
> > > I've been hacking on adding support for systemd-cryptenroll(1) style
> > > keys to partman-crypto.
> > > ...
> > > It also forcefully replaces initramfs-tools with dracut (since only
> > > dracut supports systemd-cryptenroll style keys).
> >
> > Are you 100% sure about that? I am running prebuilt ukis these days,
> > but before that I had just the normal initramfs-tools and I always used
> > fido2 for luks2 unlocking. It should work, cryptsetup will load the
> > plugins as long as they are installed in the initrd.
>
> I'm not 100% sure, no. I just assumed that cryptsetup didn't support these
> kinds of keys in the initramfs since it spits out warnings about unrecognised
> options for e.g. "fido2-device=" cfg options in crypttab when the initramfs
> is regenerated. But if it's the general consensus that systemd-cryptenroll
> support is useful in debian-installer, I could certainly look into it...

cryptsetup supports these keys via the token plugins that get installed
via the systemd-cryptsetup package. It complains about unknown options,
but that can be ignored.

> If it does indeed support it, I'd still need to figure out a way to pass
> the password/PIN requests from cryptsetup to debconf, like the C utility
> I wrote (in the branch I linked) for the systemd-style password agent
> protocol.

At boot? I don't think that is needed? Either the prompt is on the tty
or in plymouth, shouldn't need anything else at boot

