August 14, 2025 at 11:11 PM, "Luca Boccassi" <[email protected]> wrote:
> On Thu, 14 Aug 2025 at 22:08, David Härdeman <[email protected]> wrote:
> > I'm not 100% sure, no. I just assumed that cryptsetup didn't support these
> > kinds of keys in the initramfs since it spits out warnings about
> > unrecognised
> > options for e.g. "fido2-device=" cfg options in crypttab when the initramfs
> > is regenerated. But if it's the general consensus that systemd-cryptenroll
> > support is useful in debian-installer, I could certainly look into it...
>
> cryptsetup supports these keys via the token plugins that get
> installed via the systemd-cryptsetup package. It complains about
> unknown options, but that can be ignored.

Ok, I'll have a look... I'm fairly certain it didn't work in the initramfs stage last time I checked, but that was probably 1-2 years ago and I've changed all relevant installations to dracut since...

> > If it does indeed support it, I'd still need to figure out a way to pass
> > the password/PIN requests from cryptsetup to debconf, like the C utility
> > I wrote (in the branch I linked) for the systemd-style password agent
> > protocol.
> >
>
> At boot? I don't think that is needed? Either the prompt is on the tty
> or in plymouth, shouldn't need anything else at boot

Nevermind, I'm tired, I was thinking of systemd-cryptenroll prompts in d-i, but that won't change depending on the initramfs generator...

