
I enrolled my FIDO2 Yubikey device as a way to unlock my encrypted partition:

/etc/crypttab

dm_crypt-0 UUID=78768999-69dd-44ba-8858-dd0c2ecbc2b5 none luks
dm_crypt-0 UUID=78768999-69dd-44ba-8858-dd0c2ecbc2b5 none fido2-device=auto

Yay. Now I also want to do this at boot, but my changes in /etc/crypttab aren't recognised by initramfs:

ignoring unknown option 'fido2-device'

Various guides exist for Arch Linux and Ubuntu that almost all involve switching from initramfs-tools to dracut. But this has repeatedly left me stranded with an initramfs or emergency shell after which I had to spend a lot of time repairing my initramfs.

Extra bonus points if I can also use the Yubikey as 2FA in addition to entering my password.

bluppfisk
  • 890

1 Answer


With Ubuntu 24.04, I could do it with dracut quite easily:

sudo systemd-cryptenroll /dev/mypart --fido2-device=auto

Change /etc/crypttab to add fido2-device=auto in the 4th column

myvolume /dev/mypart - fido2-device=auto

Install dracut with hostonly=yes (the system won't boot without this option; see this bug):

sudo mkdir /etc/dracut.conf.d
echo 'hostonly="yes"' | sudo tee /etc/dracut.conf.d/hostonly.conf
sudo apt install dracut
Max
  • 644
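The answer's procedure has two configuration pieces that are easy to get subtly wrong and that only show up as a failed boot: the fido2-device option must sit in the 4th (options) column of /etc/crypttab, and dracut must be told hostonly="yes". The script below is an added example, not code from the question or the answer; it checks both against constructed sample files in a temporary directory so it runs offline and never touches /etc. The function names, the sample volume names and the temporary files are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or the answer above.
# Checks the two configuration pieces the answer depends on, against
# constructed sample files so it runs offline without touching /etc.
# Function names, sample volume names and the temp files are assumptions.

# Return 0 if a crypttab line carries a fido2-device option in its 4th
# (options) column, 1 for anything else, including comments and blank lines.
# Field order in crypttab: name  device  keyfile  options
crypttab_has_fido2() {
    line=$1
    case "$line" in
        ''|\#*) return 1 ;;
    esac
    # Split the line on whitespace into this function's positional parameters.
    # shellcheck disable=SC2086
    set -- $line
    [ $# -ge 4 ] || return 1
    # Options are comma separated; wrap in commas so a plain substring match
    # cannot hit e.g. "xfido2-device=" inside some other option.
    case ",$4," in
        *,fido2-device=*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Print how many real entries in a crypttab file lack the fido2-device option
# (those will still fall back to the plain passphrase prompt at boot).
crypttab_entries_without_fido2() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in ''|\#*) continue ;; esac
        crypttab_has_fido2 "$l" || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Return 0 if a dracut conf.d file enables hostonly mode, as the answer requires.
dracut_hostonly_enabled() {
    grep -Eq '^[[:space:]]*hostonly="?yes"?[[:space:]]*$' "$1"
}

# Render the crypttab line from the answer for a given volume name and device.
fido2_crypttab_line() {
    printf '%s %s - fido2-device=auto\n' "$1" "$2"
}

# Demo with constructed files (run stand-alone with sh).
demo_dir=$(mktemp -d)
{
    echo '# constructed sample crypttab'
    echo 'dm_crypt-0 UUID=78768999-69dd-44ba-8858-dd0c2ecbc2b5 none luks'
    fido2_crypttab_line myvolume /dev/mypart
} > "$demo_dir/crypttab"
echo 'hostonly="yes"' > "$demo_dir/hostonly.conf"

echo "entries without fido2-device: $(crypttab_entries_without_fido2 "$demo_dir/crypttab")"
if dracut_hostonly_enabled "$demo_dir/hostonly.conf"; then
    echo "dracut hostonly: enabled"
else
    echo "dracut hostonly: MISSING (initramfs may not boot)"
fi
rm -rf "$demo_dir"
```

Point the two checks at the real /etc/crypttab and /etc/dracut.conf.d/hostonly.conf before rebuilding the initramfs; an entry that still reads `none luks` in the options column is exactly what produces the "ignoring unknown option" situation or a silent fallback to the passphrase prompt. On the question's 2FA wish: according to the systemd-cryptenroll manual, `--fido2-with-client-pin=` controls whether the token's PIN is required when unlocking and defaults to yes, so a PIN-protected token already gives possession plus knowledge; the script above does not check enrollment state, only the on-disk configuration.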