[systemd-devel] v251 cryptsetup & FIDO2
Riccardo Paolo Bestetti
pbl at bestov.io
Thu May 26 13:16:15 UTC 2022
Hi,
I just switched from using a custom glue script to systemd for FIDO2
local drive unlocking. From my own experimenting in v251, it seems to me
that the following usability issues are present in my setup (Arch Linux,
no PIN, user presence required):
- When the key is not inserted at boot time, there's no prompt asking for
the key. I can see it in the journal, but it is not shown in the
console for some reason. Just the usual systemd-cryptsetup@[volume]
"job is running" line.
- Ditto for when the key is inserted and systemd is supposed to ask for
user presence verification
- There is no way to fall back to a passphrase. If I realize I don't
have my FIDO2 key with me, I have to reboot using a different kernel
command line to enter my passphrase
- For some reason, the systemd-cryptsetup@[volume] unit for the volume
containing my root partition is deactivated right before partitions
are remounted during boot
Seems to me that the first two might be caused by something being
misconfigured. Can anyone help me figure out where to look?
About the passphrase fallback, I know there's Issue #19872 on GitHub for
a similar setup (PIN required, which offers a workaround.) With some
guidance (mostly, I have little idea how user interaction works in
systemd units), I would be happy to work on a patch myself.
While for the unit getting deactivated, I'm honestly not sure whether it
has been happening for some time or it's new for v251. Is it how it
should work? I'm under the impression that as long as the LUKS volume is
opened that unit is supposed to stay activated.
Riccardo P. Bestetti