FIDO and Fedora: crypttab disk (LUKS) nomenclature - F37 [Q R4.2] with Nitrokey 3

There is variability in disk naming for crypttab. How do I know what kind of name to use? Thanks for your help!

One version has
nvme0n1p3_crypt UUID=xxx
another version has @w4tsn
I have
uuddev/sda3 /dev/disk/by-uuid/xxx
for the line start in crypttab.

[I do not write down “Centuries” “4” passwords or passphrases. They did not “just guess.” Somehow Fire Departments have a way to bypass passwords and attack people’s computers physically when they are away from home and their computers are physically vulnerable.]

It doesn’t really matter. This is the name for the unlocked LUKS container; you can put anything you want there. In Fedora, we use luks-<UUID>.

The only reason to pay attention to this is if you use the name anywhere else to refer to the unlocked device, for example in /etc/fstab, but you should be using UUIDs in fstab as well.

@vtrefny @w4tsn There are several things going on with this topic. I changed crypttab to luks-<machineID> as suggested, but when I restart, the edit is reverted back to /dev/disk/by- does not exist.
vi might take some getting used to. But I think I got it. Thing is, there is no way to regenerate dracut -f from the emergency shell # “dracut: command not found.” Can’t systemctl restart dev-sda-service. And how should I check fstab if I need to? Don’t think I do since I am using GRUB, not EFI.

The content of /etc/fstab can be seen with cat /etc/fstab similar to the way the content of any text file can be viewed.

GRUB and EFI are not mutually exclusive and in fact work together. fstab is used in almost all systems regardless of the boot method.

  1. It looks like you didn’t run dracut -f after changing the crypttab, because the change didn’t propagate to the initramfs. You need to do this from the running system; it cannot be done from the emergency console, because at that point you are in the initramfs, so you can’t update it.

  2. Your /etc/crypttab looks wrong: the syntax is <container name> <luks device> ..., so it should be luks-2f29c8... /dev/sda3 none ... and not the other way around.
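A small added check (not from the thread or from Fedora) that catches the swapped-field mistake described above before you regenerate the initramfs: it verifies that each crypttab line has a plain mapper name first and a device path or UUID= spec second. The sample crypttab and its UUIDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: validate the field order of /etc/crypttab lines,
# <container name> <luks device> [<keyfile>] [<options>], as described
# in the reply above. Sample lines below are constructed, not real.

# Returns 0 if the line follows the crypttab field order, 1 otherwise.
check_crypttab_line() {
    set -- $1            # split the line into whitespace-separated fields
    name=$1; dev=$2
    # The first field is the name of the unlocked mapping (e.g. luks-<UUID>);
    # it must not be a device path or a UUID= spec.
    case "$name" in
        ''|*/*|*=*) return 1 ;;
    esac
    # The second field must identify the encrypted device itself.
    case "$dev" in
        /dev/*|UUID=*|PARTUUID=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Checks every non-comment line read from stdin; reports malformed lines
# on stderr and returns 1 if any were found.
check_crypttab() {
    status=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! check_crypttab_line "$line"; then
            printf 'bad crypttab line: %s\n' "$line" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample: two valid lines plus the swapped line from the question.
SAMPLE='# constructed /etc/crypttab (UUIDs are placeholders)
luks-2f29c8aa-0000-0000-0000-PLACEHOLDER /dev/sda3 none discard
nvme0n1p3_crypt UUID=00000000-0000-0000-0000-PLACEHOLDER none luks
/dev/sda3 /dev/disk/by-uuid/00000000-0000-0000-0000-PLACEHOLDER none'

if printf '%s\n' "$SAMPLE" | check_crypttab; then
    echo "crypttab looks well-formed; now run dracut -f from the running system"
else
    echo "fix the lines above before running dracut -f"
fi
```

Run it against the real file with `check_crypttab < /etc/crypttab`; the check only validates field order, not whether the device actually exists.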

@vtrefny Thank you!

That is what I was saying. So do I have to “unenroll” the FIDO USB key to get the system past boot to make the changes? Can I just remove the options at the end of crypttab? If so, couldn’t an attacker just do the same thing, defeating the purpose of USB key crypt?

New obstacle. Ideas?