How to unlock LUKS volume with Yubikey (FIDO2)

Hi,

I’m trying to set up my Yubikey as an additional way to unlock my root LUKS volume as described in this post.

However, the system fails to boot as it immediately fails to decrypt the volume, and I have to use the rd.luks.crypttab=0 kernel command line option to make it ask for the password again. It looks like something is missing in the dracut image, but I can’t figure out what it is. Does anyone have experience with this kind of setup?

Thank you.

I’ve opened this bug report:

https://bugzilla.redhat.com/show_bug.cgi?id=1965482

These are the most relevant log messages. I’m not sure if the FIDO2 support is not compiled in or if additional libraries must be included in the initramfs image:

systemd-cryptsetup[645]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/9e4a0d32-860a-4c93-8ce8-a949e55dafe9.
systemd-cryptsetup[645]: Automatically discovered security FIDO2 token unlocks volume.
systemd-cryptsetup[645]: FIDO2 support is not installed.