I have a clean install running Fedora 40 KDE spin. It was installed and updated this week. I’m trying to get LUKS decrypt to work using a Yubikey with FIDO2. LUKS was set up on multiple partitions during install with a password. Looking to see if I hit a bug or am just doing it wrong. This is my 2nd install after I borked the first trying to get this to work and couldn’t unlock the disks anymore.
Single disk system. Standard partitioning. LUKS is enabled on:
/ (sda4)
/home (sda3)
/var (sda5)
/var/tmp (sda6; mount options: nosuid,noexec,nodev)
SWAP (sda7)
I also have:
/boot
/boot/efi
/tmp (tmpfs; mount options: nosuid,noexec,nodev)
which are not encrypted. EFI is a “boot partition” format. The rest are ext4, tmpfs or swap.
After the install and booting I get the LUKS “password” screen, enter my password set during the install (once) and everything boots fine. All partitions mount without issue.
I created /etc/dracut.conf.d/fido2.conf with:
add_dracutmodules+=" fido2 "
and then ran sudo dracut -fv, and it showed the fido2 module being loaded.
I then edited /etc/crypttab and appended ,fido2-device=auto to all the lines. The LUKS IDs and UUIDs match up to my actual disk partitions.
I then ran:
sudo systemd-cryptenroll --fido2-device=auto /dev/sdaX
where X is the partition number from above. I verified with sudo cryptsetup luksDump /dev/sdaX that the 2nd slot is now set.
If I reboot, hit ESC and stick my Yubikey in, I see the prompt for the LUKS “pin” password. When I enter it my Yubikey does flash at me, and when I “thumb” over it it seems to “move on”, but then I get an error that a dependency failed and the luks systemd-LUKS-ID service failed to start. Eventually dracut times out.
If I don’t put my Yubikey in and use my password it still works to decrypt, BUT I now get prompted for the password 7 times for each partition vs. only once like I do prior to enabling the fido2 key slot.
So, did I miss a step? Do something wrong? This setup not supported? Did I hit a bug?
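As an added diagnostic (not part of the post), the script below parses the two things the poster changed: each active /etc/crypttab entry is checked for the fido2-device option, and a cryptsetup luksDump excerpt is checked for the systemd-fido2 token that systemd-cryptenroll writes and the keyslot it binds. The crypttab and luksDump samples are constructed; volume names and UUIDs are placeholders.

```shell
#!/bin/sh
# Added example: offline checks on /etc/crypttab and a LUKS2 header dump.
# On a real system feed it live data instead of the constructed samples:
#   crypttab_missing_fido2 "$(cat /etc/crypttab)"
#   luks_fido2_keyslot "$(sudo cryptsetup luksDump /dev/sdaX)"

# Constructed crypttab: two entries carry fido2-device=auto, one was missed.
SAMPLE_CRYPTTAB='luks-aaaa UUID=aaaa none discard,fido2-device=auto
luks-bbbb UUID=bbbb none discard
# luks-cccc is commented out and must be ignored
luks-dddd UUID=dddd none fido2-device=auto'

# Constructed luksDump excerpt after systemd-cryptenroll: token 0 binds keyslot 1.
SAMPLE_DUMP_WITH_TOKEN='Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-fido2
	fido2-rp: io.systemd.cryptsetup
	fido2-clientPin-required: true
	fido2-up-required: true
	Keyslot:    1'

# Constructed luksDump excerpt of a volume that was never enrolled.
SAMPLE_DUMP_NO_TOKEN='Keyslots:
  0: luks2
Tokens:'

# Print the name of every active crypttab entry whose options field (4th)
# lacks fido2-device=...; those volumes will still ask for the passphrase.
crypttab_missing_fido2() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blanks
    { opts = (NF >= 4) ? $4 : "" }
    ("," opts) !~ /,fido2-device=/ { print $1 }'
}

# Print the keyslot bound to the systemd-fido2 token, or nothing if none is enrolled.
luks_fido2_keyslot() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*[0-9]+: systemd-fido2$/ { in_tok = 1; next }
    in_tok && /^[[:space:]]*[0-9]+:/      { in_tok = 0 }   # next token block
    in_tok && /Keyslot:/                  { print $2; exit }'
}

# Stand-alone demonstration on the constructed data.
echo "crypttab entries without fido2-device: $(crypttab_missing_fido2 "$SAMPLE_CRYPTTAB")"
echo "fido2 keyslot (enrolled volume): $(luks_fido2_keyslot "$SAMPLE_DUMP_WITH_TOKEN")"
echo "fido2 keyslot (unenrolled volume): '$(luks_fido2_keyslot "$SAMPLE_DUMP_NO_TOKEN")'"
```

A volume that appears in the first list, or whose dump yields no keyslot, is one that systemd-cryptsetup will unlock by passphrase only.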