LUKS decrypt with yubikey fido2 and multiple partitions

I have a clean install running Fedora 40 KDE spin. It was installed and updated this week. I’m trying to get LUKS decrypt to work using a Yubikey with FIDO2. LUKS was set up on multiple partitions during install with a password. Looking to see if I hit a bug or am just doing it wrong. This is my 2nd install after I borked the first trying to get this to work and couldn’t unlock the disks anymore.

Single disk system. Standard partitioning. LUKS is enabled on:
/ (sda4)
/home (sda3)
/var (sda5)
/var/tmp (sda6; mount options: nosuid,noexec,nodev)
SWAP (sda7)

I also have:
/boot
/boot/efi
/tmp (tmpfs; mount options: nosuid,noexec,nodev)

which are not encrypted. EFI is a “boot partition” format. The rest are ext4, tmpfs or swap.

After the install and booting I get the LUKS “password” screen, enter my password set during the install (once) and everything boots fine. All partitions mount without issue.

I created /etc/dracut.conf.d/fido2.conf with:

add_dracutmodules+=" fido2 "

and then ran sudo dracut -fv and it showed as loading the fido2 module.

I then edited /etc/crypttab and appended ,fido2-device=auto to all the lines. The luks IDs and UUIDs match up to my actual disk partitions.

I then ran:

sudo systemd-cryptenroll --fido2-device=auto /dev/sdaX  

where X is the partition number from above. I verified with sudo cryptsetup luksDump /dev/sdaX that the 2nd slot is now set.

If I reboot and hit ESC, stick my Yubikey in I see the prompt for the LUKS “pin” password and when I enter it my yubikey does flash at me and when I “thumb” over it it seems to “move on”, but then I get an error that a dependency failed and the luks systemd -LUKS ID service failed to start. Eventually dracut times out.

If I don’t put my Yubikey in and use my password it still works to decrypt, BUT I now get prompted for the password 7 times for each partition vs. only once like I do prior to enabling the fido2 key slot.

So, did I miss a step? Do something wrong? This setup not supported? Did I hit a bug?
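An added example (not from this thread, and not systemd's or cryptsetup's own tooling) for checking the enrollment step above across several partitions: it cross-checks every crypttab entry that carries fido2-device=auto against the Tokens section of that device's luksDump output, which is where systemd-cryptenroll records the systemd-fido2 token and the keyslot it binds to. The crypttab lines, UUIDs and luksDump text are constructed stand-ins and the token field names in the sample are approximated; on a real system you would feed it the contents of /etc/crypttab and the output of sudo cryptsetup luksDump /dev/sdaX for each device.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check /etc/crypttab against the
# LUKS2 headers so every entry that asks for fido2-device=auto really has a
# systemd-fido2 token enrolled. All inputs below are constructed stand-ins.

# Constructed crypttab in Fedora's "name UUID=... none options" layout.
SAMPLE_CRYPTTAB='# name     device                                         keyfile options
luks-home  UUID=11111111-1111-1111-1111-111111111111 none    discard,fido2-device=auto
luks-opt   UUID=22222222-2222-2222-2222-222222222222 none    discard,fido2-device=auto
luks-swap  UUID=33333333-3333-3333-3333-333333333333 none    discard'

# Stand-in for `cryptsetup luksDump /dev/disk/by-uuid/<uuid>` (needs root on a
# real system). Only the sections the parser looks at are reproduced, and the
# token field names are approximated from what the systemd plugin prints.
luks_dump() {
  case "$1" in
    11111111-1111-1111-1111-111111111111)
      printf '%s\n' 'LUKS header information' 'Version:        2' \
        'Keyslots:' '  0: luks2' '        Key:        512 bits' \
        '  1: luks2' '        Key:        512 bits' \
        'Tokens:' '  0: systemd-fido2' \
        '        fido2-rp:         io.systemd.cryptsetup' \
        '        fido2-clientPin-required: true' \
        '        fido2-up-required: true' \
        '        Keyslot:    1' \
        'Digests:' '  0: pbkdf2' '        Hash:       sha256' ;;
    22222222-2222-2222-2222-222222222222)
      # Passphrase keyslot only: systemd-cryptenroll was never run here.
      printf '%s\n' 'LUKS header information' 'Version:        2' \
        'Keyslots:' '  0: luks2' '        Key:        512 bits' \
        'Tokens:' 'Digests:' '  0: pbkdf2' ;;
    *) return 1 ;;
  esac
}

# Read luksDump text on stdin; print the keyslot number of every systemd-fido2 token.
fido2_token_keyslots() {
  awk '
    /^[^[:space:]]/ { intok = ($0 ~ /^Tokens:/); isfido = 0 }   # section header
    intok && /^[[:space:]]+[0-9]+: / { isfido = ($2 == "systemd-fido2") }
    intok && isfido && /^[[:space:]]+Keyslot:/ { print $2 }
  '
}

# Walk crypttab text ($1) and report, per entry, whether the header agrees.
audit_crypttab() {
  printf '%s\n' "$1" | while read -r name dev _keyfile opts; do
    case "$name" in ''|'#'*) continue ;; esac
    uuid=${dev#UUID=}
    case ",$opts," in
      *,fido2-device=*)
        slots=$(luks_dump "$uuid" | fido2_token_keyslots | tr '\n' ' ')
        if [ -n "$slots" ]; then
          echo "$name: OK, systemd-fido2 token bound to keyslot ${slots% }"
        else
          echo "$name: MISMATCH, crypttab requests fido2-device but the header has no systemd-fido2 token"
        fi ;;
      *) echo "$name: passphrase only (no fido2-device option)" ;;
    esac
  done
}

# Stand-alone run over the constructed inputs.
audit_crypttab "$SAMPLE_CRYPTTAB"
```

An entry reported as MISMATCH is one where systemd-cryptsetup will try the FIDO2 path at boot even though nothing in the header can answer it, which is the kind of per-partition inconsistency that produces a failed unit for one device while the others unlock.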

Can you check journalctl --no-hostname -xb to see what hit the logs?

Since / and /var are encrypted, I don’t think anything would hit the logs???

I did just try again. Hit ESC and I get a prompt for “LUKS token PIN” even when the Yubikey is not available. I put in my passphrase (not the token PIN) and then I get a prompt for the “passphrase for my disk 1” and then “disk 2”. It spins for a bit and then I get 3 more prompts for the rest.

Since I’m “testing” this, I’m going to do a re-install and just LUKS encrypt /home and a “test” partition I can mount / unmount once it’s booted. systemd seems to keep /home “locked”. I can’t unmount and LUKS “close” it.

I’ll report back. Thanks.

Not so fast, I don’t think that’s necessary. Gimme a moment.


Just at a glance, is it supposed to be

sudo systemd-cryptenroll --fido2-device=auto /dev/sdaX

or from this article:

sudo systemd-cryptenroll --fido2-device auto

so basically no = 🤔 Not sure if that’s an issue, and if you saw the logs it should have come up there if there was a typo.

journalctl -b -1 | grep -i luks
journalctl -b -1 | grep -i fido2

Yeah, some articles have =auto and some have auto (space). Since it’s “trying” to use the fido2 key and prompting for a PIN, I think the config is correct from that point. The command didn’t complain either way.


So, I rebuilt. I now have a /opt and /home that are encrypted. Everything else is just a standard partition.

If I umount /opt (/dev/sda7 is the LUKS block) and then cryptsetup close the LUKS volume I can then:

sudo /usr/lib/systemd/systemd-cryptsetup attach myLuks /dev/sdc1 - fido2-device=auto

This prompts me for Please enter a LUKS2 token PIN: and then a confirmation. Then it prompts me for a Please enter security token PIN: and then a confirmation. Seems to take the same “PIN” for both although I only ever set a PIN on the “fido” part. So, not sure why it’s asking for 2.

If I do:

sudo cryptsetup open --token-only /dev/sda7 opt

I just get an “Enter token PIN:”, enter the PIN and a confirmation prompt. Neither give me an error.

However, I also don’t get a volume / device in /dev/mapper/. So, not sure it’s actually working. Shouldn’t I get the luks-device in there?


Hmmm, so if I do:

sudo cryptsetup open -v --token-only /dev/sda7 opt

I end up with:

Enter token PIN:
Asking FIDO2 token for authentication
...Please confirm presence on security token to unlock
Command failed with code -2 (no permission or bad passphrase)

So, I’m running via “sudo”, so it’s not a permission problem. If I put in the wrong “PIN” it tells me it can’t unlock the FIDO2 token. So, it’s “unlocking” the token, but seems to be failing at unlocking the LUKS volume.


Running cryptsetup with the debug flag gets me:

# cryptsetup 2.7.1 processing "cryptsetup open --type luks -v --debug --token-only /dev/sda7 opt"
# Verifying parameters for command open.
# Running command open.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sda7.
# Trying to open and read device /dev/sda7 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sda7.
# Crypto backend (OpenSSL 3.2.1 30 Jan 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.1.
# Detected kernel Linux 6.8.5-301.fc40.x86_64 x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sda7.
# Opening lock resource file /run/cryptsetup/L_8:7
# Verifying lock handle for /dev/sda7.
# Device /dev/sda7 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sda7
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:966e319342e3037f0b6a35aa54e70bb6dc97e1727b9268ab37fbdf7eda70a07c (on-disk)
# Checksum:966e319342e3037f0b6a35aa54e70bb6dc97e1727b9268ab37fbdf7eda70a07c (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sda7
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:cc89fd9222344f795a0d150f140a1ca1bb0cb5681e6e314031a4581b41cb29ef (on-disk)
# Checksum:cc89fd9222344f795a0d150f140a1ca1bb0cb5681e6e314031a4581b41cb29ef (in-memory)
# Device size 1001390080, offset 16777216.
# Device /dev/sda7 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume opt [keyslot -1] using token.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.48.0.
# Detected dm-crypt version 1.25.0.
# Detected dm-zero version 1.2.0.
# Device-mapper backend running with UDEV support enabled.
# dm status opt  [ opencount noflush ]   [16384] (*1)
# Token 0 unusable for segment 0 with desired keyslot priority 2.
# Token 1 unusable for segment 0 with desired keyslot priority 2.
# Trying to load /usr/lib64/cryptsetup/libcryptsetup-token-systemd-fido2.so.
# Loading symbol cryptsetup_token_open@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_buffer_free@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_validate@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_dump@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_open_pin@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_version@CRYPTSETUP_TOKEN_1.0.
# Token handler systemd-fido2-1.0 systemd-v255 (255.4-1.fc40) loaded successfully.
# Requesting JSON for token 0.
# Token 0 (systemd-fido2) open failed with -55.
# Token 1 unusable for segment 0 with desired keyslot priority 1.
# Interactive passphrase entry requested.
Enter token PIN: 
# Activating volume opt [keyslot -1] using token.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status opt  [ opencount noflush ]   [16384] (*1)
# Token 0 unusable for segment 0 with desired keyslot priority 2.
# Token 1 unusable for segment 0 with desired keyslot priority 2.
# Requesting JSON for token 0.
Asking FIDO2 token for authentication.
👆 Please confirm presence on security token to unlock.
# Trying to open keyslot 1 with token 0 (type systemd-fido2).
# Trying to open LUKS2 keyslot 1.
# Running keyslot key derivation.
# Reading keyslot area [0x47000].
# Acquiring read lock for device /dev/sda7.
# Opening lock resource file /run/cryptsetup/L_8:7
# Verifying lock handle for /dev/sda7.
# Device /dev/sda7 READ lock taken.
# Reusing open ro fd on device /dev/sda7
# Device /dev/sda7 READ lock released.
# Verifying key from keyslot 1, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
# Token 1 unusable for segment 0 with desired keyslot priority 1.
# Releasing crypt device /dev/sda7 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sda7.
Command failed with code -2 (no permission or bad passphrase).
# Unloading systemd-fido2 token handler.

Did I not set up the Yubikey right? In my reading it “should” use the default “Yubikey OTP” factory key and outside of adding a PIN to “fido” slots I don’t have to do anything else. Is my initial setup / enroll wrong?

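An added example, not from the thread and not part of cryptsetup, that pulls the decisive lines out of a cryptsetup open --debug transcript like the one above and states what they imply: which token handler loaded, which keyslot the token was mapped to, and whether the key recovered from that keyslot passed digest verification. The transcripts embedded below are constructed excerpts modelled on the posted one (the second is a hypothetical run where the plugin never loads), and the verdict labels SECRET_MISMATCH, NO_TOKEN_PLUGIN and UNCLASSIFIED are names chosen here, not cryptsetup output.

```shell
#!/bin/sh
# Added example (not from the thread): reduce a `cryptsetup open --debug`
# transcript to the few facts that decide why activation failed. The
# transcripts below are constructed excerpts modelled on the one posted.

SAMPLE_DEBUG='# Trying to load /usr/lib64/cryptsetup/libcryptsetup-token-systemd-fido2.so.
# Token handler systemd-fido2-1.0 systemd-v255 (255.4-1.fc40) loaded successfully.
# Requesting JSON for token 0.
# Token 0 (systemd-fido2) open failed with -55.
# Interactive passphrase entry requested.
Enter token PIN:
Asking FIDO2 token for authentication.
# Trying to open keyslot 1 with token 0 (type systemd-fido2).
# Trying to open LUKS2 keyslot 1.
# Running keyslot key derivation.
# Verifying key from keyslot 1, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
Command failed with code -2 (no permission or bad passphrase).'

# Constructed (hypothetical) variant in which the token plugin is never loaded,
# so cryptsetup falls back to a plain passphrase prompt.
SAMPLE_NO_PLUGIN='# Token 0 unusable for segment 0 with desired keyslot priority 2.
# Interactive passphrase entry requested.
Command failed with code -2 (no permission or bad passphrase).'

# Read a transcript on stdin; emit key=value facts, one per line.
extract_facts() {
  awk '
    /Token handler .* loaded successfully/     { print "handler=" $4 }
    /Token [0-9]+ [(].*[)] open failed with/   { rc = $NF; sub(/\.$/, "", rc); print "token_open_rc=" rc }
    /Trying to open keyslot [0-9]+ with token/ { print "keyslot=" $6; print "token=" $9 }
    /Digest [0-9]+ [(].*[)] verify failed/     { print "digest_verify=failed" }
    /^Command failed with code/                { print "exit_code=" $5 }
  '
}

# Look up one fact ($2) in a facts blob ($1); empty if absent.
fact() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# Read a transcript on stdin; print a one-line verdict with a fixed prefix.
verdict() {
  facts=$(extract_facts)
  if [ "$(fact "$facts" digest_verify)" = failed ]; then
    echo "SECRET_MISMATCH keyslot=$(fact "$facts" keyslot) token=$(fact "$facts" token): the keyslot was tried with the secret the token returned, but the recovered key failed digest verification, so that secret is not what was enrolled in the slot (same failure class as a wrong passphrase)"
  elif [ -z "$(fact "$facts" handler)" ]; then
    echo "NO_TOKEN_PLUGIN: libcryptsetup-token-systemd-fido2.so never loaded, so no FIDO2 unlock was attempted"
  else
    echo "UNCLASSIFIED exit_code=$(fact "$facts" exit_code): token path ran but no known failure marker was found"
  fi
}

# Stand-alone run over the constructed transcripts.
printf '%s\n' "$SAMPLE_DEBUG" | verdict
printf '%s\n' "$SAMPLE_NO_PLUGIN" | verdict
```

The distinction the verdict draws matters for troubleshooting: in the posted transcript the plugin loads, the PIN unlocks the token and token 0 is matched to keyslot 1, so the failure is confined to the last step, the key recovered from keyslot 1 not verifying against digest 0. That points at the enrolled secret versus the secret the key produced at open time rather than at dracut, crypttab or the PIN.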