[PITCH] FIDO2 Keys with LUKS on Atomic Desktops

As of yet, there is no documentation on how to use a FIDO2 key with LUKS for Atomic Desktops. There is an existing article that discusses this on non-atomic desktops:

Therefore, I believe that there should be an article that discusses this, especially since Atomic Desktops are becoming more and more popular.

I would not be able to write this article since I have yet to find the solution. Maybe there is someone that already has the solution that would be able to document it in an article?

1 Like

This sounds good to me. +1. 🙂

1 Like

💯 from me!

1 Like

From Project Discussion to Fedora Magazine

+1 from me, though I have no Fido key or desire to write the post.

1 Like

I can collaborate on this, I’d be willing to test anything that needs to be done. I have an abundance of FIDO2 keys.

You do seem like the correct candidate to write the post. By writing it, you will no doubt learn how to do it, and I would definitely help you write it if you like.

I do not have FIDO keys, but do use --key-file (I have 36 currently) with LUKS, so if you need my help just post it here.

1 Like

Late to this party but I would give this a +1 as well.

1 Like

I think I will include TPM2 in this article, too, since the process of decrypting is similar to FIDO2. There are minor changes to the args, and I think they are both related.

2 Likes

Can somebody confirm that the following works with an Atomic 39 and whether or not it is consistent with Atomic 40? Please use the aforementioned article in the opening post as a guide.

rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss

If, in fact, the above command works on Atomic and TPM2, I might be able to modify the args to get it to work with:

rpm-ostree initramfs --enable --arg=--force-add --arg=fido2-device

Q: Are you using FIDO2 with LUKS2, or is this for a pre-LUKS decryption at the BIOS level?

The way it is set up is that upon install you would do LUKS2 encryption with a password. Then once you have your desktop you would do the following:

echo "add_dracutmodules+=\" fido2 \"" | sudo tee /etc/dracut.conf.d/fido2.conf
add_dracutmodules+=" fido2 "

sudo systemd-cryptenroll --fido2-device auto /dev/nvme0n1p3

sudo nano /etc/crypttab   # append fido2-device=auto to the options field of the LUKS entry

sudo rpm-ostree initramfs...

OR

echo "add_dracutmodules+=\" tpm2-tss \"" | sudo tee /etc/dracut.conf.d/tpm2.conf
add_dracutmodules+=" tpm2-tss "

sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "0+1+2+3+4+5+7+9" /dev/nvme0n1p3

sudo nano /etc/crypttab   # append tpm2-device=auto,tpm2-pcrs=0+1+2+3+4+5+7+9 to the options field of the LUKS entry

sudo rpm-ostree initramfs...
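The procedure in the post above, as an added example that is not code from the thread or from Fedora: one script that writes the dracut drop-in, enrolls the token, merges the crypttab options without duplicating them, and rebuilds the initramfs, previewing every privileged command unless RUN=1 is set. Assumptions not stated on the page: the dracut modules are named fido2 and tpm2-tss (fido2-device=auto is a crypttab option, not a dracut module name); the LUKS2 partition is found with lsblk rather than hardcoding /dev/nvme0n1p3; the crypttab options column is empty, "none", "-" or a comma-separated list; and rpm-ostree honours /etc/dracut.conf.d when it regenerates the initramfs.

```shell
#!/bin/sh
# Added example, not code from the thread: the FIDO2 / TPM2 enrollment steps
# as one script whose file edits are idempotent and whose privileged
# commands are only previewed unless RUN=1 is set.
# Assumptions (not stated on the page): dracut modules are named "fido2" and
# "tpm2-tss"; the LUKS2 partition is located with lsblk instead of hardcoding
# /dev/nvme0n1p3; the crypttab options column is empty, "none", "-" or a
# comma-separated list; rpm-ostree reads /etc/dracut.conf.d when rebuilding.
set -eu

# Content of the dracut drop-in that pulls the unlock helper into the initramfs.
dracut_conf() {
  case "$1" in
    fido2) printf 'add_dracutmodules+=" fido2 "\n' ;;
    tpm2)  printf 'add_dracutmodules+=" tpm2-tss "\n' ;;
    *)     echo "unknown token type: $1" >&2; return 1 ;;
  esac
}

# crypttab options per token type, mirroring the values used in the thread.
crypttab_opts() {
  case "$1" in
    fido2) echo "fido2-device=auto" ;;
    tpm2)  echo "tpm2-device=auto,tpm2-pcrs=0+1+2+3+4+5+7+9" ;;
    *)     return 1 ;;
  esac
}

# systemd-cryptenroll invocation for token type $1 on LUKS device $2.
# The passphrase key slot is left in place so the machine stays bootable
# if the token is missing or the PCR binding goes stale.
enroll_cmd() {
  case "$1" in
    fido2) echo "systemd-cryptenroll --fido2-device auto $2" ;;
    tpm2)  echo "systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs 0+1+2+3+4+5+7+9 $2" ;;
    *)     return 1 ;;
  esac
}

# Print crypttab file $1 with options $3 merged into the entry named $2.
# Options already present are not duplicated, so re-running is safe.
crypttab_add_options() {
  awk -v name="$2" -v opts="$3" '
    /^[[:space:]]*#/ || $1 != name { print; next }   # comments, other entries
    {
      # columns: name device keyfile options; "none"/"-" mean no options
      dev = ($2 != "") ? $2 : "none"
      key = ($3 != "") ? $3 : "none"
      cur = ($4 != "" && $4 != "none" && $4 != "-") ? $4 : ""
      n = split(opts, want, ",")
      for (i = 1; i <= n; i++)
        if (index("," cur ",", "," want[i] ",") == 0)
          cur = (cur == "") ? want[i] : cur "," want[i]
      print name, dev, key, cur
    }' "$1"
}

# Run a command, or only print it when RUN is not 1.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi; }
# Write stdin to file $1, or show what would be written when RUN is not 1.
write_file() {
  if [ "${RUN:-0}" = 1 ]; then cat > "$1"; else echo "+ write $1:"; sed 's/^/    /'; fi
}

main() {
  kind="$1"
  crypttab_opts "$kind" >/dev/null          # reject anything but fido2 / tpm2
  # First crypto_LUKS partition from lsblk (assumption: a single LUKS root volume).
  dev=$(lsblk -rno PATH,FSTYPE | awk '$2 == "crypto_LUKS" { print $1; exit }')
  [ -n "$dev" ] || { echo "no LUKS partition found" >&2; exit 1; }
  # Mapping name: first non-comment entry of the existing crypttab.
  name=$(awk '!/^[[:space:]]*#/ && NF { print $1; exit }' /etc/crypttab)
  tmp=$(mktemp)

  dracut_conf "$kind" | write_file "/etc/dracut.conf.d/$kind.conf"
  run $(enroll_cmd "$kind" "$dev")          # word-split on purpose: no spaces in args
  crypttab_add_options /etc/crypttab "$name" "$(crypttab_opts "$kind")" > "$tmp"
  diff -u /etc/crypttab "$tmp" || true       # show the crypttab change before it lands
  run cp "$tmp" /etc/crypttab
  rm -f "$tmp"
  # Rebuild the initramfs for the current deployment; each dracut flag is its own --arg.
  case "$kind" in fido2) mod=fido2 ;; tpm2) mod=tpm2-tss ;; esac
  run rpm-ostree initramfs --enable --arg=--force-add --arg="$mod"
}

# Usage:        sh luks-token.sh fido2|tpm2    # preview the commands
#        RUN=1  sh luks-token.sh fido2|tpm2    # execute them as root
if [ $# -ge 1 ]; then main "$1"; fi
```

Two checks worth doing afterwards: `rpm-ostree status` shows the initramfs arguments recorded for the deployment, and `ostree admin config-diff` lists the /etc changes that will be carried into the next deployment. For the TPM2 variant, PCR 9 changes whenever the initramfs does, so an enrollment made before the rebuild will not match on the next boot and the passphrase prompt is the fallback; re-run the enroll step once the new initramfs is in place (the --wipe-slot tpm2 in the command makes that repeatable). Keep the passphrase slot until a reboot with the token unplugged has confirmed it still unlocks.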

👍 Looks good.

I just need somebody’s help with the proper rpm-ostree initramfs command…I haven’t been able to figure that one out.

1 Like

Just a random thought: since it's OSTree, is that even possible in /etc/*?

TL;DR all edits are kept unless you rollback.

Yes, each deployment has its own independent copy of /etc/* meaning that if you rollback, the changes to that copy will be rolled back. But, if you do make changes to /etc/* and upgrade, the defaults of the new deployment will be merged with your current copy of /etc/* so the modifications will be kept. In the end, unless you rollback, changes will be kept.

1 Like

Useful tidbit to note for the article too. 👍

Draft is in Wordpress, for those of you who are interested. I still need to confirm that all of the commands are correct with testing.

1 Like

This is the error I get when trying to do

$ rpm-ostree initramfs --enable --arg=--force-add --arg=fido2-device

error: bwrap(rpmostree-dracut-wrapper): Child process killed by signal 1

1 Like