FIDO2 (YubiKey) to unlock LUKS at boot on Fedora 36 not working
I’m trying to use FIDO2 (YubiKey 5) with Fedora 36 to unlock the LUKS volume on system boot without success as it keeps asking for the regular LUKS passphrase and not using the token to unlock the LUKS volume.
I followed Lennart Poettering’s example on his blog and used systemd-cryptenroll to enrol the YubiKey and then modified the /etc/crypttab file with the appropriate config.
cryptsetup luksDump shows the token is added to the LUKS header. However, on system boot the Plymouth splash screen is displayed prompting for the regular LUKS passphrase to unlock the volume.
I thought Plymouth might not be displaying the prompt to enter the FIDO2 PIN, so I removed and re-added the LUKS keyslot and token with extra parameters to not require user presence or PIN:
systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=false --fido2-with-client-pin=false /dev/sda3
This still doesn’t work and it still prompts for the LUKS passphrase.
Fedora 36 is running systemd version 250.
Any ideas why FIDO2 isn’t working to unlock the LUKS volume?
So I found the problem, I didn’t execute dracut --regenerate-all --force after modifying /etc/crypttab before rebooting. I believe on Debian-based distros you would need to run update-initramfs -u instead. When requiring a FIDO2 PIN it is entered at the Plymouth interface. It looks identical to when entering a LUKS passphrase, but if you hit Esc you will see the prompt asking for the FIDO2 token PIN instead.
For reference, here is a complete procedure for configuring a FIDO2 token (e.g. YubiKey) to unlock a LUKS volume on a RH/Fedora distro. (Note: this is only supported from systemd version 248. Use systemctl --version to check.)
- View existing LUKS keyslot info. If initially configured to use only a passphrase you will see only one keyslot (slot 0) and zero tokens.
cryptsetup luksDump /dev/sda3 (Replace sda3 with whatever your block device is)
- Enroll token(s). In this example, specifying a requirement for FIDO2 PIN and user presence (e.g. ‘touch’).
systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=true --fido2-with-user-presence=true /dev/sda3
- Check LUKS token(s) and keyslots again. This time you should see an additional keyslot (slot 1) and a new token (token 0), which will also list the above parameters if specified during enrollment.
cryptsetup luksDump /dev/sda3
- Modify /etc/crypttab. By default on Fedora 36 it will be using UUIDs.
Modify so it looks like this.
luks-a6c32afd-3c35-4628-8653-5be499eaf0ce UUID=a6c32afd-3c35-4628-8653-5be499eaf0ce - fido2-device=auto
- Generate new initramfs image
dracut --regenerate-all --force
- Reboot and test. As mentioned, the Plymouth splash screen will look the same, but instead of entering a LUKS passphrase, enter the FIDO2 PIN. Or press ‘Esc’ to verify that it is actually prompting for the FIDO2 PIN, if required. If the presence requirement was specified, you will need to touch the token. The system should boot.
To remove a token from a LUKS volume:
cryptsetup token remove --token-id 0 /dev/sda3
And to remove the corresponding key slot:
systemd-cryptenroll --wipe-slot=1 /dev/sda3
A peculiarity I’ve noticed if enrolling multiple FIDO2 tokens and specifying a PIN and presence requirement is that you will need to touch the token X number of times, where X is the n’th token that’s been enrolled. E.g. If you enroll four tokens, when using the 4th enrolled token, you will need to touch it four times before the system boots. I think it’s related to this mention in SYSTEMD-CRYPTENROLL(1):
Also note that support for enrolling multiple FIDO2 tokens is
currently not too useful, as while unlocking systemd-cryptsetup cannot
identify which token is currently plugged in and thus does not know
which authentication request to send to the device.
Fedora F38 Silverblue (with systemd v253) has a similar issue, where FIDO2 security tokens do not work to unlock LUKS2 at boot-time. Only passphrase entry works.
The issue is that the required files (libfido2.so, etcetera) are missing from the immutable F38 Silverblue initramfs. List currently available files using lsinitrd to verify.
It is possible to switch Silverblue to a locally generated initramfs with added dracut modules from
sudo rpm-ostree initramfs --enable --arg='--add' --arg='fido2'
At boot time, the Plymouth (graphical) LUKS2 passphrase prompt will be displayed as usual. To verify that PIN entry is enabled, press Esc to see the terminal prompt Please enter LUKS2 token PIN::. Note that you can now choose to enter either a passphrase or PIN in either prompt.
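The two answers above boil down to four things that must line up before a reboot: systemd 248 or newer, a systemd-fido2 token actually present in the LUKS2 header, a fido2-device= option on the crypttab line, and an initramfs that was regenerated after the edit (so libfido2 is inside it). The script below is an added example, not code from the question or either answer, that turns those checks into shell functions. Each function reads the text a real command would print (systemctl --version, cryptsetup luksDump, /etc/crypttab, lsinitrd) from an argument or stdin, so it runs here on constructed sample strings without touching a disk; the exact layout of the luksDump and lsinitrd samples is an assumption modelled on typical output, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original thread): offline pre-reboot checks for
# FIDO2 unlock of a LUKS2 volume. Every check consumes command output passed
# in as text, so the same functions work on constructed samples and on real
# `systemctl --version` / `cryptsetup luksDump` / crypttab / `lsinitrd` output.

# 1. systemd-cryptenroll FIDO2 support needs systemd 248 or newer.
#    $1 is the first line of `systemctl --version`, e.g. "systemd 250 (...)".
systemd_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] && [ "$ver" -ge 248 ]
}

# 2. Count systemd-fido2 tokens in `cryptsetup luksDump` output (stdin).
#    Zero means enrollment never reached the header; more than one is the
#    multi-token case whose repeated-touch behaviour the thread describes.
luksdump_fido2_tokens() {
    grep -c '^[[:space:]]*[0-9][0-9]*: systemd-fido2' || true
}

# 3. The crypttab entry for mapper name $1 (crypttab on stdin) must carry a
#    fido2-device= option in its 4th field; otherwise systemd-cryptsetup only
#    ever asks for the passphrase.
crypttab_fido2_ok() {
    awk -v name="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == name {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] ~ /^fido2-device=/) ok = 1
        }
        END { if (found && ok) exit 0; exit 1 }'
}

# 4. The initramfs must ship libfido2; its absence from `lsinitrd` output
#    (stdin) is the "forgot dracut --regenerate-all" and Silverblue symptom.
initrd_has_fido2() {
    grep -q 'libfido2\.so'
}

# Run all four checks, print one line each, return 0 only if all pass.
# Arguments: systemctl line, luksDump text, crypttab text, mapper name, lsinitrd text.
check_all() {
    status=0
    if systemd_version_ok "$1"; then echo "systemd >= 248: ok"; else echo "systemd >= 248: FAIL"; status=1; fi
    tokens=$(printf '%s\n' "$2" | luksdump_fido2_tokens)
    if [ "$tokens" -ge 1 ]; then echo "fido2 tokens in header: $tokens"; else echo "fido2 tokens in header: none"; status=1; fi
    if printf '%s\n' "$3" | crypttab_fido2_ok "$4"; then echo "crypttab fido2-device= option: ok"; else echo "crypttab fido2-device= option: FAIL"; status=1; fi
    if printf '%s\n' "$5" | initrd_has_fido2; then echo "libfido2 in initramfs: ok"; else echo "libfido2 in initramfs: FAIL (regenerate the initramfs)"; status=1; fi
    return $status
}

# --- constructed sample inputs (not captured from a real system) ---
MAPPER='luks-a6c32afd-3c35-4628-8653-5be499eaf0ce'
CRYPTTAB='# <name> <device> <keyfile> <options>
luks-a6c32afd-3c35-4628-8653-5be499eaf0ce UUID=a6c32afd-3c35-4628-8653-5be499eaf0ce - fido2-device=auto
luks-0000 UUID=0000 none discard'
LUKSDUMP='LUKS header information
Version:        2
Tokens:
  0: systemd-fido2
        Keyslot:    1'
LSINITRD_OK='usr/lib64/libfido2.so.1
usr/lib/systemd/systemd-cryptsetup'
LSINITRD_STALE='usr/lib/systemd/systemd-cryptsetup'

echo '== everything regenerated =='
check_all "systemd 250 (v250.3-1.fc36)" "$LUKSDUMP" "$CRYPTTAB" "$MAPPER" "$LSINITRD_OK" || true
echo '== crypttab edited, dracut not run =='
check_all "systemd 250 (v250.3-1.fc36)" "$LUKSDUMP" "$CRYPTTAB" "$MAPPER" "$LSINITRD_STALE" || true
```

On a real Fedora box the same functions take live output, e.g. `sudo cryptsetup luksDump /dev/sda3 | luksdump_fido2_tokens`, `crypttab_fido2_ok luks-<uuid> < /etc/crypttab` and `sudo lsinitrd | initrd_has_fido2`; a failing fourth check after a passing third is exactly the state described in the accepted answer.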