[Touch-packages] [Bug 1983784] [NEW] LUKS-encrypted partition is not automatically unlocked at boot with fido2 key

[jean-christophe manciot]

Public bug reported:

ubuntu 22.04
systemd 249.11-0ubuntu3.4

The partition is encrypted with luks2 and a fido2 key has been enrolled.with:
systemd-cryptenroll --fido2-device=auto /dev/<device>

/etc/crypttab has been setup with:
<target_name> LABEL=<label> none fido2-device=auto

/etc/fstab has been setup with:
/dev/mapper/<target_name> /media/<folder> ext4 defaults,nofail 0 0

After the boot is complete, the partition has not been unlocked despite
the fido2 key being present during the whole boot process.

Also, a manual unlock works with:
/lib/systemd/systemd-cryptsetup attach <target_name> /dev/<device> none 
fido2-device=auto
Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/<device>
Automatically discovered security FIDO2 token unlocks volume.
Asking FIDO2 token for authentication.
👆 Please confirm presence on security token to unlock.

How to automatically unlock the partition at boot?

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1983784

Title:
  LUKS-encrypted partition is not automatically unlocked at boot with
  fido2 key

Status in systemd package in Ubuntu:
  New

Bug description:
  ubuntu 22.04
  systemd 249.11-0ubuntu3.4

  The partition is encrypted with luks2 and a fido2 key has been enrolled.with:
  systemd-cryptenroll --fido2-device=auto /dev/<device>

  /etc/crypttab has been setup with:
  <target_name> LABEL=<label> none fido2-device=auto

  /etc/fstab has been setup with:
  /dev/mapper/<target_name> /media/<folder> ext4 defaults,nofail 0 0

  After the boot is complete, the partition has not been unlocked
  despite the fido2 key being present during the whole boot process.

  Also, a manual unlock works with:
  /lib/systemd/systemd-cryptsetup attach <target_name> /dev/<device> none 
fido2-device=auto
  Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/<device>
  Automatically discovered security FIDO2 token unlocks volume.
  Asking FIDO2 token for authentication.
  👆 Please confirm presence on security token to unlock.

  How to automatically unlock the partition at boot?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1983784/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp