Very unfortunately, there is no reasonable way to get Debian's default initramfs-tools to unlock LUKS volumes using tokens such as FIDO2 or TPM2. The best attempt at making this work with initramfs-tools is https://github.com/bertogg/fido2luks.
The most common way to handle unlocking these LUKS volumes is to use dracut to generate the initramfs images. I'm not saying that dracut is great, but it will let you easily use the systemd-cryptenroll token-based LUKS unlock methods.
# Installing dracut will automatically uninstall initramfs-tools.
sudo apt install dracut
# On Debian testing, you MUST install the systemd-cryptsetup pkg
# Without it, you might see the following:
# dracut-initqueue[625]: Failed to start cryptsetup.target: Unit cryptsetup.target not found.
sudo apt install systemd-cryptsetup
# If you already have an encrypted rootfs, you immediately need to
# enable `hostonly` mode, so that dracut will scan your root filesystem
# and add steps to unlock the LUKS volumes it depends on. This even works correctly
# for btrfs volumes that depend on two LUKS volumes for a raid1.
echo "# $USER added on $(date)" | sudo tee /etc/dracut.conf.d/options.conf
echo 'hostonly="yes"' | sudo tee -a /etc/dracut.conf.d/options.conf
# If you are going to use TPM2 functionality, do the following:
sudo apt install tpm2-tools
echo 'add_dracutmodules+=" tpm2-tss "' | sudo tee -a /etc/dracut.conf.d/options.conf
# If you are having issues, consider adding "bash" to the modules list.
#sudo dpkg-reconfigure dracut
sudo dracut --regenerate-all -f
# Running "dracut -f" seems to simply generate a single initrd named initramfs-*,
# which is not the default Debian initrd naming scheme.
#sudo dracut -f
# Make sure you see output that mentions the encrypted volume UUIDs, like the following:
# rd.luks.uuid=luks-<UUID-HERE>
WARNING: Dracut does not seem to work reliably on Debian.
# Confirm that the crypttab dracut embedded in the initrd lists your LUKS volume(s).
sudo lsinitrd /boot/initrd.img-6.9.9-amd64 -f etc/crypttab
# Make the EFI variables available and list the current UEFI boot entries.
sudo mount -t efivarfs none /sys/firmware/efi/efivars
sudo efibootmgr
# You can delete the debian entries; the main debian entry will be re-added by grub-install:
sudo grub-install --target=x86_64-efi
sudo update-grub
# With no options, systemd-cryptenroll shows the slots currently enrolled on the volume.
sudo systemd-cryptenroll /dev/nvme2n1p3
# Show list of FIDO2 devices.
systemd-cryptenroll --fido2-device=list
# Enroll one of the FIDO2 devices.
systemd-cryptenroll --fido2-device=auto --wipe-slot=fido2 /dev/vda5
# Test the FIDO2 unlock. Any of these should work; --token-only disables the
# passphrase fallback, so it proves the token alone can open the volume.
sudo cryptsetup open --test-passphrase --token-only /dev/vda5
sudo cryptsetup open --test-passphrase --token-type systemd-fido2 /dev/vda5
sudo cryptsetup open --test-passphrase --token-id 0 /dev/vda5
- https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/
- https://man.archlinux.org/man/systemd-cryptenroll.1#TPM2_PCRs_and_policies
- https://wiki.archlinux.org/title/Trusted_Platform_Module
sudo systemd-analyze pcrs
- https://man.archlinux.org/man/systemd-stub.7#TPM_PCR_NOTES
# Show list of TPM2 devices.
systemd-cryptenroll --tpm2-device=list
# Show list of current PCR values.
# If it shows "System lacks full TPM2 support, not showing PCR state.",
# you need to install "tpm2-tools".
sudo systemd-analyze pcrs
# or
sudo tpm2_pcrread
# Enroll the TPM2, binding the key to PCR 0 (firmware code) and PCR 7 (Secure Boot policy).
sudo systemd-cryptenroll --tpm2-device=auto --wipe-slot=tpm2 --tpm2-pcrs=0+7 /dev/vda2
If you remove all passphrase- and recovery-key-based slots but still have a token-based slot, you can use the following to re-add a passphrase key (the token unlocks the volume so the new key can be added):
sudo cryptsetup luksAddKey --token-only /dev/vda3
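Before wiping slots it is worth checking which keyslots are bound to hardware tokens and whether a passphrase or recovery-key slot remains. The following is an added example, not code from the notes above or from systemd/cryptsetup: it parses the JSON that `cryptsetup luksDump --dump-json-metadata` emits (the token names and the `keyslots` array per token follow the LUKS2 on-disk format) and flags a volume left with only hardware-token slots. The sample metadata is constructed.

```python
"""Audit which LUKS2 keyslots are bound to systemd tokens before wiping slots."""
import json
import subprocess
import sys

# Token types created by systemd-cryptenroll; the first three need hardware present.
HARDWARE_TOKENS = {"systemd-fido2", "systemd-tpm2", "systemd-pkcs11"}
RECOVERY_TOKEN = "systemd-recovery"


def slot_bindings(meta):
    """Map every keyslot id to the token types bound to it.

    `meta` is the dict parsed from `cryptsetup luksDump --dump-json-metadata`.
    A keyslot with an empty list is opened by a plain passphrase only.
    """
    bindings = {slot: [] for slot in meta.get("keyslots", {})}
    for token in meta.get("tokens", {}).values():
        for slot in token.get("keyslots", []):
            bindings.setdefault(slot, []).append(token["type"])
    return bindings


def fallback_slots(meta):
    """Keyslots openable without hardware: plain passphrase or recovery key."""
    return sorted(slot for slot, types in slot_bindings(meta).items()
                  if not types or RECOVERY_TOKEN in types)


def audit_device(device):
    """Dump metadata from a real device (needs root) and return the audit."""
    out = subprocess.run(["cryptsetup", "luksDump", "--dump-json-metadata", device],
                         check=True, capture_output=True, text=True).stdout
    meta = json.loads(out)
    return slot_bindings(meta), fallback_slots(meta)


# Constructed sample in the shape cryptsetup emits: slot 0 = passphrase,
# slot 1 = FIDO2 token, slot 2 = TPM2 token bound to PCRs 0+7.
SAMPLE_META = {
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-fido2", "keyslots": ["1"]},
               "1": {"type": "systemd-tpm2", "keyslots": ["2"], "tpm2-pcrs": [0, 7]}},
}

if __name__ == "__main__":
    bindings, fallback = (audit_device(sys.argv[1]) if len(sys.argv) > 1
                          else (slot_bindings(SAMPLE_META), fallback_slots(SAMPLE_META)))
    for slot, types in sorted(bindings.items()):
        print(f"keyslot {slot}: {', '.join(types) or 'passphrase only'}")
    if not fallback:
        print("WARNING: no passphrase/recovery slot left; add one with luksAddKey --token-only")
```

Run it with a device path (`sudo python3 audit.py /dev/vda3`) to audit a real volume; without arguments it audits the constructed sample.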
- Brave New Trusted Boot World
- https://manpages.debian.org/testing/cryptsetup-bin/cryptsetup-open.8.en.html#LUKS
- https://support.nitrokey.com/t/unlocking-luks-volume-with-nitrokey-3-on-debian-12-2/5553
- The Arch crypttab format has fido and tpm options documented. See https://man.archlinux.org/man/crypttab.5.
- https://cryptsetup-team.pages.debian.net/cryptsetup/README.Debian.html
- Debian keyctl decrypt script to share passwords - https://cryptsetup-team.pages.debian.net/cryptsetup/README.keyctl.html
- https://www.blarg.ca/2023/09/27/luks-disk-encryption-with-new-gentoo-linux-install