I was looking to use FIDO2 keys to unlock a LUKS2 partition on a laptop. The Ubuntu 24.04 installation makes it easy to do "whole drive encryption" with LUKS2 with LVM inside, however this defaults to using a passphrase. Part of the use case is to make it easy to decrypt by someone else who has access to a FIDO2 key keyed to the laptop and do away with either insecure passphrases or complicated passphrases that nobody can seem to type in right, let alone remember / find when they need it. The thought with the Yubikey is FIDO2 can be used with strong crypto such as ed25519 and if you don't have both the physical key and the simple PIN that goes with the key, you can't unlock it. Plus if the physical key gets lost or stolen, 8 failed attempts and the FIDO2 function is locked out on the key. So it seems to be a good way to protect data at rest, granted the function to shut down a lost or stolen laptop remotely when it connects to the Internet next is "sold separately". (Something you can do with ESET on Windows, at least for business users, which can be handy, granted that is a TPM2 based solution.)
So anyway, what I am hitting with Ubuntu 24.04 specifically when I try to go down this route is:
1. When I generate a key with the command:
Code:
systemd-cryptenroll --fido2-device=auto --fido2-credential-algorithm=eddsa --fido2-with-client-pin=yes /dev/nvme0n1p8
I see the LUKS2 headers in the cryptsetup luksDump command, but I don't see any keys on the Yubikey 5 with the ykman fido list command. I know that FIDO U2F keys won't show, but this is supposed to be all FIDO2 here, so it should show up. I can see other FIDO2 keys on Yubikeys with known FIDO2 keys on them, so I am doing the listing right.
Something of note is I am not asked for the PIN when adding. Another thing that is bugging me is when I register on websites and with ssh, I can label each entry on the FIDO2 key, but I don't see any option to do this with the systemd-cryptenroll command. (The Yubikey 5 keys are working great for FIDO2 based MFA on ssh on Ubuntu 22.04 by the way. Quick and easy to set up and works just as it should and everything validates as correct when I check.)
2. To make sure I can see the prompt for the PIN, I stripped out the splash screen from grub. Thought I would point this out to show I am making sure I am seeing only text on boot and so am not missing anything.
3. initramfs does not recognize the fido2 option in /etc/crypttab. So I cannot use the default initramfs command. Other people trying this use dracut, so I gave that a whirl.
4. Dracut fails to boot the system after following all instructions including hacks to get it to include appropriate fido2 libraries. It seems it doesn't even attempt to unlock the luks partition at boot, but instead goes straight to attempting to mount the LVM volume inside, so hangs and then fails. I actually played with this some in Ubuntu 22.04 and this worked with the same instructions, but I failed on getting the FIDO2 key to unlock the drive. Instead after prompting me for the FIDO2 key, it prompted me for the passphrase. So this seems to be a regression as I made it further in Ubuntu 22.04 than I did in 24.04, granted there were other hoops I had to jump through for 22.04 such as converting the luks1 partition into a luks2 partition.
5. Booting off of a recovery drive (Ubuntu 24.04 installer image), I tried to open the LUKS partition with the FIDO2 key. It prompts for the PIN and has me do the presence detect, but then fails to unlock the partition. I think this goes back to #1 where it apparently fails to put a key on the Yubikey 5 key, so how is it supposed to unlock anything without that key entry? Of course unlocking with a passphrase works. I tried dorking around with dracut, but cannot seem to get around the regression in #4.
6. The only way I seem to be able to get the system to boot on its own is to switch it back to using the default initramfs tool and regenerate the initramfs file from this on the recovery boot. Granted, I was able to get the system to boot again. It is just it doesn't recognize the fido option and so never prompts to even try to unlock with the fido2 key.
7. The literature I have read and experiments I have done point to you not being able to have 2 or more FIDO2 keys registered. Apparently the FIDO2 option is just ignored if you have two or more FIDO2 entries. This goes against the notion of redundancy and especially for the case of somebody else having a FIDO2 key to unlock the drive with.
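The following is an added example (not code from the original post or from systemd) that shows what systemd-cryptenroll actually leaves behind after the enrollment command in #1: a LUKS2 token of type systemd-fido2 in the partition header, carrying the FIDO2 credential ID, the salt and the PIN/user-presence flags. It parses the JSON that `cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p8` prints, reports each FIDO2 token and the keyslot it binds, flags a header with no token or with the PIN requirement switched off, and parses an /etc/crypttab entry for the `fido2-device=` option. The header JSON and the crypttab text below are constructed samples shaped like the real output; the credential, salt and UUID bytes are made up, and the function names are this example's own.

```python
"""Inspect a LUKS2 header for systemd-cryptenroll FIDO2 tokens.

Added example, not from the original post or from systemd. Feed
`fido2_tokens` / `check_enrollment` the text printed by
`cryptsetup luksDump --dump-json-metadata <device>`.
"""
import base64
import json

# Constructed sample: keyslot 0 holds the passphrase, keyslot 1 the FIDO2
# enrollment, and token 0 (type systemd-fido2) describes that enrollment.
# Credential and salt bytes are made up.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "luks2", "key_size": 64},
    },
    "tokens": {
        "0": {
            "type": "systemd-fido2",
            "keyslots": ["1"],
            "fido2-credential": base64.b64encode(bytes(range(48))).decode(),
            "fido2-salt": base64.b64encode(b"\x11" * 32).decode(),
            "fido2-rp": "io.systemd.cryptsetup",
            "fido2-clientPin-required": True,
            "fido2-up-required": True,
            "fido2-uv-required": False,
        },
    },
})

# Constructed sample crypttab with a placeholder UUID.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
dm_crypt-0 UUID=00000000-0000-0000-0000-000000000000 none luks,fido2-device=auto
"""


def fido2_tokens(metadata_json):
    """Return one dict per systemd-fido2 token found in the header JSON."""
    meta = json.loads(metadata_json)
    found = []
    for token_id, token in meta.get("tokens", {}).items():
        if token.get("type") != "systemd-fido2":
            continue
        # The credential ID is what the authenticator needs at unlock time;
        # it lives here in the header, not as a listable entry on the key.
        cred = base64.b64decode(token["fido2-credential"])
        found.append({
            "token": token_id,
            "keyslots": [str(s) for s in token.get("keyslots", [])],
            "credential_id": cred.hex(),
            "rp": token.get("fido2-rp"),
            "pin": bool(token.get("fido2-clientPin-required")),
            "up": bool(token.get("fido2-up-required")),
            "uv": bool(token.get("fido2-uv-required")),
        })
    return found


def check_enrollment(metadata_json):
    """Return human-readable problems; an empty list means the header looks right."""
    meta = json.loads(metadata_json)
    tokens = fido2_tokens(metadata_json)
    problems = []
    if not tokens:
        problems.append("no systemd-fido2 token: enrollment did not write the header")
    for t in tokens:
        for slot in t["keyslots"]:
            if slot not in meta.get("keyslots", {}):
                problems.append(f"token {t['token']} points at missing keyslot {slot}")
        if not t["pin"]:
            problems.append(f"token {t['token']}: PIN not required (possession alone unlocks)")
        if not t["up"]:
            problems.append(f"token {t['token']}: user presence not required")
    return problems


def crypttab_fido2_entries(crypttab_text):
    """Parse crypttab lines and report the fido2-device= option of each mapping."""
    entries = []
    for line in crypttab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        opts = fields[3].split(",") if len(fields) > 3 else []
        fido2 = next((o.split("=", 1)[1] for o in opts if o.startswith("fido2-device=")), None)
        entries.append({"name": fields[0], "device": fields[1], "fido2_device": fido2})
    return entries


if __name__ == "__main__":
    for t in fido2_tokens(SAMPLE_METADATA):
        print(f"token {t['token']} -> keyslots {t['keyslots']} cred {t['credential_id'][:16]}... pin={t['pin']} up={t['up']}")
    print("problems:", check_enrollment(SAMPLE_METADATA) or "none")
    print("crypttab:", crypttab_fido2_entries(SAMPLE_CRYPTTAB))
```

Running it against a real header (`cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p8 | python3 -c 'import sys; ...'`) answers the question in #1 directly: if `check_enrollment` reports a token bound to a keyslot with `pin=True`, the enrollment is recorded where the unlock code reads it, and the crypttab parser shows whether the `fido2-device=auto` option the initramfs would need is present on the mapping line.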