Bug#1007268: Enable LUKS unlock with security keys (FIDO2/PKCS11) and TPM2

Michael Biebl biebl at debian.org
Tue Mar 15 08:04:38 GMT 2022


Version: 250.2-3


systemd (250.2-3) unstable; urgency=medium

   [ Luca Boccassi ]
   * Build with and suggest fido2 and tpm libraries.
     These are used via dlopen only if available by some tools like
     systemd-cryptsetup, systemd-cryptenroll and systemd-repart,
     with graceful fallbacks if they are not found.
     Build-depend on them so that the features get compiled in
     (apart from stage1 builds), and add appropriate Suggests.
     (Closes: #991129, #1003383)
   * Disable libcryptsetup-plugins.
     They are new, and might not even be supported by libcryptsetup yet.
   * Build-depend on libssl-dev.
     Required to use libfido2-dev until #1003699 is fixed.


Am 15.03.22 um 08:18 schrieb Trent Lloyd:
> Package: systemd
> 
> I would like to unlock LUKS encrypted disks with the new systemd-cryptsetup
> ability to unlock using security keys such as Yubikey, etc. I am primarily
> interested in the FIDO2 support personally however there is also PKCS11 and
> TPM2 support.  It would be great to enable all 3 of these.
> 
> An introduction/overview of the feature can be found here:
> https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
> 
> The relevant options libfido2, p11kit and tpm2 are currently disabled
> in debian/rules.
> 
> It seems the fido2 support was disabled in 246-1 because "This is only used by
> homed which we don't enable." however that doesn't apply anymore. Additionally
> the p11kit and tpm2 support was disabled in 245-1 due to being new features
> that require further review.
> 

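As an added example (not from this bug report or the Debian package), a POSIX shell check for whether the installed systemd was built with the FIDO2, P11KIT and TPM2 back-ends the report asks for, read from the `+FEATURE`/`-FEATURE` list that `systemctl --version` prints; it assumes that list is on the second line of the banner, as in systemd 250, and the sample feature string is constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian packaging.
# systemd prints its compile-time feature list as +FEATURE / -FEATURE tokens on
# the second line of `systemctl --version`; FIDO2, P11KIT and TPM2 are among them.
# systemd-cryptsetup only dlopen()s the libraries at runtime, so "+" means
# "compiled in", not "library installed".

# Print "built-in" if feature list $1 contains "+$2", "disabled" if it contains
# "-$2", and "unknown" if the name is absent (e.g. a systemd that predates it).
# Padding with spaces keeps "+IDN" from matching "+IDN2".
feature_state() {
    case " $1 " in
        *" +$2 "*) echo built-in ;;
        *" -$2 "*) echo disabled ;;
        *)         echo unknown ;;
    esac
}

# One "NAME=state" line per LUKS token back-end relevant to this bug.
report_token_backends() {
    for f in FIDO2 P11KIT TPM2; do
        printf '%s=%s\n' "$f" "$(feature_state "$1" "$f")"
    done
}

# Constructed sample in the shape of systemd's banner (not real output of any
# particular Debian build): FIDO2 and TPM2 on, P11KIT off.
SAMPLE_FEATURES='+PAM +AUDIT +OPENSSL +FIDO2 -P11KIT +TPM2 +LIBCRYPTSETUP'

# Live check when systemctl is available; otherwise fall back to the sample.
LIVE_FEATURES=''
if command -v systemctl >/dev/null 2>&1; then
    LIVE_FEATURES=$(systemctl --version 2>/dev/null | sed -n '2p')
fi
if [ -n "$LIVE_FEATURES" ]; then
    report_token_backends "$LIVE_FEATURES"
else
    report_token_backends "$SAMPLE_FEATURES"
fi
```

A back-end reported as "built-in" still needs its shared library (for example libfido2 or libtss2) installed before systemd-cryptenroll can use it, which is why the changelog above adds them as Suggests.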