From: RoepLuke <contact@roeper-luke.de>
Date: Thu, 21 Sep 2023 21:52:04 +0000 (+0200)
Subject: Add recommended initramfs regeneration
X-Git-Tag: v255-rc1~455
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9bb40b133a975607666f3be1a7ed4bcb9080478;p=thirdparty%2Fsystemd.git

Add recommended initramfs regeneration

I recently tried adding a FIDO2-Device as an unlocking method to the LUKS2 partition containing my Fedora install.
When trying to do this, I stumbled upon the here edited man files detailing how to do this.
I however could not unlock my partition with my FIDO2-Device after editing /etc/crypttab and rebooting.
As I found out after a while, I needed to regenerate / update my currently running / used initramfs (https://unix.stackexchange.com/a/705809).
This would have most likely solved itself for me with the next kernel update install (as far as I understand).
So I propose changing the files edited here to recommend or at least inform the user about this.
---

diff --git a/man/fido2-crypttab.sh b/man/fido2-crypttab.sh
index b584a13bdfb..fe7351520a6 100644
--- a/man/fido2-crypttab.sh
+++ b/man/fido2-crypttab.sh
@@ -10,3 +10,12 @@ sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - fido2-device=
 # If that worked, let's now add the same line persistently to /etc/crypttab,
 # for the future.
 sudo bash -c 'echo "mytest /dev/sdXn - fido2-device=auto" >>/etc/crypttab'
+
+# Depending on your distribution and encryption setup, you may need
+# to manually regenerate your initramfs to be able to use
+# a FIDO2-Device to unlock the partition during early boot.
+# More information at https://unix.stackexchange.com/a/705809
+# On Fedora based systems:
+sudo dracut --force
+# On Debian based systems:
+sudo update-initramfs -u
diff --git a/man/tpm2-crypttab.sh b/man/tpm2-crypttab.sh
index c2c7405b266..f5f6e3a43db 100644
--- a/man/tpm2-crypttab.sh
+++ b/man/tpm2-crypttab.sh
@@ -10,3 +10,12 @@ sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - tpm2-device=a
 # If that worked, let's now add the same line persistently to /etc/crypttab,
 # for the future.
 sudo bash -c 'echo "mytest /dev/sdXn - tpm2-device=auto" >>/etc/crypttab'
+
+# Depending on your distribution and encryption setup, you may need
+# to manually regenerate your initramfs to be able to use
+# a TPM2 security chip to unlock the partition during early boot.
+# More information at https://unix.stackexchange.com/a/705809
+# On Fedora based systems:
+sudo dracut --force
+# On Debian based systems:
+sudo update-initramfs -u
diff --git a/man/yubikey-crypttab.sh b/man/yubikey-crypttab.sh
index d74dfa5cc29..f50a3496313 100644
--- a/man/yubikey-crypttab.sh
+++ b/man/yubikey-crypttab.sh
@@ -26,3 +26,12 @@ sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=au
 # If that worked, let's now add the same line persistently to /etc/crypttab,
 # for the future.
 sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >>/etc/crypttab'
+
+# Depending on your distribution and encryption setup, you may need
+# to manually regenerate your initramfs to be able to use a
+# Yubikey / PKCS#11 Token to unlock the partition during early boot.
+# More information at https://unix.stackexchange.com/a/705809
+# On Fedora based systems:
+sudo dracut --force
+# On Debian based systems:
+sudo update-initramfs -u