From c9bb40b133a975607666f3be1a7ed4bcb9080478 Mon Sep 17 00:00:00 2001 From: RoepLuke Date: Thu, 21 Sep 2023 23:52:04 +0200 Subject: [PATCH] Add recommended initramfs regeneration I recently tried adding a FIDO2-Device as an unlocking method to the LUKS2 partition containing my Fedora install. When trying to do this, I stumbled upon the here edited man files detailing how to do this. I however could not unlock my partition with my FIDO2-Device after editing /etc/crypttab and rebooting. As I found out after a while, I needed to regenerate / update my currently running / used initramfs (https://unix.stackexchange.com/a/705809). This would have most likely solved itself for me with the next kernel update install (as far as I understand). So I propose changing the files edited here to recommend or at least inform the user about this. --- man/fido2-crypttab.sh | 9 +++++++++ man/tpm2-crypttab.sh | 9 +++++++++ man/yubikey-crypttab.sh | 9 +++++++++ 3 files changed, 27 insertions(+) diff --git a/man/fido2-crypttab.sh b/man/fido2-crypttab.sh index b584a13bdfb..fe7351520a6 100644 --- a/man/fido2-crypttab.sh +++ b/man/fido2-crypttab.sh @@ -10,3 +10,12 @@ sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - fido2-device= # If that worked, let's now add the same line persistently to /etc/crypttab, # for the future. sudo bash -c 'echo "mytest /dev/sdXn - fido2-device=auto" >>/etc/crypttab' + +# Depending on your distribution and encryption setup, you may need +# to manually regenerate your initramfs to be able to use +# a FIDO2-Device to unlock the partition during early boot. +# More information at https://unix.stackexchange.com/a/705809 +# On Fedora based systems: +sudo dracut --force +# On Debian based systems: +sudo update-initramfs -u diff --git a/man/tpm2-crypttab.sh b/man/tpm2-crypttab.sh index c2c7405b266..f5f6e3a43db 100644 --- a/man/tpm2-crypttab.sh +++ b/man/tpm2-crypttab.sh @@ -10,3 +10,12 @@ sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - tpm2-device=a # If that worked, let's now add the same line persistently to /etc/crypttab, # for the future. sudo bash -c 'echo "mytest /dev/sdXn - tpm2-device=auto" >>/etc/crypttab' + +# Depending on your distribution and encryption setup, you may need +# to manually regenerate your initramfs to be able to use +# a TPM2 security chip to unlock the partition during early boot. +# More information at https://unix.stackexchange.com/a/705809 +# On Fedora based systems: +sudo dracut --force +# On Debian based systems: +sudo update-initramfs -u diff --git a/man/yubikey-crypttab.sh b/man/yubikey-crypttab.sh index d74dfa5cc29..f50a3496313 100644 --- a/man/yubikey-crypttab.sh +++ b/man/yubikey-crypttab.sh @@ -26,3 +26,12 @@ sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=au # If that worked, let's now add the same line persistently to /etc/crypttab, # for the future. sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >>/etc/crypttab' + +# Depending on your distribution and encryption setup, you may need +# to manually regenerate your initramfs to be able to use a +# Yubikey / PKCS#11 Token to unlock the partition during early boot. +# More information at https://unix.stackexchange.com/a/705809 +# On Fedora based systems: +sudo dracut --force +# On Debian based systems: +sudo update-initramfs -u -- 2.47.3