Expand support for and document systemd-cryptenroll

[j0hax]

Describe the issue

The upgrade from systemd 247 to 249 recently landed in nixpkgs-unstable. Version 248 brought support for systemd-cryptenroll, which allows for automatica unlocking of LUKS2 volumes with diverse security hardware.

In my specific case, I would like to use a FIDO2 security key as described in Lennart Poettering's blog post, which requires an entry in /etc/crypttab.

Running systemd-cryptenroll correctly configures LUKS slots and tokens, and setting

environment.etc.crypttab = {
    enable = true;
    text = ''
      cryptroot /dev/sda2 - fido2-device=auto
    '';
  };

in my system configuration provides the correct file and appears to integrate with systemd when rebuilding. However I am still asked to provide a password for /dev/sda2 when rebooting with zero interaction from my security key.

Expected behavior

Unlocking LUKS at boot by confirming user presence. Ideally this could be managed by a NixOS Module such as luksroot.

Additional Context

• I am using a SoloKeys Somu, which supports U2F and FIDO2

• I believe this could be related to zfs-import services do not wait for LUKS devices to be opened (need a cryptsetup.target) #31258.

Notify maintainers

@andir @eelco @flokli @kloenk

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.68, NixOS, 21.11 (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.4pre20210908_3c56f62`
 - channels(root): `"nixos-21.11pre313466.bc06c93905f"`
 - channels(johannes): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute: cryptsetup
# a list of nixos modules affected by the problem
module: systemd

[flokli]

@j0hax you might want to take a look at #139864, which should provide some guidelines, and verify this actually works with non-root partitions and /etc/crypttab.

[flokli]

#139864 has been merged, the staging branch of nixpkgs should contain this.

Can you take a look at this and report back?

[NickCao]

Tested with tpm2 and fido2, all working as intended.

[ivankovnatsky]

(sorry for commenting on a closed issue)

I'm still being asked for the password, though the configuration went fine, Can you please share your configuration? maybe I'm just missing something?

running nixos-unstable

I have this in my config:

  environment.etc.crypttab = {
    enable = true;
    text = ''
      crypted /dev/nvme0n1p2 - tpm2-device=auto
    '';
  };

[NickCao]

I'm using nearly identical configuration, you may test the correctness of your setup with:
sudo /run/current-system/systemd/lib/systemd/systemd-cryptsetup attach crypted /dev/nvme0n1p2 - tpm2-device=auto

[ivankovnatsky]

yes, as expected:

sudo /run/current-system/systemd/lib/systemd/systemd-cryptsetup attach crypted /dev/nvme0n1p2 - tpm2-device=auto
Volume crypted already active.

did you tweak something under this config: https://github.com/ivankovnatsky/nixos-config/blob/main/hosts/thinkpad/boot.nix#L13 ?

[NickCao]

systemd-cryptsetup won't work in initrd yet

[ivankovnatsky]

ah, got it.

[flokli]

systemd in initrd is discussed at #120015 (and other issues/PRs linked to/from there)