Adrian Vovk
Not sure how valuable such a hookup is? On LUKS2, cryptsetup itself will use the empty password using the plugin. This is because `systemd-cryptsetup` calls `crypt_activate_by_token_pin` and tells cryptsetup to...
Sorry, I'm not completely familiar with the inner workings of cryptsetup. So your concern is that cryptsetup might choose another token type (say `systemd-tpm2`), and then possibly ask for a...
Bumping. Do I have the right idea on how to implement your suggestion?
Bumping again. Still not sure how to implement what you're asking for.
TODO: We need to discuss the effect this may have re: security. i.e. If we can auto-unlock the root partition on a malicious boot disk, that may be a problem...
> You have another PR for that

I don't think I have a PR that is relevant to the security concern. Should I open an issue about it?
> Hmm, ok, so we already have a crypttab option try-empty-password=. It defaults to off. I think we should simply make sure the token honours that setting too.

We don't...
Latest force push just changes the "added in" version number from 255 to 256
This PR has been broken by https://github.com/systemd/systemd/pull/30185, and I really don't know what to do about it. We need to somehow check in cryptsetup if there's a systemd-empty token enrolled,...
The solution is probably [this API in cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/-/issues/777#note_1158889781), which can be used to deal w/ Lennart's concerns in #30105