shimunn
It might be time to update those instructions, the credential id parameter accepts a list of one or more comma-separated credentials, which wasn't the case in earlier versions. On...
Correct

On 13 September 2021 19:04:00 CEST, My1 ***@***.***> wrote:
>cool. how would you write that, like this?
>```
>rd.luks.2fa=,,:
>```
>or how?
>
>--
>You are receiving this because...
That's strange, does your header contain entries such as this:
```
cryptsetup token export /dev/nvme1n1p1 --token-id 2
{"credential":["64f04c01beecf2bcca7554e8f5590fd54d246e75ac35fac2e592372b70703466c5d352dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec014463f0000"],"keyslots":["1"],"type":"fido2luks\u0000"}
```
and is the credential exactly the same as the one that...
I've updated my Solo to that same version but cannot reproduce your issue, what distro are you using?
Thanks for putting this together, I wanted to do that myself for quite a while but haven't gotten to it since the scripts used for Fedora still fall under the GPL...
It's just bash, [this](https://github.com/shimunn/fido2luks/tree/master/initramfs-tools) just has to be ported to [dracut](https://man7.org/linux/man-pages/man7/dracut.modules.7.html), but I'll get onto it this weekend unless you beat me to it :)
I would just get rid of systemd and just use a plain old keyscript via /etc/crypttab, which is much simpler
> I didn't find any good references for keyscript on Fedora, so I started to [experiment on my own](https://github.com/suhancz/fido2luks/tree/feature/rpm). I'd appreciate if you looked into it before I submit something...
The `--pin` option isn't supposed to be used alone in non-interactive mode, but in conjunction with `--pin-prefixed` like so: ``` fido2luks open /dev/sda sda-crypt --await-dev 300 --password-helper 'read -rsp...
Using `--pin` in interactive mode seems like a suboptimal solution imo, since that won't work well with distros which use Plymouth, like Fedora. Another solution would be to introduce an...