From: bluca@debian.org 
  
 On Thu, 14 Aug 2025 at 22:08, David H€€rdeman  wrote: 
 > 
 > August 14, 2025 at 4:26 PM, "Luca Boccassi"  wrote: 
 > > > 
 > > > I've been hacking on adding support for systemd-cryptenroll(1) style 
 > > > keys to partman-crypto. 
 > > > ... 
 > > > It also forcefully replaces initramfs-tools with dracut (since only 
 > > > dracut supports systemd-cryptenroll style keys). 
 > > 
 > > Are you 100% sure about that? I am running prebuilt ukis these days, 
 > > but before that I had just the normal initramfs-tools and I always used 
 > > fido2 for luks2 unlocking. It should work, cryptsetup will load the 
 > > plugins as long as they are installed in the initrd. 
 > 
 > I'm not 100% sure, no. I just assumed that cryptsetup didn't support these 
 > kinds of keys in the initramfs since it spits out warnings about 
 unrecognised 
 > options for e.g. "fido2-device=" cfg options in crypttab when the initramfs 
 > is regenerated. But if it's the general consensus that systemd-cryptenroll 
 > support is useful in debian-installer, I could certainly look into it... 
  
 cryptsetup supports these keys via the token plugins that get 
 installed via the systemd-cryptsetup package. It complains about 
 unknown options, but that can be ignored. 
  
 > If it does indeed support it, I'd still need to figure out a way to pass 
 > the password/PIN requests from cryptsetup to debconf, like the C utility 
 > I wrote (in the branch I linked) for the systemd-style password agent 
 protocol. 
  
 At boot? I don't think that is needed? Either the prompt is on the tty 
 or in plymouth, shouldn't need anything else at boot 
  
 --- SoupGate-Win32 v1.05 
  * Origin: you cannot sedate... all the things you hate (1:229/2)