Installing Ubuntu Server 22.04.2 LTS for the first time ever on a Beelink Mini PC (SEi12). Went for the most standard installation possible. Configured using a guided storage layout, i.e.:
- Use entire disk
- Set up this disk as an LVM group
- Encrypt the LVM group with LUKS
Post install, moved the Mini PC down into my basement as I want to run it headless. First issue I encountered was wondering why, post install, no IP was being assigned by my DHCP; then realized, duh, I needed to decrypt. Started googling best ways to remotely decrypt, dropbear SSH, came across systemd-cryptenroll, noticed Yubikey support. However, despite all of my googling and ChatGPT'ing, I cannot seem to figure out how to properly configure it for Yubikey decryption.
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 63.3M 1 loop /snap/core20/1822
loop1 7:1 0 111.9M 1 loop /snap/lxd/24322
loop2 7:2 0 49.8M 1 loop /snap/snapd/18357
nvme0n1 259:0 0 465.8G 0 disk
├─nvme0n1p1 259:1 0 1G 0 part /boot/efi
├─nvme0n1p2 259:2 0 2G 0 part /boot
└─nvme0n1p3 259:3 0 462.7G 0 part
  └─dm_crypt-0 253:0 0 462.7G 0 crypt
    └─ubuntu--vg-ubuntu--lv 253:1 0 100G 0 lvm /
On boot, it specifically asks me to enter the passphrase to decrypt dm_crypt-0; however, when using cryptenroll, /dev/nvme0n1p3 is the only valid /dev, I can't target dm_crypt-0.
I've been following this: https://www.freedesktop.org/software/systemd/man/crypttab.html, specifically:
Example 3. FIDO2 Volume Unlocking Example
The FIDO2 logic allows using any compatible FIDO2 security token that implements the "hmac-secret" extension for unlocking an encrypted volume. Here's an example how to set up a FIDO2 security token for this purpose for a LUKS2 volume, using systemd-cryptenroll(1):
# SPDX-License-Identifier: MIT-0
# Enroll the security token in the LUKS2 volume. Replace /dev/sdXn by the
# partition to use (e.g. /dev/sda1).
sudo systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p3
# Test: Let's run systemd-cryptsetup to test if this worked.
sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/nvme0n1p3 - fido2-device=auto
# If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future.
sudo bash -c 'echo "mytest /dev/nvme0n1p3 - fido2-device=auto" >>/etc/crypttab'
sudo systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p3
Please enter current passphrase for disk /dev/nvme0n1p3:
Initializing FIDO2 credential on security token.
(Hint: This might require confirmation of user presence on security token.)
Please enter security token PIN:
Generating secret key on FIDO2 security token.
In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.
sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/nvme0n1p3 - fido2-device=auto
Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/nvme0n1p3.
Automatically discovered security FIDO2 token unlocks volume.
Please enter security token PIN: *******
Asking FIDO2 token for authentication.
Please confirm presence on security token to unlock.
Cannot use device /dev/nvme0n1p3 which is in use (already mapped or mounted).
Failed to activate with FIDO2 acquired key: Device or resource busy
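The "Device or resource busy" line is the key part of that output: the enrolment into key slot 1 succeeded, but /dev/nvme0n1p3 is already open as dm_crypt-0 (it carries the root LV), so a second test attach under a new name cannot succeed, and the option belongs on the existing dm_crypt-0 entry in /etc/crypttab rather than on a new mytest one. The shell below is an added example, not from the question or the systemd docs: it edits that entry in place and shows how to confirm which mapping is holding the partition. The UUID in the sample crypttab and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of the /etc/crypttab the Ubuntu installer writes for the
# layout in the question. The UUID is a placeholder, not the real one.
SAMPLE_CRYPTTAB='dm_crypt-0 UUID=00000000-0000-0000-0000-000000000000 none luks'

# add_fido2_option NAME
# Reads a crypttab on stdin and writes it back out with fido2-device=auto
# appended to the options field of the entry called NAME. Every other line
# is passed through untouched, and a line that already carries a
# fido2-device= option is left alone, so running it twice is safe.
add_fido2_option() {
    awk -v name="$1" '
        $1 == name && $4 !~ /fido2-device=/ {
            # crypttab fields: name device keyfile options (last two optional)
            opts = ($4 == "") ? "fido2-device=auto" : $4 ",fido2-device=auto"
            print $1, $2, ($3 == "" ? "none" : $3), opts
            next
        }
        { print }
    '
}

# mapped_name_for DEVICE
# Prints the dm-crypt mapping that currently sits on DEVICE (empty if none).
# For /dev/nvme0n1p3 on the box in the question this prints dm_crypt-0,
# which is exactly why "systemd-cryptsetup attach mytest" reports the
# partition as busy: it is already attached under that name.
mapped_name_for() {
    lsblk -rno NAME,TYPE "$1" 2>/dev/null | awk '$2 == "crypt" { print $1; exit }'
}

# Typical use on the host (writes to a temp file first so a bad edit never
# lands on /etc/crypttab directly):
#   add_fido2_option dm_crypt-0 </etc/crypttab >/tmp/crypttab.new
#   diff /etc/crypttab /tmp/crypttab.new && echo "no change" || sudo cp /tmp/crypttab.new /etc/crypttab
#   sudo update-initramfs -u
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CRYPTTAB" | add_fido2_option dm_crypt-0
fi
```

One caveat worth checking before relying on this for the root volume: Ubuntu 22.04 builds its initramfs with initramfs-tools and cryptsetup's own hook scripts rather than systemd-cryptsetup, so a fido2-device= option is honoured for volumes that systemd unlocks after root is mounted but is not acted on by the initramfs that prompts for dm_crypt-0 at boot.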