Hi CentOS team,
By the RPM spec files (https://gitlab.com/redhat/centos-stream/rpms/systemd/-/blob/c9s/systemd.spec...), FIDO2 support is disabled in systemd. FIDO2 support is very useful for automatic decryption of LUKS partitions with systemd-cryptsetup. This would allow for external security keys (such as a YubiKey) to decrypt drives with no user interaction. Currently, the systemd configuration supports only TPM and GPG. In older devices that don't support TPM, the only option for no-interaction FDE decryption is to use GPG (which still requires a key access password to be remotely secure).
As far as I can tell, there is no barrier to enable FIDO2 support. Please let me know if I am mistaken.
Thanks, Ersei
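As an added illustration of the request above (example script written for this page, not code from the thread or from the systemd project): a build without libfido2 advertises `-FIDO2` rather than `+FIDO2` in the feature line that `systemctl --version` prints, so the first thing to check on a CentOS Stream host is that flag. The `fido2_feature_enabled` and `crypttab_line` helpers and the sample feature lines are constructed for this example; `systemd-cryptenroll --fido2-device=auto` and the `fido2-device=auto` crypttab option are systemd's own, and the device path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the installed systemd
# was built with FIDO2 before trying to enrol a security key for LUKS.

# Return 0 if the given `systemctl --version` text advertises +FIDO2,
# 1 otherwise (a build with libfido2 disabled prints -FIDO2 instead).
fido2_feature_enabled() {
    printf '%s\n' "$1" | grep -q '+FIDO2'
}

# Produce the /etc/crypttab line that lets systemd-cryptsetup unlock the
# volume with the enrolled token at boot and no passphrase prompt.
# Arguments: mapped name, LUKS block device. (constructed helper;
# the fido2-device=auto option is systemd's own)
crypttab_line() {
    printf '%s %s none fido2-device=auto\n' "$1" "$2"
}

# Constructed sample feature lines: one build with FIDO2, one without.
SAMPLE_WITH='systemd 999 (constructed-sample)
+PAM +AUDIT +SELINUX +LIBCRYPTSETUP +FIDO2 +P11KIT +TPM2 +ZSTD default-hierarchy=unified'
SAMPLE_WITHOUT='systemd 999 (constructed-sample)
+PAM +AUDIT +SELINUX +LIBCRYPTSETUP -FIDO2 +P11KIT +TPM2 +ZSTD default-hierarchy=unified'

# On a real host: report the build's FIDO2 status and print (not run) the
# enrolment steps, so the script is safe to execute anywhere.
LUKS_DEV='/dev/PLACEHOLDER-luks-device'   # placeholder, replace on a real host
if command -v systemctl >/dev/null 2>&1; then
    if fido2_feature_enabled "$(systemctl --version)"; then
        echo "systemd build has FIDO2 support; enrol a token with:"
        echo "  systemd-cryptenroll --fido2-device=auto $LUKS_DEV"
        echo "then add this line to /etc/crypttab:"
        crypttab_line cryptroot "$LUKS_DEV"
    else
        echo "systemd build reports -FIDO2: token enrolment is not available"
    fi
fi
```

Enrolment adds a FIDO2 key slot alongside the existing passphrase slot, so the passphrase remains a fallback if the token is lost; the check above simply tells an administrator up front whether the packaged build can do this at all.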
On Fri, Jan 20, 2023 at 3:00 PM Ersei Saggi via CentOS-devel centos-devel@centos.org wrote:
> Hi CentOS team,
> By the RPM spec files (https://gitlab.com/redhat/centos-stream/rpms/systemd/-/blob/c9s/systemd.spec...), FIDO2 support is disabled in systemd. FIDO2 support is very useful for automatic decryption of LUKS partitions with systemd-cryptsetup. This would allow for external security keys (such as a YubiKey) to decrypt drives with no user interaction. Currently, the systemd configuration supports only TPM and GPG. In older devices that don't support TPM, the only option for no-interaction FDE decryption is to use GPG (which still requires a key access password to be remotely secure).
> As far as I can tell, there is no barrier to enable FIDO2 support. Please let me know if I am mistaken.
The barrier is that Red Hat would need to validate and support FIDO2 in Red Hat Enterprise Linux as CentOS Stream is the upstream of RHEL. I believe some teams are looking into this, but I'm not sure what the progress is.
josh