[CentOS-devel] Enable FIDO2 Support in systemd

Fri Jan 20 20:38:30 UTC 2023
Josh Boyer <jwboyer at redhat.com>

On Fri, Jan 20, 2023 at 3:00 PM Ersei Saggi via CentOS-devel
<centos-devel at centos.org> wrote:
>
> Hi CentOS team,
>
> By the RPM spec files, (https://gitlab.com/redhat/centos-stream/rpms/systemd/-/blob/c9s/systemd.spec#L599), FIDO2 support is disabled in systemd. FIDO2 support is very useful for automatic decryption of LUKS partitions with systemd-cryptsetup. This would allow for external security keys (such as a Yubikey) to decrypt drives with no user interaction. Currently, the systemd configuration supports only TPM and GPG. In older devices that don't support TPM, the only option for no-interaction FDE decryption is to use GPG (which still requires a key access password to be remotely secure).
>
> As far as I can tell, there is no barrier to enable FIDO2 support. Please let me know if I am mistaken.

The barrier is that Red Hat would need to validate and support FIDO2
in Red Hat Enterprise Linux as CentOS Stream is the upstream of RHEL.
I believe some teams are looking into this, but I'm not sure what the
progress is.

josh
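Added example, not part of the thread or of the systemd project: a POSIX shell script that first checks whether the systemd on a box was built with libfido2 (the feature flags on the second line of `systemctl --version` show +FIDO2 or -FIDO2, which is what the spec's build option controls), and only then would enroll a token with systemd-cryptenroll and write the crypttab entry. The feature line below is a constructed sample, the device name /dev/sda2 and mapped name cryptroot are assumptions, and the enroll function is not executed here. One caveat for the "no user interaction" goal in the question: a FIDO2 unlock is only touch-free if the token honours --fido2-with-user-presence=no; otherwise the boot still waits for a button press.

```shell
#!/bin/sh
# Added example (not from the thread or the systemd project).
# 1) Tell whether the running systemd was built with libfido2 by reading the
#    feature flags that `systemctl --version` prints on its second line.
# 2) If it was, enroll a FIDO2 token into a LUKS2 volume with systemd-cryptenroll
#    and emit the matching /etc/crypttab line.

# Constructed sample of the feature line; on a real host it comes from
#   systemctl --version | sed -n 2p
# A build configured with -Dlibfido2=false prints -FIDO2 here.
SAMPLE_FEATURES='+PAM +AUDIT +SELINUX +GCRYPT +OPENSSL +LIBCRYPTSETUP -FIDO2 +P11KIT +TPM2 +ZSTD'

# Echo enabled / disabled / unknown for one feature name in a feature line.
feature_status() {
    _name="$1"; _features="$2"
    case " $_features " in
        *" +$_name "*) echo enabled ;;
        *" -$_name "*) echo disabled ;;
        *)             echo unknown ;;
    esac
}

# Build the /etc/crypttab entry used for unattended unlock at boot.
# Field order: mapped name, block device, key file (none), options.
crypttab_line() {
    printf '%s %s none fido2-device=auto\n' "$1" "$2"
}

# Enroll a token (assumptions: $2 is an existing LUKS2 volume and the token is
# plugged in). Not executed in this example. --fido2-with-user-presence=no only
# removes the touch prompt on tokens that allow it.
enroll_fido2() {
    _name="$1"; _dev="$2"
    systemd-cryptenroll --fido2-device=auto \
        --fido2-with-client-pin=no --fido2-with-user-presence=no "$_dev" || return 1
    crypttab_line "$_name" "$_dev" >> /etc/crypttab
}

status=$(feature_status FIDO2 "$SAMPLE_FEATURES")
echo "FIDO2 in this systemd build: $status"
if [ "$status" = enabled ]; then
    echo "would run: enroll_fido2 cryptroot /dev/sda2"
else
    echo "systemd-cryptenroll --fido2-device will not work on this build"
fi
```

Run it as-is to see the check against the constructed sample; on a real host replace SAMPLE_FEATURES with the output of `systemctl --version | sed -n 2p`, and only call enroll_fido2 once the status reads enabled and you have a second, independent LUKS key slot (a passphrase or recovery key) so a lost token does not lock you out.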