Suggest systemd-cryptenroll instead of fido2luks

The full disk encryption page currently suggests fido2luks, which appears to be inactive, in alpha and with little support. I think it would be better to suggest systemd-cryptenroll, which supports FIDO2. I have set this up successfully with my OnlyKey on a Fedora laptop.

One thing I would add is, for the OnlyKey, you need a bootloader screen to wait for user input so you can unlock the key before boot. If the key is not present, it continues with user pass-phrase. If the key is locked, it misses the user presence prompt and dracut eventually times out.

I'm happy to write this and submit a pull request.


There is a pretty detailed guide here and a helpful Stack Exchange answer here.
