I have done more tests and things can be simplified a bit more!
When you set hostonly=yes in the dracut configuration, the file /etc/crypttab is included in the initrd.
Since dracut will have this file during boot, you don't need to:
- add rd.auto=1 in /etc/default/grub
- rename the target in /etc/crypttab
So it boils down to:
#
# Switch from initramfs-tools to Dracut to manage initrd
#
apt install dracut
apt purge cryptsetup-initramfs && apt autoremove --purge
echo "hostonly=yes" > /etc/dracut.conf.d/10-hostonly.conf
dracut -f
# Test that the switch to dracut is working by rebooting 😀
reboot
#
# Enroll your FIDO2 device to unlock the LUKS volume
#
apt install fido2-tools
nano /etc/crypttab
# Change the line:
# vda5_crypt UUID=165e9c6c-6277-49b1-ac51-94158b504964 none luks,discard
# to:
# vda5_crypt UUID=165e9c6c-6277-49b1-ac51-94158b504964 none luks,discard,fido2-device=auto
# Update the initrd to include the FIDO2 tools and the updated /etc/crypttab
dracut -f
# Plug in your FIDO2 device
systemd-cryptenroll --fido2-device=list
# Check that your FIDO2 device is listed
systemd-cryptenroll --fido2-device=auto /dev/vda5
# Test that everything works as expected! 😀
reboot
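As an added example that is not part of the post above: a small POSIX shell helper that does the /etc/crypttab edit from the procedure without a manual nano session, so it can be re-run safely (the fido2-device=auto option is appended to the options field only once, and an entry with no options field gets one created), plus a check that the hostonly initrd really carries /etc/crypttab. The sample crypttab it writes is constructed for the demo (it reuses the post's vda5_crypt entry) and the function names are my own; lsinitrd is dracut's real image-listing tool.

```shell
#!/bin/sh
# Added example, not from the original post.
# crypttab fields: <target> <source device> <key file> <options>

# add_fido2_option NAME FILE
# Append ",fido2-device=auto" to the options field of the entry whose
# target is NAME. Idempotent: an entry that already carries a
# fido2-device= option is left untouched. Comments and other entries
# are printed unchanged.
add_fido2_option() {
    name="$1"
    file="$2"
    awk -v name="$name" '
        $1 == name && NF >= 3 && $4 !~ /fido2-device=/ {
            if (NF < 4) $4 = "fido2-device=auto"        # no options yet
            else        $4 = $4 ",fido2-device=auto"    # extend options
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# crypttab_options NAME FILE
# Print the options field of the entry whose target is NAME (empty if
# the entry has no options or does not exist).
crypttab_options() {
    awk -v name="$1" '$1 == name { print $4; exit }' "$2"
}

# initrd_has_crypttab [INITRD-IMAGE]
# Succeeds when lsinitrd (from dracut) lists etc/crypttab inside the
# initrd for the running kernel, or inside the given image. This is the
# property hostonly=yes is relied on for; run it after "dracut -f".
initrd_has_crypttab() {
    lsinitrd "$@" | grep -q 'etc/crypttab'
}

# Demo on a constructed crypttab in a temp file (never touches /etc).
demo=$(mktemp)
printf '%s\n' \
    '# <target name> <source device> <key file> <options>' \
    'vda5_crypt UUID=165e9c6c-6277-49b1-ac51-94158b504964 none luks,discard' \
    > "$demo"
add_fido2_option vda5_crypt "$demo"
add_fido2_option vda5_crypt "$demo"   # second run must not duplicate the option
cat "$demo"
rm -f "$demo"
```

On a real system the call would be `add_fido2_option vda5_crypt /etc/crypttab`, followed by `dracut -f` and `initrd_has_crypttab` before the reboot; the enrollment itself is still done with systemd-cryptenroll exactly as in the post.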