This dracut module installs the services that allow systemd-cryptsetup to unlock disks encrypted with PKCS11 token.
This module has been tested on Gentoo, but should in work on other Linux flavors.
Install from nitratesky overlay:
eselect repository enable nitratesky && emerge -a sys-kernel/dracut-pcscd-cryptsetup
-
Install dependencies:
- ccid
- p11-kit
- opensc
- pcsc-lite
-
Create a dracut module directory (
/usr/lib/dracut/modules.d/99pcscd-cryptsetup) -
Place
module-setup.shfile in that directory
In order to use this module, add the following to your dracut configuration (located in /etc/dracut.conf or in /etc/dracut.conf.d/:
add_dracutmodules+=" pcscd-cryptsetup "
Make sure that the dracut configuration also contains
add_dracutmodules+=" crypt "
And /etc/crypttab is installed into initramfs:
install_items+=" /etc/crypttab "
This module contains _debug function that adds systemd-cryptenroll and opensc-tool to initramfs.
If [email protected] does not prompt for token password during boot, you can add call to _debug function into install function in module-setup.sh. On Gentoo, enable debug useflag and emerge --changed-use dracut-pcscd-module.
Then, once booted into dracut emergency shell, check if pcscd.service is running (run systemctl status).
Check if the reader is generally visible (run opensc-tool -l).
Check if systemd can see the token (run systemd-cryptenroll --pkcs11-token=list).
if no obvious error is returned – feel free to open an issue on Github.