Open
Description
SUMMARY
With systemd-cryptenroll/systemd-resize it is possible to format a LUKS container with a TPM2 key. This makes it possible to perform any operation without needing a keyfile or password. Since the luks_device module makes it mandatory to provide one or the other, it is not possible to open the LUKS container or add an additional keyslot. So I had to resort to using the cryptsetup command directly.
Is it possible to loosen this restriction so that alternative unlocking mechanisms like TPM2 and FIDO2 tokens are possible?
ISSUE TYPE
- Feature Idea
COMPONENT NAME
community.crypto.luks_device
ANSIBLE VERSION
ansible [core 2.18.3]
config file = None
configured module search path = ['/home/sylv/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.13/site-packages/ansible
ansible collection location = /home/sylv/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.13.2 (main, Feb 5 2025, 08:05:21) [GCC 14.2.1 20250128] (/usr/bin/python)
jinja version = 3.1.5
libyaml = True
COLLECTION VERSION
community.crypto 2.25.0
STEPS TO REPRODUCE
- Format a LUKS container using TPM2 key:
# systemd-cryptenroll /dev/sda
SLOT TYPE
0 tpm2
- Try to open it without providing password or keyfile:
- name: Open LUKS root container
  luks_device:
    device: /dev/disk/by-partlabel/root-x86-64
    state: opened
    name: root
EXPECTED RESULTS
LUKS container is open.
ACTUAL RESULTS
Task status returns ok, but LUKS container is not open.
TASK [bootstrap : Open LUKS root container] ******************************************************************************
ok: [r6]
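A workaround for the restriction described above, as an added example that is not part of the issue or of the community.crypto collection: it opens the TPM2-enrolled container with systemd-cryptsetup (no passphrase or keyfile) and then verifies that the mapping really exists, so a task cannot report ok while the volume stays closed. It assumes the device path and mapping name from the report, that systemd-cryptsetup is available on the host, and that the enrollment was done with systemd-cryptenroll as shown.

```yaml
# Added example, not from the issue or the community.crypto collection.
# Assumptions: device path and mapping name as in the report; systemd-cryptsetup
# (shipped with systemd) is present; the volume was enrolled with systemd-cryptenroll.
- name: Open TPM2-enrolled LUKS container and verify it
  hosts: all
  become: true
  vars:
    luks_device: /dev/disk/by-partlabel/root-x86-64
    luks_name: root
  tasks:
    - name: Check whether the mapping is already active
      ansible.builtin.command:
        cmd: cryptsetup status {{ luks_name }}
      register: luks_status
      changed_when: false
      failed_when: false
      check_mode: false

    - name: Open the container using the TPM2 token (no passphrase or keyfile)
      # "-" means no key file; tpm2-device=auto is the crypttab-style option
      # that tells systemd-cryptsetup to unlock with the enrolled TPM2.
      # A non-zero exit (for example a PCR policy mismatch after a boot-chain
      # change) fails the play instead of passing silently.
      ansible.builtin.command:
        cmd: >-
          systemd-cryptsetup attach {{ luks_name }} {{ luks_device }} -
          tpm2-device=auto
      when: luks_status.rc != 0

    - name: Confirm the mapped device now exists
      ansible.builtin.stat:
        path: "/dev/mapper/{{ luks_name }}"
      register: mapped

    - name: Fail loudly if the container did not open
      ansible.builtin.assert:
        that:
          - mapped.stat.exists
          - mapped.stat.isblk
        fail_msg: "LUKS volume {{ luks_name }} is not open"
```

The final assert is the check the original task lacked: it turns "ok but not open" into a visible failure.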