cornelinux / yubikey-luks

Two factor authentication for harddisk encryption

yubikey-luks initramfs unlock script does not work on Ubuntu 24.04 LTS #95

Open random578036896547 opened 3 months ago

random578036896547 commented 3 months ago

Hi, on a clean new installation of Ubuntu 24.04 the yubikey-luks initramfs unlock script does not work.

After installation (sudo apt-get install yubikey-luks -y) I am able to enroll keys in key slots with yubikey-luks-enroll (both for the default system partition (/dev/nvme0n1p3) and for an external USB pen drive I used for testing, /dev/sda3). I am able to use yubikey-luks-open for the external pen drive (/dev/sda3) I used for testing. So making key slots and using challenge-responses from the YubiKeys works. However, after a reboot of the system, no yubikey-luks welcome text is shown in the LUKS unlock screen and unlocking with keyslots containing enrolled keys does not work. Only those I made with luksAddKey, and therefore with passwords only, are working. I am using the same laptop as for the previous 18.04-23.10 releases where everything worked OK (Dell XPS 13 9350).

- Did not work the first time (depending on automatically adding the keyscript to crypttab - that worked for me before).
- Did not work after a manual sudo update-initramfs -u.
- Did not work after adding cryptroot /dev/nvme0n1p3 none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript to /etc/crypttab and doing sudo update-initramfs -u again.

Both YubiKey NFC5c keys I have are initialized for challenge-response (ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible). Thanks in advance for any advice, thx.

Vincent43 commented 3 months ago

Do you have cryptsetup-initramfs package installed?

Does sudo update-initramfs -u show any warnings/errors?

Can you unpack the created initramfs and check if /sbin/ykluks-keyscript, /usr/bin/ykchalresp, /usr/bin/ykinfo, /usr/bin/sha256sum and /etc/ykluks.cfg exist?

Also, does passing cryptoptions=target=cryptroot,source=/dev/nvme0n1p3,keyscript=/sbin/ykluks-keyscript in the boot cmdline make any difference?
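The two checks suggested above (does the unpacked initramfs carry the keyscript and its helpers, and does crypttab actually reference the keyscript) can be scripted. The following is an added example written for this thread, not code from the yubikey-luks project; it assumes the initramfs was unpacked with unmkinitramfs into a directory whose main/ subfolder holds the root payload, as later reported in this thread, and it only reads files, so it is safe to run on a live system.

```shell
#!/bin/sh
# Added example (not part of yubikey-luks): sanity-check an unpacked initramfs
# and /etc/crypttab for the pieces the ykluks keyscript needs at boot.
#
# Assumed layout (from the thread):
#   unmkinitramfs /boot/initrd.img-$(uname -r) initramfs/
# leaves the root payload in initramfs/main.

# Files the keyscript depends on, as listed in the thread. Paths are relative
# to the unpacked payload directory.
YKLUKS_REQUIRED_FILES="sbin/ykluks-keyscript usr/bin/ykchalresp usr/bin/ykinfo usr/bin/sha256sum etc/ykluks.cfg"

# check_ykluks_initramfs DIR
# Prints one status line per required file; returns 0 only if all are present.
check_ykluks_initramfs() {
    dir=$1
    missing=0
    for f in $YKLUKS_REQUIRED_FILES; do
        if [ -e "$dir/$f" ]; then
            printf 'ok       %s\n' "$f"
        else
            printf 'MISSING  %s\n' "$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_crypttab_keyscript FILE
# Returns 0 if a non-comment line in FILE carries a keyscript= option that
# points at ykluks-keyscript (either the /usr/share or the /sbin path).
check_crypttab_keyscript() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | grep -q 'keyscript=[^,[:space:]]*ykluks-keyscript'
}

# Stand-alone usage on a real system (as root):
#   unmkinitramfs "/boot/initrd.img-$(uname -r)" /tmp/initramfs
#   check_ykluks_initramfs /tmp/initramfs/main && echo "initramfs: complete"
#   check_crypttab_keyscript /etc/crypttab && echo "crypttab: keyscript set"
```

A complete initramfs with a crypttab that never mentions the keyscript points at a configuration problem; a crypttab that does mention it while the files are missing from the initramfs points at the hook that copies them in. Both functions return a plain exit status so they can be chained in a boot-debugging checklist.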

random578036896547 commented 3 months ago

Hi,

ad) cryptsetup-initramfs yes, it is installed in version: (2:2.7.0-1ubuntu4)

ad) sudo update-initramfs -u:
update-initramfs: Generating /boot/initrd.img-6.8.0-35-generic
cp: warning: behavior of -n is non-portable and may change in future; use --update=none instead

ad) unmkinitramfs /boot/initrd.img-$(uname -r) initramfs/ - after unpacking I have 4 folders: main, early, early2, early3. Folder main contains all the mentioned files (/sbin/ykluks-keyscript, /usr/bin/ykchalresp, /usr/bin/ykinfo, /usr/bin/sha256sum and /etc/ykluks.cfg); they seem to have valid content, and the config /etc/ykluks.cfg does change accordingly when I, for example, change the welcome text in the master config and call sudo update-initramfs -u.

ad) cryptoptions=target=cryptroot,source=/dev/nvme0n1p3,keyscript=/sbin/ykluks-keyscript - same outcome (no welcome text, not working in the LUKS unlock screen).

Vincent43 commented 3 months ago

Ok, so what exactly happens when you boot the OS and want to decrypt the drive? What is shown on the screen?

random578036896547 commented 3 months ago

[Two photos attached: PXL_20240620_071120906, PXL_20240620_071142470] (before and after I try to enter the password for YubiKey challenge-response keyslots; password-only keyslots work OK.)

Vincent43 commented 3 months ago

Does it fall back to console mode when you hit the Esc key repeatedly while showing this screen?

The yubikey-luks welcome message is "Please insert yubikey and press enter or enter a valid passphrase". On your photos there is different text; it looks like something else is running than yubikey-luks?

random578036896547 commented 2 months ago

I attached a screenshot after Esc from my laptop. I do not think that the RMRR error has any consequence for yubikey-luks, and to test it I took an entirely different system (Desktop) and made a new clean installation of 24.04 with only default values (the only exception being a LUKS-encrypted disk via the installer instead of the default non-encrypted one). The outcome was the same issue and no errors on the other system, so I would expect that this affects all new Ubuntu 24.04 installations. [Photos attached: signal-2024-07-17-121323, PXL_20240625_180127841, PXL_20240625_180119021, PXL_20240625_180111106, PXL_20240625_180059187]

Vincent43 commented 2 months ago

It indicates yubikey-luks isn't started for some reason.