Comment # 2
on bug 1234010
from Chris Miller
Once the swap partition gets decrypted swap works fine, the issue is that
initial decryption of the swap partition is not happening with FIDO2. Here is
my system swap status after booting with plymouth disabled and not plugging in
the FIDO2 key, which avoids the issue since the system falls back to password
immediately. In this case I only have to enter my password once to unlock both
the root and swap partitions.
(base) cbmiller@localhost:/dev> sudo swapon --show
NAME TYPE SIZE USED PRIO
/dev/dm-1 partition 31.3G 0B -2
/dev/zram0 partition 31.3G 139.5M 100
(base) cbmiller@localhost:/dev> sudo dmsetup info cr_swap
Name: cr_swap
State: ACTIVE
Read Ahead: 1024
Tables present: LIVE
Open count: 1
Event number: 0
Major, minor: 254, 1
Number of targets: 1
UUID: CRYPT-LUKS2-1b692ff923f54d8486ee51b3c3cb72c4-cr_swap
(base) cbmiller@localhost:/dev> lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 465.8G 0 disk
└─sda1 8:1 0 465.8G 0 part /OFFLOAD
sdb 8:16 0 10.9T 0 disk
└─sdb1 8:17 0 10.9T 0 part /run/media/cbmiller/Chris_Backup
zram0 253:0 0 31.3G 0 disk [SWAP]
nvme0n1 259:0 0 931.5G 0 disk
├─nvme0n1p1 259:1 0 512M 0 part /boot/efi
├─nvme0n1p2 259:2 0 899.7G 0 part
│ └─cr_root 254:0 0 899.7G 0 crypt /var
│ /usr/local
│ /srv
│ /root
│ /home
│ /boot/grub2/x86_64-efi
│ /opt
│ /boot/grub2/i386-pc
│ /.snapshots
│ /
└─nvme0n1p3 259:3 0 31.3G 0 part
└─cr_swap 254:1 0 31.3G 0 crypt [SWAP]
Here is the output from cryptenroll:
(base) cbmiller@localhost:/dev> sudo systemd-cryptenroll /dev/nvme0n1p2
SLOT TYPE
0 password
1 fido2
(base) cbmiller@localhost:/dev> sudo systemd-cryptenroll /dev/nvme0n1p3
SLOT TYPE
0 password
1 fido2