
#1 2025-09-29 13:49:38

Kr0kus
Member
Registered: 2025-08-08
Posts: 2

FDE Unlocking using PKCS11 smartcard keeps asking for passphrase

Hi guys,

I’m trying to set up an Arch installation with an encrypted root partition which I’d like to unlock using a PKCS#11 smartcard+PIN during boot. However, at boot, it does not ask for the PIN, and the following happens:
The following two lines alternate on the screen:

"(1 of 2) A start job is running for /dev/mapper/cryptroot (<<timer which counts up>> / no limit)"
"(2 of 2) A start job is running for Cryptography Setup for cryptroot (<<timer which counts up>> / no limit)"

Please note that it does not provide an input field or something at this point. After the timer hits 31 seconds, it proceeds and asks for my passphrase:

"Please enter passphrase for disk <<my disk>> (cryptroot): [input field]"

I can then input my passphrase and I can continue booting. But I want to use my smartcard with a PIN-code. I don't think it's influential, but I'm using a Smartcard-HSM from CardContact GmbH. I have made a habit of inserting the smartcard before turning on the machine, so the reader should be awake and active. (Some readers only turn on when a card is inserted, which can result in the system not being able to find the card reader it's looking for).

Here are some important points I think:

  • It’s a manual installation following >this< guide using a Unified Kernel Image, further supplemented with the official installation guide

  • I’m using systemd, sd-vconsole and sd-encrypt in my mkinitcpio.conf as per that guide.

  • I think I’ve installed all required dependencies to interface with my PKCS11-card and interacting with it during runtime is no problem. These dependencies are:

    ccid pcsclite opensc p11-kit pcsc-tools opensc-p11-kit-module(AUR) mkinitcpio-pkcs11(AUR)
  • I’ve enrolled the token on the smartcard successfully to the LUKS-partition using the following command:

    systemd-cryptenroll --pkcs11-token-uri=auto /dev/sda2
  • The output of running just systemd-cryptenroll /dev/sda2 to list the tokens is the following, as expected:

    SLOT TYPE
      0  password
      1  pkcs11
  • At runtime, I can run the following command and get the expected output after providing my PIN:

    cryptsetup --test-passphrase --token-only luksOpen /dev/sda2
    Successfully logged into security token 'Smartcard-HSM'
    Successfully decrypted key with security token
  • I’ve added pkcs11-uri=auto to /etc/crypttab.initramfs as per Lennart Poettering's blog and the relevant wiki/man pages

  • (I can’t add it to my regular crypttab, since that only contains references to my cryptswap partition. I've added these files to this post below)

  • I have installed mkinitcpio-pkcs11(AUR) and added it early to my hook-list in mkinitcpio.conf. To my knowledge this package should provide the ccid, pcsclite and other smartcard-related dependencies to the initramfs, and start relevant services at that time as well

  • Running mkinitcpio -P does not throw errors either after copying /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist to /etc/libccid_Info.plist

  • The HOOKS section of my mkinitcpio.conf is:

    HOOKS=(base systemd pkcs11 udev autodetect microcode modconf kms keyboard keymap consolefont sd-vconsole block sd-encrypt filesystems fsck) 
  • The content of my fstab is:

    # <file system> <dir> <type> <options> <dump> <pass>
    # /dev/mapper/cryptroot
    UUID=fbc1122a-9077-4ba5-b6d7-c2bc664cc182       /               btrfs           rw,noatime,compress=zstd:1,ssd,space_cache=v2,autodefrag,subvol=/@      0 0
    # /dev/mapper/cryptroot
    UUID=fbc1122a-9077-4ba5-b6d7-c2bc664cc182       /home           btrfs           rw,nodev,noatime,compress=zstd:1,ssd,space_cache=v2,autodefrag,subvol=/@home   0 0
    # /dev/mapper/cryptroot
    UUID=fbc1122a-9077-4ba5-b6d7-c2bc664cc182       /.snapshots     btrfs           rw,nosuid,nodev,noexec,noatime,compress=zstd:1,ssd,space_cache=v2,autodefrag,subvol=/@snapshots      0 0
    # /dev/mapper/cryptroot
    UUID=fbc1122a-9077-4ba5-b6d7-c2bc664cc182       /var/log        btrfs           rw,nosuid,nodev,noexec,noatime,compress=zstd:1,ssd,space_cache=v2,autodefrag,subvol=/@var_log        0 0
    # /dev/mapper/cryptroot
    UUID=fbc1122a-9077-4ba5-b6d7-c2bc664cc182       /var/cache/pacman/pkg   btrfs           rw,nosuid,nodev,noexec,noatime,compress=zstd:1,ssd,space_cache=v2,autodefrag,subvol=/@pacman_pkgs    0 0
    # /dev/sda1
    UUID=19E9-6648          /efi            vfat            rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro      0 2
    # /dev/sda3
    /dev/mapper/cryptswap   none            swap            defaults        0 0
  • The content of my crypttab is:

    cryptswap  UUID=f87c41f9-b287-4124-afd9-4791b41330db  /dev/urandom  swap,offset=2048
  • The content of my crypttab.initramfs is:

    cryptroot  UUID=e076d86b-4240-4107-a60c-12113cfa18f7  -  pkcs11-uri=auto,password-echo=no,x-systemd.device-timeout=0,timeout=0,no-read-workqueue,no-write-workqueue,discard
  • The content of my /etc/kernel/cmdline file and my /etc/kernel/cmdline_fallback file is:

    root=/dev/mapper/cryptroot rootfstype=btrfs rootflags=subvol=/@ rw modprobe.blacklist=pcspkr zswap.enabled=0

I must admit that I have no idea how to proceed. The emergency root shell is locked, so I can't troubleshoot it from that end. I was recommended to add a break to the boot process so I can mount /dev/sda2 manually and/or check if all necessary dependencies are added into the initramfs, but I don't know how.
If someone could help me out and get this issue fixed, I'd be very grateful as I can finally switch over to Arch on my daily driver!

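An added example, not code from the original post and not the mkinitcpio-pkcs11 hook's own code: a small POSIX sh script that does the "check if all necessary dependencies are added into the initramfs" step the post asks about. It lists the initramfs with lsinitcpio (for a Unified Kernel Image it first dumps the .initrd section with objcopy, which is an assumption about the UKI layout) and reports which of the files PKCS#11 unlocking needs are absent. The REQUIRED path list is an assumption about what the Arch packages pcsclite, ccid, opensc, cryptsetup and systemd install, and the UKI path /efi/EFI/Linux/arch-linux.efi is a placeholder; both should be checked against pacman -Ql and the mkinitcpio preset before relying on the result.

```shell
#!/bin/sh
# Added example, not code from the original post or from mkinitcpio-pkcs11.
# Checks whether an initramfs (or the .initrd section of a Unified Kernel
# Image) actually contains the files that PKCS#11 unlocking at boot needs.
#
# ASSUMPTION: the REQUIRED list reflects what the Arch packages pcsclite,
# ccid, opensc, cryptsetup and systemd ship; verify each path against
# `pacman -Ql pcsclite ccid opensc cryptsetup systemd` and adjust.
REQUIRED='
usr/bin/pcscd
usr/lib/systemd/system/pcscd.socket
usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
usr/lib/pkcs11/opensc-pkcs11.so
usr/lib/cryptsetup/libcryptsetup-token-systemd-pkcs11.so
usr/lib/systemd/systemd-cryptsetup
etc/crypttab
'

# check_listing LISTING_FILE
# LISTING_FILE holds the output of `lsinitcpio IMAGE`, one path per line.
# A leading "./" or "/" is stripped so that "./usr/bin/pcscd",
# "/usr/bin/pcscd" and "usr/bin/pcscd" all match. Prints every REQUIRED path
# that is absent, one per line; returns 0 if nothing is missing, 1 otherwise.
check_listing() {
    listing="$1"
    normalized=$(mktemp) || return 2
    sed -e 's|^\./||' -e 's|^/||' "$listing" > "$normalized"
    status=0
    for want in $REQUIRED; do
        if ! grep -qxF -- "$want" "$normalized"; then
            printf '%s\n' "$want"
            status=1
        fi
    done
    rm -f "$normalized"
    return $status
}

# check_initramfs IMAGE
# IMAGE is a plain initramfs (e.g. /boot/initramfs-linux.img) or a UKI
# (e.g. /efi/EFI/Linux/arch-linux.efi; that path is an assumption, use the
# one from your mkinitcpio preset). For a UKI the embedded initramfs is first
# dumped from the .initrd PE section with objcopy (assumed UKI layout).
check_initramfs() {
    image="$1"
    work=$(mktemp -d) || return 2
    case "$image" in
        *.efi)
            objcopy -O binary --only-section=.initrd "$image" "$work/initrd.img" \
                || { rm -rf "$work"; return 2; }
            initrd="$work/initrd.img" ;;
        *)
            initrd="$image" ;;
    esac
    lsinitcpio "$initrd" > "$work/listing" || { rm -rf "$work"; return 2; }
    if missing=$(check_listing "$work/listing"); then
        echo "OK: all required PKCS#11 files are present in $image"
        rc=0
    else
        echo "MISSING from $image:"
        echo "$missing"
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Usage, as root on the installed system (nothing runs when the file is sourced):
#   . ./check_pkcs11_initramfs.sh
#   check_initramfs /efi/EFI/Linux/arch-linux.efi
```

The script only proves that the files are packed into the image; it says nothing about whether pcscd is actually started there or whether the reader is detected before systemd-cryptsetup gives up and falls back to the passphrase prompt. If the mkinitcpio preset also writes a separate initramfs image alongside the UKI, pointing check_initramfs at that image avoids the objcopy step entirely.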
