Hi,

I would like to know if it is feasible to do the following for a user home directory managed with systemd-homed:

- Activate and unlock with a FIDO2 token (or TPM2)
- Unlock with a password but not activate
- Activate (or at least decrypt) with a recovery key

The idea is that once a user has been activated they can unlock their desktop session using just a password, which might not be too complex. To actually activate their account they would require either a FIDO2 token or TPM2, depending on their setup. As a fallback they can access their data for recovery purposes with a recovery key, but that should not be used in general.
The recovery key might not actually be the recovery key option of homectl. For example, the recovery key might be entered using 'cryptsetup luksAddKey ...'.
I'm wondering if this is feasible rather than if it is implemented. I'll raise an RFE as required.
Thanks, Michael Cassaniti, Australia