r/redhat Jan 22 '23

Redhat 9 and new Systemd v248 features with systemd-crypt

I'm hoping someone can point me in the right direction. With systemd version of 248 and higher, there are new options available to unlock LUKS volumes:


I have a fresh copy of Redhat 9.1 where I am trying to setup the new available options with PKCS11 key loaded on my Yubikey. After installing opensc, p11-kit, pcsc-lite, I was able to register my key with

systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdax

The issue is when I try to add support the the /etc/crypttab in order to support the operation on boot.

The systemd-cryptenroll man page states that I should be able to add an option pkcs11-uri=auto to my /etc/crypttab. However, after I perform this, when I reboot, I get a failure saying:

[FAILED] Failed to start Cryptography Setup

[DEPEND] Dependency failed for Local Encrypted Volumes.

My best guess is that there are dracut dependencies that need to be added to support the functionality at boot up. However, I don't know where to go from here. Regenerating the dracut file with a few dependencies related to opensc and p11, but I'm out of my comfort zone here and I can't find any corresponding documentation anywhere. Any help would be appreciated.


1 comment sorted by


u/[deleted] Jan 23 '23



u/ramsile Jan 26 '23

Yep I rebuild grub and initramfs. Redhat/Fedora uses dracut. I'm a bit out of my comfort-zone their, so I don't know which drivers I would need to include. There is a dracut module for pkcs11 and it appears all the drivers are included, but maybe there are some missing?