Missing package in dom0 (systemd-cryptenroll)


In qubes vm’s from template “Fefora-36” I can find systemd-cryptenroll command but in dom0 it doesn’t exist.
This command should be embeded in systemd package.
Do you know why it doesn’t exist? I want to use it but not able to install trying update systemd package.

You would have to install in dom0 terminal. Here are the step by step process:

  1. open the terminal in dom0 (xfce4-terminal; xterm)

  2. type > sudo qubes-dom0-update systemd-cryptenroll -y

  3. wait for that action completed

  4. done

If that doesn’t works/found, use an AppVM to download that package via FTP.

systemd-cryptenroll was introduced in systemd 248. dom0 uses Fedora 32, whose final systemd version is 245.

1 Like

Do you know if this is possible install it on Fedora 32? Or maybe I can be able upgrade Fedora to 34?

Posit and correct me please if I’m wrong here, the OP seems to say that they want systemd-cryptenroll installable on a Qubes OS -based system’s dom0 VM but from what I could gather the purpose of systemd-cryptenroll seems to relate exclusively to LUKS (the package relating strictly to a management tool that is commonly used on simpler Linux systems that don’t operate like Qubes OS does). From my understanding of Qubes OS, LUKS operation takes place prior to dom0 startup (dom0 gets decrypted, right, the software in dom0 should not have access to the necessary items of LUKS to manage any of them).

It’s not really feasible, sorry. (Theoretically you could build a newer systemd package for Fedora 32, but it would probably be a real pain to do this for such a complex package.)

dom0 is in the same position as any non-Qubes Linux system as far as managing full-disk encryption goes. So dom0’s initramfs (which is placed on the unencrypted boot partition) loads the dm-crypt mapping for the rest of the disk, giving the system an additional plain text view of the encrypted data (which it can still see and manage).

Really regeret that for now this is not possible. Waiting for new Qubes release.
I want to encrypt in that way: linux - FIDO2 (YubiKey) to unlock LUKS at boot on Fedora 36 not working - Unix & Linux Stack Exchange

I am working on this now that R4.2 has been released. Should be possible in F37 Dom0 now. I am also asking about this on the Nitrokey forum.