sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(encryption): add warning before silent TPM2-to-keyfile fallback

Browse Source
This commit is contained in:
Sandwich
2026-02-20 21:51:12 +01:00
parent ac72fdc4a6
commit c82e4afc4d
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
roles/configuration/tasks/encryption/tpm2.yml
View File

@@ -79,6 +79,12 @@
chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }}, chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }} host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
rescue: rescue:
- name: Warn about TPM2 enrollment failure
ansible.builtin.debug:
msg: >-
TPM2 enrollment failed — falling back to keyfile auto-decrypt.
The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
- name: Fallback to keyfile auto-decrypt - name: Fallback to keyfile auto-decrypt
ansible.builtin.set_fact: ansible.builtin.set_fact:
configuration_luks_auto_method: keyfile configuration_luks_auto_method: keyfile