by poettering 963 days ago
systemd has a similar logic, i.e. a recovery key concept, but we made sure you can type it in wherever a LUKS password would work too, even on systems where systemd is not available but LUKS is. The recovery key is output in yubikey's modhex alphabet, which means you can type it in on many keyboards even without setting a keymap first, and it will work. We also output it as a QR code, in case you want to scan it off. All in all it should be as robust as a recovery key could be.
3 comments

> yubikey's modhex alphabet

For the curious, to avoid "most" QWERTZ/AZERTY differences among Latin layouts:

cbdefghijklnrtuv
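
An added illustration, not part of the thread and not systemd's code: a modhex encoder/decoder over the alphabet quoted above, plus a check that every modhex letter sits on the same physical key on QWERTY, QWERTZ and AZERTY while plain hex does not. The layout rows, the 32-byte key length and the 8-character dash grouping are assumptions made for the example.

```python
import secrets

MODHEX = "cbdefghijklnrtuv"  # alphabet quoted in the thread
HEX = "0123456789abcdef"
TO_MODHEX = str.maketrans(HEX, MODHEX)
FROM_MODHEX = str.maketrans(MODHEX, HEX)

# First ten keys of the three letter rows per layout (constructed for this check).
LAYOUTS = {
    "qwerty": ("qwertyuiop", "asdfghjkl;", "zxcvbnm,./"),
    "qwertz": ("qwertzuiop", "asdfghjklö", "yxcvbnm,.-"),
    "azerty": ("azertyuiop", "qsdfghjklm", "wxcvbn,;:!"),
}

def modhex_encode(data: bytes) -> str:
    """Hex-encode, then swap each hex digit for its modhex letter."""
    return data.hex().translate(TO_MODHEX)

def format_key(data: bytes, group: int = 8) -> str:
    """Dash-group the modhex string for reading aloud or typing (assumed grouping)."""
    text = modhex_encode(data)
    return "-".join(text[i:i + group] for i in range(0, len(text), group))

def modhex_decode(text: str) -> bytes:
    """Parse a typed key: ignore dashes and case, reject non-modhex characters."""
    cleaned = text.replace("-", "").strip().lower()
    bad = sorted(set(cleaned) - set(MODHEX))
    if bad:
        raise ValueError(f"not modhex: {bad}")
    return bytes.fromhex(cleaned.translate(FROM_MODHEX))

def key_position(layout: str, ch: str):
    """Return (row, column) of ch on the layout, or None if absent from the rows."""
    for row_index, row in enumerate(LAYOUTS[layout]):
        col = row.find(ch)
        if col >= 0:
            return (row_index, col)
    return None

def layout_independent(chars: str) -> bool:
    """True if every character is on the same physical key in all layouts."""
    for ch in chars:
        positions = {key_position(name, ch) for name in LAYOUTS}
        if len(positions) != 1 or None in positions:
            return False
    return True

if __name__ == "__main__":
    print(format_key(secrets.token_bytes(32)))  # random sample key
    print(layout_independent(MODHEX), layout_independent(HEX))
```
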

Oh cool. Does that mean the TPM key is set up to use one of the LUKS key slots?
Yes, a tpm2 enrollment takes up one slot, the recovery key another, a fido2 yet another, a pkcs11 key yet another and a password yet another in any combination/subset you like.
That's a highly unusual attitude for systemd. Most of the systemd architecture requires you to run systemd for everything if you use it at all. What changed?
Nothing changed. You are just a victim of FUD on the Internet, my friend. That's all.
Why does this remind me of something a Bitcoin or Gamestop fanatic would say?