I've set up LUKS volume unlocking with FIDO2 along with a recovery key using sd-cryptenroll:
systemd-cryptenroll --fido2-device=auto /dev/my-luks-device
Slots are configured as follows:
SLOT TYPE
1 recovery
3 fido2
Everything works fine, but in a weird way: on boot I get asked for the recovery key first, then I hit enter a couple of times, basically failing the recovery key, and only then I get prompted for fido2 with user presence.
I wonder if it has something to do with the slot order, although the man page doesn't mention anything about that. I had actually set up TPM2 unlocking before trying FIDO, and even though TPM was set to slot 2, I was never asked for the recovery key first, so this might not be the issue here.
Any help would be much appreciated, thanks!