Summary
As part of a pre-boot strong authentication project (pre-boot MFA) using YubiKey and LUKS, we identified significant discrepancies between Linux distributions, particularly between Fedora, Debian and Ubuntu, related to dracut-ng's 73pcsc module.
This work led to opening the issue
“Dracut compatibility with Ubuntu and Debian”
in order to stabilize a uniform, robust and long-term maintainable solution.
This work directly improves the security of the boot chain and will benefit the entire Linux ecosystem. In other words, how to meet security requirements for free and natively on Linux!
Technical context
The initial goal was simple: understand how to unlock a LUKS encrypted volume via a YubiKey (PKCS#11) as soon as the system boots.
We followed cryptsetup's documentation, which works correctly on Fedora. However, when porting to Ubuntu and Debian, we ran into a series of malfunctions.
From a technical standpoint, our analysis revealed that:
opensc.modulefiles are handled differently depending on the distribution- Some OpenSC dependencies are not copied
- Configuration paths vary from one distribution to another
These discrepancies explain the portability and stability issues between Fedora, Debian and Ubuntu.
When the issue becomes strategic
Ubuntu has officially announced the adoption of dracut:
- Optional starting with 25.04
- Default starting with 25.10
The number of affected systems will therefore grow rapidly.
The need for a stable, standardized cross-distribution solution is becoming a strategic issue.
Our contribution
- Reproduce the Debian/Ubuntu vs Fedora malfunctions
- Isolate the technical causes
- Precisely document the cross-distribution discrepancies
We then proposed structural fixes, including:
- Better detection of
p11-kitmodules (wildcards) - Multi-path handling of OpenSC configurations
- Reliable, systematic inclusion of OpenSC dependencies
- Strengthened PC/SC file detection mechanisms
Our approach follows a sustainable, traceable open-source contribution model that benefits the entire cybersecurity community.
A matter of digital sovereignty
The stakes go beyond a simple technical use case: today, we're talking about digital sovereignty.
We offer a solution that significantly increases system security, in a way that is:
- Native on Linux
- Compatible with smartcards (beyond just YubiKeys)
We hope for widespread adoption of this approach.
Today vs. tomorrow
Today
- Paid or proprietary solutions (particularly in the Windows ecosystem)
- Ad hoc scripts
- Hard-coded paths
- Manual library copies
- Fragile implementations with every update
Tomorrow
- Open source
- Standardized
- Robust
- Sustainable
What we bring to the table
By fixing the foundations directly in dracut, we bring:
- A standardized solution
- An audited, predictable configuration
- Reproducible deployment
This capability immediately benefits:
- The hardening of critical configurations
- Control and inventory of software components
- Reduced attack surface from boot time
Regulatory compliance
This approach makes it easier to comply with:
- NIS 2
- DORA
- ANSSI – IT hygiene guide
- Etc.
What's next?
We are currently finalizing several separate PRs to make them easier to review and merge. Once merged, they can be incorporated into upcoming Debian/Ubuntu releases at the pace of dracut adoption.
📌 Public issue and technical discussions:
Link to the Dracut GitHub
📌 Full implementation documentation is coming very soon.
I'd like to warmly thank Bastien Roucaries (CNRS researcher) and Matthieu Renard for their valuable contribution and expertise, which made this article possible.
Benjamin Aimard

