按照如何从 YubiKey 添加 FIDO2 密钥的示例，但我不知道如何使用 YubiKey 从命令行解锁它。说明中谈到了启动时解锁——但这不是我想要的。

设置

创建一个 128 MiB 文件，使其成为块设备loop0并设置 LUKS。

$ dd if=/dev/urandom of=disk.bin bs=1M count=128 
128+0 records in
128+0 records out
134217728 bytes (134 MB, 128 MiB) copied, 0.534038 s, 251 MB/s
$ losetup /dev/loop0 disk.bin 
$ cryptsetup luksFormat -y /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for temp.bin: 
Verify passphrase: 

添加 Yubikey。

$ systemd-cryptenroll /dev/loop0 --fido2-device=auto  --fido2-with-client-pin=yes
? Please enter current passphrase for disk /dev/loop0: ****                    
Requested to lock with PIN, but FIDO2 device /dev/hidraw9 does not support it, disabling.
Initializing FIDO2 credential on security token.
? (Hint: This might require confirmation of user presence on security token.)
Generating secret key on FIDO2 security token.
? In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.

删除非 FIDO2 密钥。

$ cryptsetup -q -v luksKillSlot /dev/loop0 0
Keyslot 0 is selected for deletion.
Key slot 0 removed.
Command successful.

问题

怎么办？这不起作用：

$ cryptsetup open /dev/loop0 loop0_encrypted
Enter passphrase for disk.bin:

我现在有一个 LUKS 磁盘，但我不知道如何解锁它。/etc/crypttab我发现的所有教程都说要对启动时的安装进行修改并提供安装说明。我想在不重新启动并且（最好）不修改的情况下安装/etc/crypttab。我缺少什么？