[pkg-cryptsetup-devel] Bug#507722: cryptsetup: unable to enter passphrase at boot time with bootlogd enabled

Jonas Meurer jonas at freesources.org
Mon Feb 23 20:48:35 UTC 2009


package cryptsetup
retitle 507722 "passphrase prompt not displayed in boot process with insserv, CONCURRENCY=shell and bootlogd enabled"
thanks
----------

hello Jochen,

On 21/02/2009 Jochen Schulz wrote:
> Jochen Schulz:
> > 
> >   As you can see, there's (unfortunately) no luks. I don't know whether
> >   that makes any difference.
> 
> I just changed my /home to luks, but that didn't solve the issue. So, to
> summarize
> 
> insserv with CONCURRENCY=shell and bootlogd with BOOTLOGD_ENABLE=Yes
> make it hard to enter the cryptdisks-early passphrase at boot because
> the prompt is invisible.

Ok, that one finally made it possible for me to reproduce the bug.
After installing insserv and setting CONCURRENCY=shell in the kvm test
installation, the cryptsetup passphrase prompt is not displayed in the
boot process any longer.

> And I think I understand why I observed that my keypresses have been
> echoed to the screen sometimes. /var/log/boot reveals a pause of almost
> thirty seconds when setting up encrypted swap (I used 'set -x' in
> /etc/init.d/cryptdisks-early):
> 
> Sat Feb 21 19:32:03 2009: + cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h sha256 --key-file=/dev/random create cswap0 /dev/sda6
> Sat Feb 21 19:32:29 2009: + '[' -z '' ']'
> Sat Feb 21 19:32:29 2009: + break
> Sat Feb 21 19:32:29 2009: + return 0
> Sat Feb 21 19:32:29 2009: + '[' ok '!=' ok ']'
> 
> Probably my machine lacks entropy during that time. Any keys pressed
> while cryptsetup is waiting for the entropy pool to fill up end up on
> the screen. Ironically, pressing keys appears to speed up this process.

Yes, lack of entropy is exactly the problem here. You could use
/dev/urandom instead of /dev/random. Otherwise you'll have to cope with
the situation and input random characters over your keyboard until
enough entropy is available from /dev/random.

> But there are no messages at all from cryptdisks-early on screen. Not
> even a success message about cswap0. I can only recognize that
> cryptsetup is done setting up cswap0 and waiting for /home's passphrase
> by pressing keys and waiting for them to *not* appear on the screen.
> 
> One idea I had when investigating this issue: bootlogd appears to
> prevent stderr from being printed to the screen. I can only see the 'set
> -x' output from cryptdisks-early when shutting down (and, of course, in
> the boot log file). Are all of cryptdisks-early's messages printed to
> stderr instead of stdout? At least /lib/cryptsetup/askpass only prints
> to stderr, as far as I can see.

askpass writes to stderr, but the cryptdisks script itself uses lsb
logging functions, and as far as I can see from /lib/lsb/init-functions,
that one doesn't write to stderr.
And with CONCURRENCY=No set, cryptsetup passphrase prompt is displayed,
so bootlogd itself cannot be the problem. Additionally, the combination
of CONCURRENCY=Yes and bootlogd seems to suppress a lot of boot
messages, not only cryptdisks. 

greetings,
 jonas
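
The stall diagnosed above can be found mechanically in a bootlogd log. The following is an added example, not part of the original message or of the cryptsetup package: it scans timestamped `set -x` lines for gaps and flags the ones that follow a command keyed from /dev/random. The function name and the 10-second threshold are assumptions, and it assumes log lines are not interleaved by concurrent init scripts.

```python
import re
from datetime import datetime

# Log lines copied from the /var/log/boot excerpt quoted in the message.
SAMPLE_BOOT_LOG = """\
Sat Feb 21 19:32:03 2009: + cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h sha256 --key-file=/dev/random create cswap0 /dev/sda6
Sat Feb 21 19:32:29 2009: + '[' -z '' ']'
Sat Feb 21 19:32:29 2009: + break
Sat Feb 21 19:32:29 2009: + return 0
Sat Feb 21 19:32:29 2009: + '[' ok '!=' ok ']'
"""

# bootlogd prefixes each line with a ctime-style stamp followed by ": ".
LINE_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): (.*)$")


def find_stalls(log_text, threshold_s=10):
    """Return (gap_seconds, command, keyed_from_dev_random) for every logged
    command that is followed by at least threshold_s of silence.

    The stamp records when the line was written, so a gap is attributed to
    the command logged just before it (hypothetical helper, added example).
    """
    entries = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines without a parsable timestamp
        stamp = datetime.strptime(match.group(1), "%a %b %d %H:%M:%S %Y")
        entries.append((stamp, match.group(2)))

    stalls = []
    for (start, command), (end, _next) in zip(entries, entries[1:]):
        gap = int((end - start).total_seconds())
        if gap >= threshold_s:
            blocking_key = "--key-file=/dev/random" in command
            stalls.append((gap, command, blocking_key))
    return stalls


if __name__ == "__main__":
    for gap, command, blocking_key in find_stalls(SAMPLE_BOOT_LOG):
        reason = "blocking read from /dev/random" if blocking_key else "unknown"
        print(f"{gap:>3}s stall after: {command}\n     likely cause: {reason}")
```
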