[pkg-cryptsetup-devel] Bug#758788: Bug#758788: Bug#758788: cryptsetup: Passphrase caching broken in decrypt_keyctl

Jonas Meurer jonas at freesources.org
Fri Oct 3 19:55:18 UTC 2014


Hey Luc,

thanks for the prompt reply.

On 03.10.2014 at 21:15, Luc Maisonobe wrote:
>> I failed to reproduce the bug you discovered so far. Can you please give
>> the latest packages from
>> https://people.debian.org/~mejo/debian/mejo-unstable/ a try and see
>> whether decrypt_keyctl still doesn't work for you?
> 
> The new packages allow to boot, but I still have to enter the key twice,
> once for each encrypted device.

Very strange. I'm still unable to reproduce the issues you encounter.
Could you do some further testing for me?

I test the decrypt_keyctl script with the following setup, and it works
as expected. Maybe you could try a similar setup:

- create two small lvm logical volumes (5MB are more than enough)
- luksformat both logical volumes
- add them to your crypttab:

clv1_crypt /dev/<VG>/<LV1> testkey1 luks,keyscript=decrypt_keyctl
clv2_crypt /dev/<VG>/<LV2> testkey1 luks,keyscript=decrypt_keyctl

- try unlocking them via cryptdisks_start:

# cryptdisks_start clv1_crypt
# cryptdisks_start clv2_crypt

The second unlocking should use the key cached during first unlocking.

It would be awesome if you could test this. I also tested this setup
during the boot process, and it works as expected as well. Also tested with
UUID instead of source device path in crypttab, same result.

I've no clue what's different on your setups, and any help with
debugging would be highly appreciated.

>> In case that you still encounter the bug, please paste your full
>> /etc/fstab and /etc/crypttab again.
> 
> /etc/crypttab:
> 
> sdb1_crypt UUID=9aa983b5-0224-406b-a177-7481162c6172 sda5_sdb1_common_key luks,keyscript=decrypt_keyctl
> sda5_crypt UUID=3764df68-de26-4a24-a7dc-1498cb6b20ab sda5_sdb1_common_key luks,keyscript=decrypt_keyctl

Nothing suspicious here, looks ok to me.

> Note that the two partitions contain physical volumes for LVM, as shown
> here:

Actually the content of your encrypted devices should not matter at all.

Kind regards,
 jonas
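
An added example, not part of the original mail or of the cryptsetup package: a small check that lists which crypttab targets would share one cached passphrase. It assumes decrypt_keyctl uses the third crypttab field as the cache identifier, as the `testkey1` setup above suggests; the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: group crypttab targets by their decrypt_keyctl key identifier.
# Assumption: decrypt_keyctl caches the passphrase under the third crypttab
# field, so only entries with an identical third field reuse one prompt.

keyctl_groups() {
    # $1: path to a crypttab-format file
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        NF < 4         { next }          # no options field, so no keyscript
        $4 ~ "(^|,)keyscript=([^,]*/)?decrypt_keyctl(,|$)" {
            n[$3]++
            t[$3] = (t[$3] == "" ? $1 : t[$3] " " $1)
        }
        END {
            # SHARED: one prompt unlocks all listed targets.
            # SINGLE: this identifier is used once, so it gets its own prompt.
            for (id in n)
                printf "%s %s: %s\n", (n[id] > 1 ? "SHARED" : "SINGLE"), id, t[id]
        }
    ' "$1" | LC_ALL=C sort
}

write_sample() {
    # Constructed sample entries (device paths are placeholders).
    cat <<'EOF'
# <target> <source device> <key id> <options>
clv1_crypt /dev/vg0/lv1 testkey1 luks,keyscript=decrypt_keyctl
clv2_crypt /dev/vg0/lv2 testkey1 luks,keyscript=decrypt_keyctl
clv3_crypt /dev/vg0/lv3 otherkey luks,keyscript=decrypt_keyctl
swap_crypt /dev/vg0/lv4 /dev/urandom swap
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample > "$sample"
keyctl_groups "$sample"
rm -f "$sample"
```

Pointing `keyctl_groups` at `/etc/crypttab` shows at a glance whether two entries that should be unlocked with one prompt really carry the same identifier.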


