[pkg-cryptsetup-devel] Bug#817030: cryptsetup: no keyscripts support in conjunction with systemd

Christian Pernegger pernegger at gmail.com
Mon Mar 7 10:46:29 UTC 2016


Package: cryptsetup
Version: 2:1.6.6-5
Severity: important

Hi,

At least since jessie (I've pretty much skipped wheezy on the affected
systems) keyscripts do not work, unless handled in the initramfs. So
everything needed for the rootfs is fine, as is anything tagged with
the initramfs option, all other cases are broken.

Apparently this is because systemd doesn't support keyscripts and
upstream are unwilling to add support because it only ever was a
Debian extension. Regardless, there's an open bug against systemd
(#618862) but none against cryptsetup. Why? Cryptsetup has provided
the functionality before, it still does in the initramfs, but it
doesn't anymore in the running system. To me, that's a bug in
cryptsetup.

More importantly, why can't keyscript support be added back to the
running system? How about
* cryptsetup checks crypttab for unsupported options during
configure and offers to handle it (instead of systemd) if any are
found [covers migrations]
* the documentation is updated to clearly state which options and
scenarios are systemd-safe (or not) [new installs]
* provide a debconf switch "Should encrypted blockdevices in
/etc/crypttab be handled by cryptsetup (instead of systemd)?" to
switch manually.

(I don't know if cryptsetup can also add the kernel parameters to
disable systemd's dm-crypt support in a clean way, if not just print a
loud message.)


I reckon there wasn't more of an outcry over this because encrypted
root still works for now and later cryptdisks are much less likely to
require keyscripts. But
1) having to put "initramfs" for everything is ugly and potentially
causes boot failures even though the device(s) in question aren't
critical at all.
2) I dread the day someone decides to drop "all that legacy cruft from
initramfs handling" because "systemd does it all anyway, right?" --
because that's the day all my systems become unbootable. And that's
not something I want to have to deal with in a stable-stable update.


Regards,
Christian


-- System Information:
Debian Release: 8.3
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cryptsetup depends on:
ii  cryptsetup-bin         2:1.6.6-5
ii  debconf [debconf-2.0]  1.5.56
ii  dmsetup                2:1.02.90-2.2
ii  libc6                  2.19-18+deb8u3

Versions of packages cryptsetup recommends:
ii  busybox                                 1:1.22.0-9+deb8u1
ii  console-setup                           1.123
ii  initramfs-tools [linux-initramfs-tool]  0.120
ii  kbd                                     1.15.5-2

Versions of packages cryptsetup suggests:
pn  dosfstools              <none>
pn  keyutils                <none>
ii  liblocale-gettext-perl  1.05-8+b1

-- debconf information:
  cryptsetup/prerm_active_mappings: true
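
The first proposal in the report above (checking crypttab for options that only work in the initramfs) could look like the following sketch. It is an added example, not part of the original message or of the cryptsetup package. The function names and the sample crypttab are constructed for illustration, and the script cannot tell which device holds the rootfs.

```shell
#!/bin/sh
# Added example (not from the bug report): flag crypttab entries that use
# keyscript= without the initramfs option.

# has_option OPTIONS NAME: succeed if NAME or NAME=value is in the comma list.
has_option() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
    esac
    return 1
}

# Print the target name of every entry with keyscript= but no initramfs.
# Assumption: the root device is not identified here, so an entry that the
# initramfs unlocks anyway because it holds the rootfs is listed as well.
crypttab_keyscript_outside_initramfs() {
    while read -r target source keyfile options _rest || [ -n "$target" ]; do
        case "$target" in ''|'#'*) continue ;; esac
        if has_option "$options" keyscript && ! has_option "$options" initramfs; then
            printf '%s\n' "$target"
        fi
    done < "$1"
}

# Constructed sample crypttab (device names and labels are made up).
write_sample_crypttab() {
    cat > "$1" <<'EOF'
# <target> <source> <keyfile> <options>
root_crypt   /dev/sda2 none luks
data_crypt   /dev/sdb1 /dev/disk/by-label/usbkey:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev
backup_crypt /dev/sdc1 data_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived,initramfs
swap_crypt   /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64
EOF
}

sample=$(mktemp)
write_sample_crypttab "$sample"
crypttab_keyscript_outside_initramfs "$sample"   # prints: data_crypt
rm -f "$sample"
```
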
