[pkg-cryptsetup-devel] Bug#842951: Bug#842951: Falsely identifies origin of a key file

Jonas Meurer jonas at freesources.org
Mon Nov 14 18:01:06 UTC 2016


Control: reopen -1
Control: severity minor -1

Hi Martin,

On 02.11.2016 at 15:31, martin f krafft wrote:
> I am trying to set up a key file (/etc/luks/nvme0n1.luks) in
> crypttab for the root filesystem. I realise this is a bit cyclical,
> but I've successfully set up grub2 to do the decryption for me, so
> that by the time initramfs comes around, I want it to fetch the key
> from the initramfs. To do this, I thought I could simply configure
> it with crypttab like so:
> 
>   crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /etc/luks/nvme0n1.luks luks,discard
> 
> and have the initramfs hook copy the keyfile. However, instead,
> I get the following warning:
> 
>   WARNING: crypt's key file /etc/luks/nvme0n1.luks is not on an
>   encrypted root FS, skipped

thanks for the bug report. While you seem to have found a proper way to
add your key file to the initramfs in the meantime, your report still
describes a real bug here:

For some reason, the cryptroot hook script thinks that your key is not
on an encrypted device, which seems to be wrong in your case.

> This is what the shell script evaluates to just before:
> 
>   + [ / != / ]
>   + node_is_in_crypttab fishbowl-root
>   + [ -f /etc/crypttab ]
>   + [ 1 -gt 0 ]
> 
> I think the reason for the confusion is that the "crypt" device is
> actually a PV for the fishbowl LVM VG, and the root filesystem is
> just an LV there, so it's not encrypted per se, but it's part of an
> encrypted volume group…

Can you give a bit more context here? In particular the shell script
trace before and after the part that you parsed would be helpful. Could
you send me the full shell script trace with 'set -x' enabled (and
KEYFILE_PATTERN temporarily removed again)?

For some reason, 'node_is_in_crypttab fishbowl-root' expands to false.
Is 'fishbowl-root' the name of your unlocked dm-crypt device or the
name of your LVM logical volume?

Cheers,
 jonas
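
The layering discussed in this thread, as an added example that is not part of the original message and is not code from the cryptsetup hook: looking up the root device's own name in crypttab fails when root is an LV, while walking the device stack finds the dm-crypt layer underneath. The `in_crypttab` and `crypt_ancestor` helpers are hypothetical, and the device stack (including the partition name `nvme0n1p3`) is constructed sample data in the shape of `lsblk -s -r -n -o NAME,TYPE` output.

```shell
#!/bin/sh
# Added example; hypothetical helpers, not the cryptroot hook's own code.

# crypttab entry as quoted in the report.
CRYPTTAB='crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /etc/luks/nvme0n1.luks luks,discard'

# Constructed sample of `lsblk -s -r -n -o NAME,TYPE /dev/mapper/fishbowl-root`
# for the layout described: root LV -> PV on dm-crypt "crypt" -> partition -> disk.
STACK='fishbowl-root lvm
crypt crypt
nvme0n1p3 part
nvme0n1 disk'

# in_crypttab NAME: succeed if NAME is a target name (first field) in $CRYPTTAB.
# Comment lines and blank lines are skipped.
in_crypttab() {
    printf '%s\n' "$CRYPTTAB" | awk -v n="$1" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == n { found = 1 }
        END { exit !found }'
}

# crypt_ancestor: read "NAME TYPE" lines on stdin (device first, then each
# layer below it) and print the first crypt-type device that also has a
# crypttab entry. Fails if the stack has no such layer.
crypt_ancestor() {
    while read -r name type; do
        if [ "$type" = crypt ] && in_crypttab "$name"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Direct lookup of the LV name misses the encrypted layer...
in_crypttab fishbowl-root || echo "fishbowl-root: no crypttab entry of its own"
# ...while the stack walk reports the dm-crypt device backing it.
printf '%s\n' "$STACK" | crypt_ancestor
```

On a live system the constructed `STACK` would be replaced by the real `lsblk` output for the root device.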

