[pkg-cryptsetup-devel] which process is saving key in kernel keyring

Carles Pina i Estany carles at pina.cat
Sat Aug 4 01:07:42 BST 2018


Hi,

Apologies if this is slightly off-topic but I thought that someone might
know (and I've been quite a few hours now investigating it):

TL;DR: during booting of my Debian 9 some script/process is adding the
passphrase or key in the kernel keyring. Who and where? It's out of
curiosity only. Thanks! (no script is explicitly invoked from my /etc/crypttab
nor from initrd)

---------

Long version:

cryptsetup version:
2:1.7.3-4

I'm using a Debian Stretch 9 with LUKS for 3 partitions. I don't use the
scripts in /etc/crypttab to save the keys in the kernel keyring:
m2_root_crypt UUID=4e655198-a111-... none luks,discard
m2_swap_crypt UUID=56485640-8a04-... none luks,discard
ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard

But I only need to enter the password twice during boot.

I've been looking at my initrd (standard Debian), the utilities involved
(askpass, etc.), systemd (compiling it and adding debug information) and
I'm very confused: who is adding the key in the kernel keyring? After
booting:

root@pinux:~# keyctl show
Session Keyring
 935647640 --alswrv      0 65534  keyring: _uid_ses.0
 575581655 --alswrv      0 65534   \_ keyring: _uid.0
 604875905 --alswrv      0     0       \_ user: cryptsetup

After some time (90 seconds?) the last line disappears.

I see code in systemd that reads (apparently) but I can't see where this is
written.

Any clues will help to understand this process.

BTW, I've found one commit that might do what is happening but my package doesn't have it:
https://gitlab.com/cryptsetup/cryptsetup/commit/d891e00f631f78a11f24058026058ca9483ae9ae

Thanks very much!

And also thanks for the work with the crypto in Debian!

-- 
Carles Pina i Estany
	Web: http://pinux.info || Blog: http://pintant.cat
	GPG Key 0x8CD5C157


