[pkg-cryptsetup-devel] which process is saving key in kernel keyring

Carles Pina i Estany carles at pina.cat
Sat Aug 4 12:07:16 BST 2018


Hi!

I'm not near the computer now but...


On 4 August 2018 11:53:44 BST, Guilhem Moulin <guilhem at debian.org> wrote:
>Hi,
>
>On Sat, 04 Aug 2018 at 01:07:42 +0100, Carles Pina i Estany wrote:
>> TL;DR: during booting of my Debian 9 some script/process is adding the
>> passphrase or key in the kernel keyring. Who and where?
>> […]
>> m2_root_crypt UUID=4e655198-a111-... none luks,discard
>> m2_swap_crypt UUID=56485640-8a04-... none luks,discard
>> ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
>> 
>> But I only need to enter the password twice during boot.
>
>You didn't send your /etc/fstab but from their name I assume
>‘m2_root_crypt’ and ‘m2_swap_crypt’ are respectively holding the root
>and resume device, hence are unlocked at initramfs stage?

This seems correct, yes

>OTOH perhaps ‘ssd_dades_crypt’ is not unlocked at initramfs stage (by
>our initramfs-tools) but later in the boot process (by systemd).
>systemd has its own unlocking logic, and might be what's adding the
>token to the kernel keyring.

I see that systemd unlocks it (based on logs, standards and added) but I don't type the passphrase for ssd_dades_crypt. When systemd is executed I think that the passphrase is already in the kernel keyring, I wonder where/when it is added.

Now I wonder if systemd saved it somewhere? (And where) from a previous execution? That would surprise me... I'll do some more research...

Cheers


-- 
Replied using my mobile... might contain extra typos or non-sense


