[pkg-cryptsetup-devel] which process is saving key in kernel keyring

Carles Pina i Estany carles@pina.cat
Sat Aug 4 20:48:36 BST 2018


Hi,

On Aug/04/2018, Guilhem Moulin wrote:

Oh, I've just realised that I've been reading some of your scripts in the
initrd :-)

> Hi,
> 
> On Sat, 04 Aug 2018 at 01:07:42 +0100, Carles Pina i Estany wrote:
> > TL;DR: during booting of my Debian 9 some script/process is adding the
> > passphrase or key in the kernel keyring. Who and where?
> > […]
> > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> > 
> > But I only need to enter the password twice during boot.
> 
> You didn't send your /etc/fstab but from their name I assume
> ‘m2_root_crypt’ and ‘m2_swap_crypt’ are respectively holding the root
> and resume device, hence are unlocked at initramfs stage?
> 
> OTOH perhaps ‘ssd_dades_crypt’ is not unlocked at initramfs stage (by
> our initramfs-tools) but later in the boot process (by systemd).
> systemd has its own unlocking logic, and might be what's adding the
> token to the kernel keyring.

To clarify: I know that systemd adds the token in the kernel and I know
that it uses it because of the code or a test such as:

systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service # here it will
ask for the passphrase; see that the key is stored with "keyctl show"
(unless I've just recently booted and the key is still in the
kernel keyring; I think that the default is 2.5 minutes)

systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service # here it's
mounted but the passphrase is not asked for; it is used from the kernel
key storage

But I don't understand and I can't find it: how does systemd know the
key in the initial boot?

I've checked (I hope I remember correctly!) that if I boot with
init=/bin/bash then root and swap are mounted and the key is not stored.
So I don't understand from where systemd is getting the passphrase/key
to mount it in a normal boot.

I'll keep investigating...

Thanks for any ideas,

-- 
Carles Pina i Estany
	Web: http://pinux.info || Blog: http://pintant.cat
	GPG Key 0x8CD5C157
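
The stop/start test described in the message above can be checked without reading "keyctl show" by eye. The script below is an added example written for this page; it is not code from the thread, from the cryptsetup package or from systemd. It assumes (as systemd's ask-password cache does, to my knowledge) that the cached passphrase is a "user"-type key with the description "cryptsetup" linked into the caller's user keyring (@u), and that its remaining lifetime is visible in the timeout column of /proc/keys. The keyring listings embedded in the script are constructed samples, not captured from a real machine; the unit name "ssd_dades_crypt" is the one from the message.

```shell
#!/bin/sh
# Added example (not from the thread, not systemd's or cryptsetup's code).
# Parses keyutils "keyctl show @u" output and /proc/keys to find the
# passphrase that systemd-cryptsetup caches in the kernel keyring.
#
# Assumption: the cached secret is a "user" key described as "cryptsetup"
# in the user keyring (@u), reaped after a timeout (the post reports 2.5 min).

# Read "keyctl show @u" text on stdin; print the serial of every
# "user: cryptsetup" key, one per line. A keyctl line looks like:
#  417355289 --alswrv      0     0   \_ user: cryptsetup
cryptsetup_key_serials() {
    awk '/user: cryptsetup$/ { print $1 }'
}

# Number of cached cryptsetup keys in the listing on stdin.
# 0 means the next unit start will have to prompt for the passphrase.
cached_key_count() {
    cryptsetup_key_serials | wc -l | tr -d ' '
}

# Read /proc/keys text on stdin; print the timeout column ("perm", "2m",
# "149s", ...) of the cryptsetup user key, so the 2.5-minute claim can be
# checked. /proc/keys columns: serial flags usage timeout perms uid gid type
# description; a user key's description is followed by ": <datalen>".
cryptsetup_key_timeout() {
    awk '$8 == "user" && $9 ~ /^cryptsetup:?$/ { print $4 }'
}

# Constructed sample: "keyctl show @u" shortly after an interactive unlock.
SAMPLE_WITH_KEY='Keyring
 851204833 --alswrv      0     0  keyring: _uid.0
 417355289 --alswrv      0     0   \_ user: cryptsetup'

# Constructed sample: the same keyring after the timeout has reaped the key.
SAMPLE_WITHOUT_KEY='Keyring
 851204833 --alswrv      0     0  keyring: _uid.0'

# Constructed sample: the matching /proc/keys lines (2 minutes left).
SAMPLE_PROC_KEYS='2f3a1c41 I--Q---     1 perm 3f030000     0     0 keyring   _uid.0: 1
18e0a4c1 I--Q---     1   2m 3f010000     0     0 user      cryptsetup: 22'

# Real-machine version of the test from the post (root, keyutils needed).
# Not run here; pass the mapping name, e.g. check_unit_cache ssd_dades_crypt.
check_unit_cache() {
    unit="systemd-cryptsetup@$1.service"
    systemctl stop "$unit"
    systemctl start "$unit"        # prompts only if no key is cached
    printf 'cached keys after start: %s\n' "$(keyctl show @u | cached_key_count)"
    printf 'time left on cached key: %s\n' "$(cryptsetup_key_timeout < /proc/keys)"
}

# Offline demonstration on the constructed samples.
printf 'with key:    %s cached\n' "$(printf '%s\n' "$SAMPLE_WITH_KEY" | cached_key_count)"
printf 'without key: %s cached\n' "$(printf '%s\n' "$SAMPLE_WITHOUT_KEY" | cached_key_count)"
printf 'timeout:     %s\n' "$(printf '%s\n' "$SAMPLE_PROC_KEYS" | cryptsetup_key_timeout)"
```

Because the user keyring is per UID, a root shell sees the same @u that the root-run systemd-cryptsetup unit writes to, which is why "keyctl show" from the admin's shell reveals the cached key at all; a non-root shell will not see it. Run check_unit_cache twice within the timeout to reproduce the "second start does not prompt" behaviour from the post.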
