[pkg-cryptsetup-devel] which process is saving key in kernel keyring

Carles Pina i Estany carles at pina.cat
Sat Aug 4 20:53:27 BST 2018


Hi,

On Aug/04/2018, Carles Pina i Estany wrote:
> 
> Hi,
> 
> On Aug/04/2018, Guilhem Moulin wrote:
> 
> Oh I've just realised that I've been reading some of your scripts in the
> initrd :-)
> 
> > Hi,
> > 
> > On Sat, 04 Aug 2018 at 01:07:42 +0100, Carles Pina i Estany wrote:
> > > TL;DR: during booting of my Debian 9 some script/process is adding the
> > > passphrase or key in the kernel keyring. Who and where?
> > > […]
> > > m2_root_crypt UUID=4e655198-a111-... none luks,discard
> > > m2_swap_crypt UUID=56485640-8a04-... none luks,discard
> > > ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard
> > > 
> > > But I only need to enter the password twice during boot.
> > 
> > You didn't send your /etc/fstab but from their name I assume
> > ‘m2_root_crypt’ and ‘m2_swap_crypt’ are respectively holding the root
> > and resume device, hence are unlocked at initramfs stage?
> > 
> > OTOH perhaps ‘ssd_dades_crypt’ is not unlocked at initramfs stage (by
> > our initramfs-tools) but later in the boot process (by systemd).
> > systemd has its own unlocking logic, and might be what's adding the
> > token to the kernel keyring.
> 
> To clarify: I know that systemd adds the token in the kernel and I know
> that it uses it because of the code or a test such as:
> 
> systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
> systemctl start systemd-cryptsetup@ssd_dades_crypt.service # here it will
> ask the passphrase, and see that the key is stored with "keyctl show"
> (unless I've just recently booted and the key is still in the
> kernel keyring, I think that the default is 2.5 minutes)
> 
> systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
> systemctl start systemd-cryptsetup@ssd_dades_crypt.service # here it's
> mounted but the passphrase is not asked for, it is used from the kernel
> key storage
> 
> But I don't understand and I can't find it: how does systemd know the
> key in the initial boot?
> 
> I've checked (I hope to remember correctly!) that if I boot with
> init=/bin/bash then root and swap are mounted and the key is not stored.
> So I don't understand from where systemd is getting the passphrase/key
> to mount it in a normal boot.
> 
> I'll keep investigating...

Just to add:
initrd is using /lib/cryptsetup/askpass to ask for the passphrases. I've
enabled the debug and it's using "plymouth_read", not "systemd" (I had
thought that initrd scripts would save the passphrase somewhere /
keyring for later usage but, as you said, it doesn't seem so).

Cheers,

-- 
Carles Pina i Estany
	Web: http://pinux.info || Blog: http://pintant.cat
	GPG Key 0x8CD5C157
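The "keyctl show" check discussed above can be done without keyctl by reading /proc/keys. The script below is an added example, not part of this thread: systemd's ask-password cache stores an accepted passphrase as a "user" key described "cryptsetup" in the calling user's keyring (uid 0 for systemd-cryptsetup at boot) with a 2.5-minute timeout, and the script lists such keys with their remaining lifetime. The /proc/keys sample embedded in it is constructed, not captured from a real system.

```python
"""List LUKS passphrases cached by systemd-cryptsetup in the kernel keyring.

/proc/keys columns: SERIAL FLAGS USAGE EXPY PERM UID GID TYPE DESCRIPTION: SUMMARY
The kernel prints EXPY as 'perm' or a whole-unit remaining time (45s, 2m, 3h, ...).
"""
import re
from pathlib import Path

# Constructed sample (not a real dump). The two 'cryptsetup' keys are what
# systemd leaves behind for 2.5 minutes after a successful passphrase prompt.
SAMPLE_PROC_KEYS = """\
00000001 I-----    39 perm 1f3f0000     0     0 keyring   _uid_ses.0: 1/4
00000002 I-----     2 perm 1f3f0000     0     0 keyring   _uid.0: 1
0000000a I--Q---     1   2m 3f010000     0     0 user      cryptsetup: 32
0000000b I--Q---     1  45s 3f010000  1000  1000 user      cryptsetup: 16
0000000c I-----     1 perm 3f010000  1000  1000 user      unrelated: 8
"""

LINE_RE = re.compile(
    r"^(?P<serial>[0-9a-f]+)\s+(?P<flags>\S+)\s+(?P<usage>\d+)\s+(?P<expiry>\S+)\s+"
    r"(?P<perm>[0-9a-f]+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<desc>[^:]*): (?P<summary>.*)$"
)
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def expiry_seconds(field):
    """'perm' -> None (no timeout); '2m' -> 120. The kernel rounds down to whole units."""
    if field == "perm":
        return None
    return int(field[:-1]) * UNITS[field[-1]]


def parse_proc_keys(text):
    """Parse /proc/keys text into dicts; lines that do not match the layout are skipped."""
    keys = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key = m.groupdict()
            key["expiry_s"] = expiry_seconds(key.pop("expiry"))
            keys.append(key)
    return keys


def cached_cryptsetup_keys(text):
    """Keys that systemd-cryptsetup would reuse instead of prompting (type user, name cryptsetup)."""
    return [k for k in parse_proc_keys(text) if k["type"] == "user" and k["desc"] == "cryptsetup"]


if __name__ == "__main__":
    for k in cached_cryptsetup_keys(Path("/proc/keys").read_text()):
        print(f"serial {k['serial']} uid {k['uid']} expires in {k['expiry_s']}s")
```

Run it as root right after unlocking a volume and again a few minutes later to watch the cached token appear and expire; an empty result while the unit still starts without prompting means the passphrase is coming from somewhere other than the keyring cache.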