[pkg-cryptsetup-devel] Bug#902116: regression: keyscript=decrypt_keyctl doesn't cache passphrase anymore

Andras Korn korn-debbugs at elan.rulez.org
Fri Jun 22 14:36:26 BST 2018


Package: cryptsetup
Version: 2:2.0.3-3
Severity: normal

Hi,

version 2:2.0.3-1 or thereabouts broke decrypt_keyctl. Before upgrading, I
had the following in my crypttab:

crypt_sda3 /dev/sda3 none luks,loud,discard,keyscript=decrypt_keyctl
crypt_sda4 /dev/sda4 none luks,loud,discard,keyscript=decrypt_keyctl

This had the result that I was prompted for the passphrase for sda3 during
the initramfs phase, but sda4 was not unlocked and I wasn't prompted for the
passphrase either; booting failed, because sda4 contains the zfs root pool.

I changed crypttab to this:

crypt_sda3 /dev/sda3 none luks,loud,discard,initramfs,keyscript=decrypt_keyctl
crypt_sda4 /dev/sda4 none luks,loud,discard,initramfs,keyscript=decrypt_keyctl

Now booting works but I'm prompted for the passphrase twice (both times with
"Caching passphrase for", meaning the decrypt_keyctl script gets run, but
the caching is broken). (Naturally, the passphrase for the two luks devices
is identical.)

cryptsetup 2:2.0.2-1 was definitely OK.

Everything except /boot is on zfs (and zfs is in the luks container on
sda4). My fstab looks like this:

# fake entry for cryptsetup initramfs hook:
/dev/mapper/crypt_sda4  /      zfs   defaults,noauto                       0  0
/dev/sda2               /boot  ext2  defaults,noatime,noexec,nosuid,nodev  0  1
/dev/gehenna/swap0      none   swap  sw,discard,pri=100                    0  0
/dev/mapper/crypt_sda3  none   swap  sw,discard,pri=0                      0  0

Best regards,

Andras

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (350, 'unstable'), (350, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.100-vs2.3.9.7-caeeng (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: runit (via /sbin/init)

-- 
           How did the Eagles manage to rescue Frodo and Sam at Mt Doom and
                         still have time to record "Hotel California"?


