[pkg-cryptsetup-devel] Bug#914446: cryptsetup-initramfs: Opening multiple drives with one password doesn't work without plymouth

Mikhail Morfikov mmorfikov at gmail.com
Fri Nov 23 15:03:32 GMT 2018


Package: cryptsetup-initramfs
Version: 2:2.0.5-1
Severity: normal

Dear Maintainer,

I have two HDDs and each of them has one encrypted partition (LUKSv2). The
same password is set for both of the drives because I want to open them using
only the one password when the system is booting. This setup works well when
plymouth is installed -- I type just one password, and the sda drive is being
unlocked and shortly after the sdb drive will be also unlocked (automatically).
When I remove plymouth packages from my system and regenerate the initramfs
image, I have to type the same password two times (one for each drive) when the
system boots.

This is the /etc/crypttab file:

=============================================================
sda2_crypt  UUID=e017ac1c-c46f-4b3f-a319-e1f5ed15144a   none   luks,header=/boot/headers/sda2_wd_black_256g
sdb1_crypt  UUID=66861f93-9fc7-46f9-b969-1ade25dcb898   none   luks,header=/boot/headers/sdb1_wd_blue_1500g
=============================================================

Systemd-cryptsetup-generator generates files in /run/systemd/generator/ for the
two containers. The content of the two files is similar (only UUID and disk
numbers are different). Here's one of the files:

=============================================================
# Automatically generated by systemd-cryptsetup-generator

[Unit]
Description=Cryptography Setup for %I
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
SourcePath=/etc/crypttab
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
After=cryptsetup-pre.target
Before=cryptsetup.target
BindsTo=dev-disk-by\x2duuid-e017ac1c\x2dc46f\x2d4b3f\x2da319\x2de1f5ed15144a.device
After=dev-disk-by\x2duuid-e017ac1c\x2dc46f\x2d4b3f\x2da319\x2de1f5ed15144a.device
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
KeyringMode=shared
ExecStart=/lib/systemd/systemd-cryptsetup attach 'sda2_crypt' '/dev/disk/by-uuid/e017ac1c-c46f-4b3f-a319-e1f5ed15144a' 'none' 'luks,header=/boot/headers/sda2_wd_black_256g'
ExecStop=/lib/systemd/systemd-cryptsetup detach 'sda2_crypt'
=============================================================

Since systemd v238, the option "KeyringMode=shared" was added, and hence the
service file has access to the kernel keyring. But for some reason the kernel
keyring is probably empty when plymouth is not used, and probably that's why I
have to type the same password two times.

When the above service is started manually via systemctl, I can see that it
uses the kernel keyring when I type the following command once the service was
started:

# keyctl list @u
1 key in keyring:
237476127: --alswrv     0     0 user: cryptsetup

Is plymouth needed to have this kind of functionality, or is something wrong
with... something?



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (130, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-initramfs depends on:
ii  busybox                                 1:1.27.2-3
ii  cryptsetup-run                          2:2.0.5-1
ii  initramfs-tools [linux-initramfs-tool]  0.132

Versions of packages cryptsetup-initramfs recommends:
ii  console-setup  1.187
ii  kbd            2.0.4-4

cryptsetup-initramfs suggests no packages.




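
Added example, not part of the original report or of the cryptsetup packaging: a shell check that lists which crypttab targets ask for a passphrase interactively (key field `none` or `-` and no `keyscript=` option), which is the set of prompts you see when no passphrase caching takes place. The function names and the last two sample entries are constructed for illustration; the first two entries are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: count interactive passphrase prompts implied by a crypttab.

# Constructed sample: the two entries from the report plus two made-up ones.
sample_crypttab() {
    cat <<'EOF'
# <target>  <source>  <key file>  <options>
sda2_crypt  UUID=e017ac1c-c46f-4b3f-a319-e1f5ed15144a   none   luks,header=/boot/headers/sda2_wd_black_256g
sdb1_crypt  UUID=66861f93-9fc7-46f9-b969-1ade25dcb898   none   luks,header=/boot/headers/sdb1_wd_blue_1500g
swap_crypt  /dev/sdz9  /dev/urandom  swap
data_crypt  UUID=00000000-0000-0000-0000-000000000000   none   luks,keyscript=/usr/local/sbin/example-keyscript
EOF
}

# prompting_entries FILE: print the targets that prompt for a passphrase.
prompting_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            name = $1; key = $3; opts = $4
            # A real key file path means no interactive prompt.
            if (key != "" && key != "none" && key != "-") next
            # A keyscript supplies the key material instead of a prompt.
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^keyscript=/) next
            print name
        }
    ' "$1"
}

# prompt_count FILE: number of separate prompts if nothing caches the passphrase.
prompt_count() {
    prompting_entries "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample.
demo_file=$(mktemp)
sample_crypttab > "$demo_file"
echo "Targets that prompt: $(prompting_entries "$demo_file" | tr '\n' ' ')"
echo "Prompts without caching: $(prompt_count "$demo_file")"
rm -f "$demo_file"
```

On a live system, point `prompting_entries` at `/etc/crypttab`; a count above one with a single shared passphrase matches the situation described in the report.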


