[pkg-cryptsetup-devel] Bug#914446: cryptsetup-initramfs: Opening multiple drives with one password doesn't work without plymouth

Fri Nov 23 15:03:32 GMT 2018

Package: cryptsetup-initramfs
Version: 2:2.0.5-1
Severity: normal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Maintainer,

I have two HDDs and each of them have one encrypted partition (LUKSv2). The
same password is set for both of the drives because I want to open them using
only the one password when the system is booting. This setup works well when
plymouth is installed -- I type just one password, and the sda drive is being
unlocked and shortly after the sdb drive will be also unlocked (automatically).
When I remove plymouth packages form my system and regenerate the initramfs
image, I have to type the same password two times (one for each drive) when the
system boots.

This is the /etc/crypttab file:

=============================================================
sda2_crypt  UUID=e017ac1c-c46f-4b3f-a319-e1f5ed15144a   none
luks,header=/boot/headers/sda2_wd_black_256g
sdb1_crypt  UUID=66861f93-9fc7-46f9-b969-1ade25dcb898   none
luks,header=/boot/headers/sdb1_wd_blue_1500g
=============================================================

Systemd-cryptsetup-generator generates files in /run/systemd/generator/ for the
two containers. The content of the two files is similar (only UUID and disk
numbers are different). Here's one of the files

=============================================================
# Automatically generated by systemd-cryptsetup-generator

[Unit]
Description=Cryptography Setup for %I
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-
cryptsetup at .service(8)
SourcePath=/etc/crypttab
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
After=cryptsetup-pre.target
Before=cryptsetup.target
BindsTo=dev-disk-
by\x2duuid-e017ac1c\x2dc46f\x2d4b3f\x2da319\x2de1f5ed15144a.device
After=dev-disk-
by\x2duuid-e017ac1c\x2dc46f\x2d4b3f\x2da319\x2de1f5ed15144a.device
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
KeyringMode=shared
ExecStart=/lib/systemd/systemd-cryptsetup attach 'sda2_crypt' '/dev/disk/by-
uuid/e017ac1c-c46f-4b3f-a319-e1f5ed15144a' 'none'
'luks,header=/boot/headers/sda2_wd_black_256g'
ExecStop=/lib/systemd/systemd-cryptsetup detach 'sda2_crypt'
=============================================================

Since systemd v238, the option "KeyringMode=shared" was added, and hence the
service file has access to the kernel keyring. But for some reason the kernel
keyring is probably empty when plymouth is not used, and probably that's why I
have to type the same password two times.

When the above service is started manually via systemctl, I can see that it
uses the kernel keyring when I type the following command once the service was
started:

# keyctl list @u
1 key in keyring:
237476127: --alswrv     0     0 user: cryptsetup

Is plymouth needed to have this kind of functionality, or something is wrong
with... something?

- -- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (130, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-initramfs depends on:
ii  busybox                                 1:1.27.2-3
ii  cryptsetup-run                          2:2.0.5-1
ii  initramfs-tools [linux-initramfs-tool]  0.132

Versions of packages cryptsetup-initramfs recommends:
ii  console-setup  1.187
ii  kbd            2.0.4-4

cryptsetup-initramfs suggests no packages.