[pkg-cryptsetup-devel] Bug#914446: Bug#914446: cryptsetup-initramfs: Opening multiple drives with one password doesn't work without plymouth
Mikhail Morfikov
mmorfikov at gmail.com
Fri Nov 23 17:30:07 GMT 2018
On 23/11/2018 17:48, Guilhem Moulin wrote:
> On Fri, 23 Nov 2018 at 17:27:11 +0100, Mikhail Morfikov wrote:
>> On 23/11/2018 17:20, Guilhem Moulin wrote:
>>> On Fri, 23 Nov 2018 at 17:09:24 +0100, Mikhail Morfikov wrote:
>>>> Should the script be used when systemd takes care of opening the
>>>> encrypted containers? Because it doesn't support those scripts.
>>>
>>> Indeed, but systemd isn't involved at initramfs stage. At this stage
>>> unlocking is done by our own scripts from the ‘cryptsetup-initramfs’
>>> package (against which you filed this bug).
>>
>> So why when plymouth is installed, the system is able to use the kernel keyring
>> without problems and hence successfully decrypt both of the drives with only one
>> password?
>
> Because plymouthd caches them, too. See for instance
> https://lists.debian.org/debian-user/2018/08/msg00031.html .
>
I think I get it now. Basically, what I wanted can't be done (the way I wanted).
If I had two encrypted containers (none of them was the system one), I would
open them via "systemctl start", and systemd would use the kernel keyring and
open both containers with one password. If plymouth caches once typed password,
it uses the password multiple times and that's why I don't have to type the
password manually again. But in this way plymouth doesn't use the kernel keyring
-- that's why the root keyring is empty after unlocking the system container.
So, there are 3 different mechanisms (crypttab, systemd, plymouth) and they
aren't compatible with each other. So the solution would be to use
systemd+plymouth or to disable systemd generator for encrypted devices and use
crypttab instead with the keyctl script. I could use either one, but I thought
this can be done by using only systemd.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20181123/0fdc8fc6/attachment.sig>
More information about the pkg-cryptsetup-devel
mailing list