[pkg-cryptsetup-devel] Bug#1065801: cryptsetup: Crypttab man pages does not list option _netdev which is required for Network based unlocking via Tang
bigops
deb at mailon.mozmail.com
Sat Mar 9 22:06:30 GMT 2024
Package: cryptsetup
Version: cryptsetup 2.6.1
Severity: normal
X-Debbugs-Cc: deb at mailon.mozmail.com
Dear Maintainer,
The crypttab man page, which is part of the cryptsetup package, does not include the option _netdev. _netdev is required for unlocking LUKS volumes via Clevis/Tang.
Confirmed that the block device is not unlocked without this option in the crypttab even though it is not documented. The man pages at freedesktop.org have this option (_netdev) documented (https://www.freedesktop.org/software/systemd/man/latest/crypttab.html).
My current crypttab, which works, is like this:
bdrive LABEL="bdisk" none _netdev,luks
Also, crypttab with _netdev alone does not seem to unlock the LUKS volume, and the volume is only unlocked when a corresponding entry with _netdev exists in /etc/fstab, like the one below:
/dev/mapper/bdrive /mnt/disk1 xfs defaults,_netdev 0 2
Earlier behavior was that if crypttab has the _netdev option the LUKS device is unlocked but not mounted. In the latest version it will work only when it is decrypted and mounted. Also, if the /etc/fstab option is not present the disk is not unlocked even if the noauto is not configured in crypttab, and everything silently fails without any logs in journald or anywhere, as if crypttab itself is not processed.
The desired option would be:
(1) Crypttab manual states clearly the _netdev option.
(2) Crypttab should be able to unlock the LUKS volume without mounting it using fstab, as suggested by the freedesktop manual.
(3) If crypttab mount fails there should be an error in the journal log rather than silently failing.
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-18-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:2.6.1-4~deb12u2
ii debconf [debconf-2.0] 1.5.82
ii dmsetup 2:1.02.185-2
ii libc6 2.36-9+deb12u4
cryptsetup recommends no packages.
Versions of packages cryptsetup suggests:
pn cryptsetup-initramfs <none>
ii dosfstools 4.2-1
pn keyutils <none>
ii liblocale-gettext-perl 1.07-5
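
A check for the crypttab/fstab pairing described in the report, as an added example that is not part of the original message or of cryptsetup. The function names and status strings are hypothetical, and it assumes fstab names the unlocked device as /dev/mapper/<name>, as in the reporter's entry.

```shell
#!/bin/sh
# Added example (not from the report or cryptsetup): list crypttab targets that
# carry _netdev and say whether /etc/fstab has a matching _netdev entry.
netdev_audit() {
    crypttab=${1:-/etc/crypttab}
    fstab=${2:-/etc/fstab}
    awk '
        # True when the comma-separated option list contains _netdev exactly.
        function has_netdev(opts,   n, i, a) {
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "_netdev") return 1
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        FILENAME == ARGV[1] {                   # crypttab: name source key options
            if (has_netdev($4)) { want[$1] = 1; order[++count] = $1 }
            next
        }
        {                                       # fstab: device dir type options ...
            dev = $1
            if (sub(/^\/dev\/mapper\//, "", dev) && (dev in want))
                state[dev] = (has_netdev($4) ? "ok" : "fstab-lacks-netdev")
        }
        END {
            for (i = 1; i <= count; i++) {
                name = order[i]
                print name, ((name in state) ? state[name] : "no-fstab-entry")
            }
        }
    ' "$crypttab" "$fstab"
}

# Runs the audit on constructed sample files; the bdrive lines are the ones
# quoted in the report, the cdrive and ddrive lines are made up for contrast.
netdev_audit_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/crypttab" <<'EOF'
bdrive LABEL="bdisk" none _netdev,luks
cdrive LABEL="cdisk" none _netdev,luks
ddrive LABEL="ddisk" none luks,_netdev
EOF
    cat > "$dir/fstab" <<'EOF'
/dev/mapper/bdrive /mnt/disk1 xfs defaults,_netdev 0 2
/dev/mapper/cdrive /mnt/disk2 xfs defaults 0 2
EOF
    netdev_audit "$dir/crypttab" "$dir/fstab"
    rm -rf "$dir"
}
```

Calling `netdev_audit` with no arguments checks the live /etc/crypttab and /etc/fstab; any status other than `ok` marks a target that, per the report, may be skipped at boot without a journal entry.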