Bug#786393: Workaround to keep systemd-cryptsetup-generator from decrypt an already mounted root device throught Debian /etc/crypttab keyscript

Pier Paolo Franco pierpaolo.franco at gmail.com
Sat Aug 6 14:36:37 BST 2016

After some googling i derived an ugly keyscript for /etc/crypttab to
decrypt root disk (as per standard wholedisk encryption Debian install).

I manage to prevent the 90s delay annoyance hardcoding the device uuid in
the script instead of in the crypttab file.
This consent to plain aptitude updates (without the need to change
/etc/crypttab at any update-initramfs) and somehow prevent systemd magic. I
hope it will also permit subsequent systemd crypto logic.
Note that I use a raw (unpartitioned) usb stick to hold the key, and in its
absence the keyscript nicely fallback to cryptsetup askpass cli.

It shouldn't be too difficult to extend the script for more complex
solutions (eg. deriving correct device uuid and/or seek key position from
crypto mapper name).

~$ cat /etc/crypttab
<CryptName> UUID=<ROOTID> none luks,discard,keyscript=/opt/

~$ cat /opt/passphrase-from-usb
set -e


if ! [ -e /root/passphrase-from-usb-done ]; then
    touch /root/passphrase-from-usb-done
    if [ -e "$CRYPTTAB_KEY" ]; then
        echo "Unlocking $CRYPTTAB_NAME..." >&2
        dd if="$CRYPTTAB_KEY" bs=1 skip=<KEYSKIP> count=<KEYCOUNT>

/lib/cryptsetup/askpass "Enter passphrase: "

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/attachments/20160806/3bbeba9b/attachment.html>

More information about the Pkg-systemd-maintainers mailing list