cryptsetup support in systemd: keyscripts

Jonas Meurer jonas at freesources.org
Tue Sep 27 14:26:05 BST 2016


Hello Debian systemd maintainers,

I'm writing you with my cryptsetup maintainer hat on. (As you obviously
know), on systemd enabled systems /etc/crypttab is processed by the
systemd cryptsetup helper. Unfortunately, this introduces regressions
compared to the old cryptsetup initscripts in Debian. The systemd
cryptsetup implementation simply doesn't support all crypttab options
from the cryptsetup initscripts.

The biggest regression is missing support of the 'keyscript' option for
crypttab. This option allows one to define a custom script/executable to be
launched with the keyfile as argument. The output of this custom script
was given as stdin to cryptsetup in order to unlock the disk in question.

The regression has been a known issue for more than five years already[1].
Several attempts were made and patches submitted[2,3,4] to add the
keyscript functionality to the systemd cryptsetup helper, but so far
systemd upstream (Lennart) rejected all of them[5,6,7].

Instead, Lennart suggested several times to add the keyscript
functionality to systemd in Debian downstream, which I would like to
discuss with you.

I've given the whole topic a wide berth until now as I (a) still don't
know much about systemd and (b) was good at keeping myself busy with
other things so far. With the release of Stretch coming really close, I
had to look into the topic again and finally decided to write you.

What's your opinion on this? Would you accept a patch to cryptsetup.c in
the Debian systemd package that implements the keyscript functionality?
I know about two independent patches [2,4] so far. Both do pretty
similar things in a slightly different fashion. Do you prepare one of
them? I could port either of them to the current systemd package and do
thoughtful testing if you're ok with incorporating it into the Debian
systemd package afterwards.

I'm looking forward to reading about your opinion :)

Cheers,
 jonas

PS: I'm not subscribed to pkg-systemd-maintainers, please keep me in Cc.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618862
[2] https://lists.freedesktop.org/archives/systemd-devel/2012-June/005693.html
[3] https://lists.freedesktop.org/archives/systemd-devel/2014-August/021887.html
[4] https://github.com/systemd/systemd/pull/3007
[5] https://lists.freedesktop.org/archives/systemd-devel/2012-July/005835.html
[6] https://lists.freedesktop.org/archives/systemd-devel/2014-August/022014.html
[7] https://github.com/systemd/systemd/pull/3007#issuecomment-214313933
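
Added example (not part of the original message, and not code from cryptsetup or systemd): a small Python audit that lists the crypttab entries depending on the 'keyscript' option described above, so an administrator can see which volumes are affected when a helper without keyscript support processes /etc/crypttab. The sample crypttab and the script path /usr/local/sbin/fetch-key are constructed; the four-field layout is assumed to be the one documented in crypttab(5).

```python
from dataclasses import dataclass, field

# Constructed sample crypttab (not from the original message).
# Assumed field order per crypttab(5): target, source device, key file, options.
SAMPLE_CRYPTTAB = """\
# <target> <source device> <key file> <options>
root_crypt UUID=0000-constructed-1 none luks
data_crypt /dev/sdb1 /etc/keys/data.key luks,discard
backup_crypt /dev/sdc1 backup-slot luks,keyscript=/usr/local/sbin/fetch-key
swap_crypt /dev/sdd2 /dev/urandom swap,cipher=aes-xts-plain64
"""


@dataclass
class Entry:
    target: str
    source: str
    keyfile: str
    options: dict = field(default_factory=dict)


def parse_crypttab(text):
    """Parse crypttab text into Entry objects, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: target and source are mandatory
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = {}
        if len(fields) > 3:
            for opt in filter(None, fields[3].split(",")):
                name, _, value = opt.partition("=")
                options[name] = value
        entries.append(Entry(fields[0], fields[1], keyfile, options))
    return entries


def keyscript_entries(text):
    """Return (target, script, argument) for each entry that needs a keyscript.

    The argument is the key-file field, which the script receives as its
    argument; the script's output is what cryptsetup reads on stdin.
    """
    return [(e.target, e.options["keyscript"], e.keyfile)
            for e in parse_crypttab(text) if "keyscript" in e.options]


if __name__ == "__main__":
    for target, script, arg in keyscript_entries(SAMPLE_CRYPTTAB):
        print(f"{target}: depends on '{script} {arg}' to supply the key")
```

Run against the contents of a real /etc/crypttab, an empty result means no volume relies on a keyscript.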