Bug#618862: systemd: ignores keyscript in crypttab

Michael Niewöhner foss at mniewoehner.de
Sat Aug 4 20:56:24 BST 2018

Hi all,

I stumbled on this, too but I have a work-around for at least 'decrypt_keyctl'.

systemd uses systemd-cryptsetup -> systemd-ask-password -> linux keyring.
The keyring can be modified by keyctl just as 'decrypt_keyctl' does.
As I wanted to use 'decrypt_keyctl' for unlocking root and data with the same
password, I applied this patch:

--- /lib/cryptsetup/scripts/decrypt_keyctl.distrib	2017-05-09
13:50:59.000000000 +0200
+++ /lib/cryptsetup/scripts/decrypt_keyctl	2018-08-04 21:34:01.130979945
@@ -24 +24 @@ die()

My entries in crypttab are these:
crypt_sys /dev/zpool_sys/zvol_sys none luks,discard,keyscript=decrypt_keyctl
crypt_data /dev/zpool_data/zvol_data none luks,discard,keyscript=decrypt_keyctl

Now cryptsetup-initramfs unlocks my root device and decrypt_keyctl caches the
password to linux keyring with desc=cryptsetup.

Systemd then reads the key from keyring with desc=cryptsetup and unlocks my data
 device! :-)

That keyring caching could be easily added to all other keyscripts to make
systemd unlock work ;-)

Best regards

More information about the Pkg-systemd-maintainers mailing list