Bug#618862: systemd: ignores keyscript in crypttab

Michael Niewöhner foss at mniewoehner.de
Sat Aug 4 20:56:24 BST 2018


Hi all,

I stumbled on this, too, but I have a work-around for at least 'decrypt_keyctl'.

systemd uses systemd-cryptsetup -> systemd-ask-password -> linux keyring.
The keyring can be modified by keyctl just as 'decrypt_keyctl' does.
As I wanted to use 'decrypt_keyctl' for unlocking root and data with the same
password, I applied this patch:

--- /lib/cryptsetup/scripts/decrypt_keyctl.distrib	2017-05-09
13:50:59.000000000 +0200
+++ /lib/cryptsetup/scripts/decrypt_keyctl	2018-08-04 21:34:01.130979945
+0200
@@ -24 +24 @@ die()
-ID_="cryptkey-$1"
+ID_="cryptsetup"
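Review bot: hardcoding `ID_="cryptsetup"` in place of `ID_="cryptkey-$1"` drops the per-key name from the keyring description, so every crypttab entry that uses this keyscript now writes to and searches the same keyring entry regardless of its key field; for devices that share one passphrase (the root/data case described in the mail) that is the intended effect, but any device with a different passphrase will collide with it, since whichever passphrase was cached first is what the lookup returns for all of them. A safer variant keeps the original per-key description and additionally caches the passphrase under the `cryptsetup` name that systemd-cryptsetup looks for, ideally behind a crypttab option rather than unconditionally. Note also that this edits the script installed by the cryptsetup package in place (the `.distrib` copy is the original); the change will be lost or conflict on the next package upgrade, so a copy under a different name referenced via `keyscript=` is more robust than patching the packaged file.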

My entries in crypttab are these:
crypt_sys /dev/zpool_sys/zvol_sys none luks,discard,keyscript=decrypt_keyctl
crypt_data /dev/zpool_data/zvol_data none luks,discard,keyscript=decrypt_keyctl

Now cryptsetup-initramfs unlocks my root device and decrypt_keyctl caches the
password to linux keyring with desc=cryptsetup.

Systemd then reads the key from keyring with desc=cryptsetup and unlocks my data device! :-)

That keyring caching could be easily added to all other keyscripts to make
systemd unlock work ;-)


Best regards
Michael