Bug#618862: systemd: ignores keyscript in crypttab
Michael Niewöhner
foss at mniewoehner.de
Sat Aug 4 20:56:24 BST 2018
Hi all,
I stumbled on this, too, but I have a work-around for at least 'decrypt_keyctl'.
systemd uses systemd-cryptsetup -> systemd-ask-password -> Linux keyring.
The keyring can be modified by keyctl just as 'decrypt_keyctl' does.
As I wanted to use 'decrypt_keyctl' for unlocking root and data with the same
password, I applied this patch:
--- /lib/cryptsetup/scripts/decrypt_keyctl.distrib 2017-05-09
13:50:59.000000000 +0200
+++ /lib/cryptsetup/scripts/decrypt_keyctl 2018-08-04 21:34:01.130979945
+0200
@@ -24 +24 @@ die()
-ID_="cryptkey-$1"
+ID_="cryptsetup"
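Review bot: replacing "cryptkey-$1" with the fixed string "cryptsetup" removes the per-entry scoping of the cached key, so every crypttab entry using this keyscript now reads and writes the same keyring description; the positional argument ($1, the target name) is no longer used at all. That is fine when all entries share one passphrase, as in this setup, but an entry with a different passphrase will silently get the cached one and fail to unlock. Consider keeping the per-target description and adding a separate, optional description (e.g. selected via a crypttab option) that matches what systemd-ask-password looks up, rather than hard-coding it for everyone.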
My entries in crypttab are these:
crypt_sys /dev/zpool_sys/zvol_sys none luks,discard,keyscript=decrypt_keyctl
crypt_data /dev/zpool_data/zvol_data none luks,discard,keyscript=decrypt_keyctl
Now cryptsetup-initramfs unlocks my root device and decrypt_keyctl caches the
password in the Linux keyring with desc=cryptsetup.
systemd then reads the key from the keyring with desc=cryptsetup and unlocks my data
device! :-)
That keyring caching could be easily added to all other keyscripts to make
systemd unlock work ;-)
Best regards
Michael
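The following crypttab audit is an added example and is not code from the bug report or from the Debian cryptsetup package. It parses crypttab entries (constructed here from the ones quoted above plus one extra keyfile entry) and reports which entries depend on a keyscript that systemd-cryptsetup will ignore. For decrypt_keyctl it also derives the keyring description the script would use: "cryptkey-<name>" for the unpatched script, or the fixed "cryptsetup" that the message says systemd-ask-password searches for, and it flags entries that would end up sharing one description. The status strings and helper names are this example's own.

```python
"""Audit /etc/crypttab entries for the systemd keyscript limitation.

Added example, not part of the original bug report. Assumptions are
taken from the report: systemd-cryptsetup does not run keyscript=,
decrypt_keyctl caches the passphrase under "cryptkey-<target>", and
systemd-ask-password looks for the description "cryptsetup".
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the two entries from the report plus one keyfile entry.
SAMPLE_CRYPTTAB = """\
# <target name> <source device>          <key file>         <options>
crypt_sys  /dev/zpool_sys/zvol_sys   none               luks,discard,keyscript=decrypt_keyctl
crypt_data /dev/zpool_data/zvol_data none               luks,discard,keyscript=decrypt_keyctl
crypt_bak  /dev/sdb1                 /etc/keys/bak.key  luks
"""

STATUS_NATIVE = "native"              # no keyscript; systemd-cryptsetup handles it
STATUS_KEYRING_SHARED = "keyring-shared"  # decrypt_keyctl caching under "cryptsetup"
STATUS_KEYSCRIPT_IGNORED = "keyscript-ignored"  # systemd will not run the script

SYSTEMD_KEYRING_DESC = "cryptsetup"   # description systemd-ask-password looks up


@dataclass
class CrypttabEntry:
    name: str
    device: str
    keyfile: str
    # option name -> value ("" for bare flags such as "luks" or "discard")
    options: Dict[str, str] = field(default_factory=dict)


def parse_crypttab(text: str) -> List[CrypttabEntry]:
    """Parse crypttab text: whitespace-separated fields, '#' comments, blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"crypttab line {lineno}: need at least target and device")
        name, device = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        opts: Dict[str, str] = {}
        if len(fields) > 3:
            for opt in fields[3].split(","):
                if opt:
                    key, _, value = opt.partition("=")
                    opts[key] = value
        entries.append(CrypttabEntry(name, device, keyfile, opts))
    return entries


def keyring_description(entry: CrypttabEntry, patched: bool = False) -> str:
    """Keyring description decrypt_keyctl would cache the passphrase under.

    Unpatched script: "cryptkey-<target>" (ID_="cryptkey-$1").
    Patched as in the report: the fixed string "cryptsetup".
    """
    return SYSTEMD_KEYRING_DESC if patched else f"cryptkey-{entry.name}"


def audit(entries: List[CrypttabEntry], keyctl_patched: bool = False) -> Dict[str, str]:
    """Map each target name to how systemd-cryptsetup will treat it."""
    findings: Dict[str, str] = {}
    for e in entries:
        script = e.options.get("keyscript")
        if script is None:
            findings[e.name] = STATUS_NATIVE
        elif script == "decrypt_keyctl" and keyring_description(e, keyctl_patched) == SYSTEMD_KEYRING_DESC:
            # systemd still skips the keyscript, but an earlier unlock (e.g. root
            # via the initramfs) may have cached the passphrase where it looks.
            findings[e.name] = STATUS_KEYRING_SHARED
        else:
            findings[e.name] = STATUS_KEYSCRIPT_IGNORED
    return findings


def shared_descriptions(entries: List[CrypttabEntry], keyctl_patched: bool = False) -> Dict[str, List[str]]:
    """Keyring descriptions used by more than one decrypt_keyctl entry.

    Entries sharing a description must share a passphrase; otherwise the
    second one receives the first one's cached key and fails to unlock.
    """
    by_desc: Dict[str, List[str]] = {}
    for e in entries:
        if e.options.get("keyscript") == "decrypt_keyctl":
            by_desc.setdefault(keyring_description(e, keyctl_patched), []).append(e.name)
    return {d: names for d, names in by_desc.items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_crypttab(SAMPLE_CRYPTTAB)
    for patched in (False, True):
        print(f"decrypt_keyctl patched={patched}: {audit(parsed, patched)}")
        print(f"  shared descriptions: {shared_descriptions(parsed, patched)}")
```

Run against a real `/etc/crypttab` by passing its contents to `parse_crypttab`; every `keyscript-ignored` result is an entry that only the initramfs path can unlock, and a non-empty `shared_descriptions` result tells you which targets must use the same passphrase once the keyring description is collapsed to "cryptsetup".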