Bug#618862: systemd: ignores keyscript in crypttab

Michel Messerschmidt debian at michel-messerschmidt.de
Fri Feb 2 16:07:51 GMT 2018


>  > Workaround: add "luks=no" to the kernel command line to disable
> systemd's generator
> 
> This worked great... until you try to add another partition to crypttab.
> Since the cryptroot in initrd only does root, but luks=no disables all
> others.
> 
> Is there any clean solution that recognizes the granularity? Maybe one way
> is to put all encrypted filesystems loaded via initramfs?

Not a clean solution, but a workaround for root partitions using a keyscript.

Let systemd handle encrypted partitions via crypttab (i.e. don't use luks=no).
But exclude the root partition by masking the generated unit.

Example
-------
My crypttab contains (among other entries):
root_crypt       UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  /dev/disk/by-uuid/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:/keys/root  luks,keyscript=passdev

systemd will dynamically generate service units for all partitions in crypttab:
$ ls -l /run/systemd/generator/systemd-cryptsetup*
-rw-r--r-- 1 root root  867 Feb  2 16:31 /run/systemd/generator/systemd-cryptsetup@home_crypt.service
-rw-r--r-- 1 root root 1103 Feb  2 16:31 /run/systemd/generator/systemd-cryptsetup@root_crypt.service
-rw-r--r-- 1 root root  865 Feb  2 16:31 /run/systemd/generator/systemd-cryptsetup@var_crypt.service

Whenever systemd tries to start systemd-cryptsetup@root_crypt.service during boot, it will time out and fail:
Feb 02 13:52:39 host systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-yyyyyyyy\x2dyyyy\x2dyyyy\x2dyyyy\x2dyyyyyyyyyyyy:-keys-root.device.
Feb 02 13:52:39 host systemd[1]: Dependency failed for Cryptography Setup for root_crypt.
Feb 02 13:52:39 host systemd[1]: Dependency failed for Local Encrypted Volumes.
Feb 02 13:52:39 host systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
Feb 02 13:52:39 host systemd[1]: systemd-cryptsetup@root_crypt.service: Job systemd-cryptsetup@root_crypt.service/start failed with result 'dependency'.


But the following command will mask this unit, so that systemd will not attempt to start it at all:
systemctl mask systemd-cryptsetup@root_crypt.service

Afterwards, my system boots without timeout and all encrypted partitions are available.


HTH,
Michel
-- 
Security is not a product and not a process. Security is an emotion.
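As an added example (not part of the message above and not systemd's own tooling), the following POSIX shell script turns the workaround into something you can run against a crypttab before rebooting: it parses the file, finds every entry that relies on keyscript=, derives the unit name the crypttab generator would produce for it, prints the `systemctl mask` command for the mapping the initramfs already unlocks (the root device, given by name), and flags any other keyscript entry, since masking those would simply leave them locked. The sample crypttab at the bottom is constructed for the demonstration; the unit-name escaping handles only '-' and '/' (the way systemd-escape does) and assumes mapping names otherwise contain only letters, digits, '_', '.' and ':'. On a real system, `systemd-escape --template=systemd-cryptsetup@.service NAME` gives the authoritative unit name.

```shell
#!/bin/sh
# Added example, not code from the bug report or from systemd.
# Assumption: mapping names use only [A-Za-z0-9_.:] plus '-' and '/';
# only the latter two are escaped here, as systemd-escape does.

# Map a crypttab mapping name to the unit the generator creates for it:
# '-' becomes '\x2d' first, then '/' becomes '-' (systemd-escape rules).
crypt_unit_name() {
    esc=$(printf '%s' "$1" | sed -e 's/-/\\x2d/g' -e 's,/,-,g')
    printf 'systemd-cryptsetup@%s.service\n' "$esc"
}

# Print "name unit" for every crypttab entry whose options contain keyscript=.
# Comments are stripped; fields are: name, source, key file, options.
keyscript_entries() {   # $1 = path to a crypttab file
    sed -e 's/#.*//' "$1" | while read -r name src key opts; do
        [ -n "$name" ] || continue
        case ",$opts," in
            *,keyscript=*) printf '%s %s\n' "$name" "$(crypt_unit_name "$name")" ;;
        esac
    done
}

# Emit the mask command for the root mapping (unlocked by the initramfs, so
# systemd's generated unit is redundant) and warn about any other keyscript
# entry, which the generator would still start without its keyscript.
mask_plan() {   # $1 = crypttab path, $2 = mapping name of the root device
    keyscript_entries "$1" | while read -r name unit; do
        if [ "$name" = "$2" ]; then
            printf 'systemctl mask %s\n' "$unit"
        else
            printf '# %s uses a keyscript too; masking %s would leave it locked\n' \
                "$name" "$unit"
        fi
    done
}

# Constructed sample crypttab for the demonstration (not a real system's file).
sample_crypttab() {
    cat <<'EOF'
# <target name> <source device>                              <key file>                                  <options>
root_crypt  UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  /dev/disk/by-uuid/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:/keys/root  luks,keyscript=passdev
home_crypt  UUID=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz  none                                        luks
data-crypt  /dev/sdb1                                  /dev/disk/by-uuid/wwwwwwww-wwww-wwww-wwww-wwwwwwwwwwww:/keys/data  luks,keyscript=passdev
EOF
}

# Stand-alone run: plan the masking for the sample file with root_crypt as root.
tmp=$(mktemp)
sample_crypttab >"$tmp"
mask_plan "$tmp" root_crypt
rm -f "$tmp"
```

Run it against the real file with `mask_plan /etc/crypttab root_crypt` (or whatever the root mapping is called) and apply only the `systemctl mask` line it prints; the commented lines are the entries for which this workaround does not help.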


