Key sharing
Teddy Hogeborn
teddy at recompile.se
Thu Jul 21 22:02:24 CEST 2022
Dick Middleton <dick at lingbrae.com> writes:
> On 7/17/22 09:44, Dick Middleton wrote:
>
> > So I've reverted to using initramfs-tools and at least I can boot.
> > However it no longer unlocks the swap partition; it prompts me
> > separately.
> >
> > My crypttab looks like this:
> >
> > # root
> > md1-crypt UUID=xxxx boot luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl
> >
> > # sleep
> > sleep UUID=yyyy boot luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl
> >
> > I'm using mandos-client version 1.8.14 on stable aka bullseye!
> > kernel is 5.10.0-16-amd64
>
> It does not seem to use the decrypt_keyctl script for the "sleep"
> partition. With the root partition it asks "Caching passphrase for
> md1-crypt:" but for "sleep" it asks:
> "Please enter passphrase for disk xxx (sleep):". The latter is not from decrypt_keyctl.
>
> In between the 2 messages it runs a systemd generator for each of the
> partitions (md1-crypt and sleep) to produce systemd-cryptsetup@
> services. No doubt that's where the "Please enter ..." message comes
> from.
>
> So it's a bit of a mess. What do I do to fix it?
I don’t see why you are specifying a keyscript in your crypttab at all.
When using dracut, Mandos will provide the password to systemd when
systemd asks for a password using its “Password Agent” protocol. As far
as I know, systemd does not even support the keyscript parameter in
crypttab.
When using initramfs-tools, Mandos will retrieve the password
and pass it to the cryptroot-unlock command provided by initramfs-tools.
Once the cryptroot-unlock command is successful, Mandos will do nothing
further.
/Teddy Hogeborn
--
The Mandos Project
https://www.recompile.se/mandos
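A quick check for the situation described in this thread, added here as an example and not part of the original message or of the Mandos project: it parses crypttab text and lists every entry that carries a `keyscript=` option, since systemd-cryptsetup (used under dracut) does not honour that option and will fall back to its own passphrase prompt. The crypttab content is constructed from the entries quoted above with placeholder UUIDs.

```shell
#!/bin/sh
# Constructed crypttab sample (placeholder UUIDs), modelled on the thread.
SAMPLE_CRYPTTAB='# root
md1-crypt UUID=xxxx boot luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl

# sleep
sleep UUID=yyyy boot luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl

# entry without a keyscript, handled by systemd-cryptsetup itself
data UUID=zzzz none luks'

# crypttab_keyscript_entries: read crypttab lines on stdin and print
# "<name> <script>" for each non-comment entry whose options field
# (4th column) contains keyscript=.
crypttab_keyscript_entries() {
    while read -r name device keyfile options; do
        # skip blank lines and comments
        case "$name" in ''|\#*) continue ;; esac
        # options are comma-separated; look for keyscript=<path>
        old_ifs=$IFS; IFS=,
        for opt in $options; do
            case "$opt" in
                keyscript=*) printf '%s %s\n' "$name" "${opt#keyscript=}" ;;
            esac
        done
        IFS=$old_ifs
    done
}

# count_keyscript_entries: number of flagged entries in the sample.
count_keyscript_entries() {
    printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_keyscript_entries | wc -l | tr -d ' '
}

# Run against the sample; on a real system feed it /etc/crypttab instead:
#   crypttab_keyscript_entries < /etc/crypttab
printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_keyscript_entries
```

Any entry it prints is one that initramfs-tools would unlock via the keyscript but that a systemd-based initramfs will prompt for instead.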