Key sharing

Teddy Hogeborn teddy at recompile.se
Thu Jul 21 22:02:24 CEST 2022


Dick Middleton <dick at lingbrae.com> writes:

> On 7/17/22 09:44, Dick Middleton wrote:
>
> > So I've reverted to using initramfs-tools and at least I can boot.
> > However it no longer unlocks the swap partition;  it prompts me
> > separately.
> >
> > My crypttab looks like this:
> >
> > # root
> > md1-crypt UUID=xxxx boot luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl
> >
> > # sleep
> > sleep UUID=yyyy boot luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl
> >
> > I'm using mandos-client version 1.8.14 on stable aka bullseye!
> > kernel is 5.10.0-16-amd64
>
> It does not seem to use the decrypt_keyctl script for the "sleep"
> partition.  With the root partition it asks "Caching passphrase for
> md1-crypt:" but for "sleep" it asks:
> "Please enter passphrase for disk xxx (sleep):".  The latter is not from decrypt_keyctl.
>
> In between the 2 messages it runs a systemd generator for each of the
> partitions (md1-crypt and sleep) to produce systemd-cryptsetup@
> services.  No doubt that's where the "Please enter ..." message comes
> from.
>
> So it's a bit of a mess.  What do I do to fix it?

I don’t see why you are specifying a keyscript in your crypttab at all.

When using dracut, Mandos will provide the password to systemd when
systemd asks for a password using its “Password Agent” protocol.  As far
as I know, systemd does not even support the keyscript parameter in
crypttab.

When using initramfs-tools, Mandos will retrieve the password
and pass it to the cryptroot-unlock command provided by initramfs-tools.
Once the cryptroot-unlock command is successful, Mandos will do nothing
further.

/Teddy Hogeborn

-- 
The Mandos Project
https://www.recompile.se/mandos
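The following is an added example, not code from the Mandos project or from either poster: a small POSIX sh lint that, given a crypttab, lists the entries whose options carry keyscript= and emits a copy with that option removed, which is the change the reply above suggests (Mandos supplies the passphrase itself, and systemd-cryptsetup, used by dracut, does not define keyscript in crypttab(5), so such entries end up at a plain prompt). The sample crypttab is constructed from the one quoted in the thread, with placeholder UUIDs; the function names keyscript_entries and strip_keyscript are this example's own.

```shell
#!/bin/sh
# Added example (not from the Mandos project or the original post):
# find crypttab entries that rely on keyscript=, which only the
# initramfs-tools cryptsetup hooks honour, and produce a cleaned copy.
set -f   # no pathname expansion while splitting fields below

# Constructed sample, modelled on the crypttab quoted in the thread
# (UUID values are placeholders, not real devices).
SAMPLE_CRYPTTAB='# root
md1-crypt UUID=xxxx boot luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl

# sleep
sleep UUID=yyyy boot luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl

# a volume that never used a keyscript
home UUID=zzzz none luks
'

# keyscript_entries: read crypttab text on stdin and print
# "<target> <keyscript path>" for every entry whose options carry keyscript=.
keyscript_entries() {
    while read -r target src keyfile options; do
        case "$target" in ''|'#'*) continue ;; esac   # skip blanks/comments
        old_ifs=$IFS
        IFS=,
        for opt in $options; do                          # walk the option list
            case "$opt" in
                keyscript=*) printf '%s %s\n' "$target" "${opt#keyscript=}" ;;
            esac
        done
        IFS=$old_ifs
    done
}

# strip_keyscript: copy crypttab text from stdin to stdout with keyscript=
# dropped from the options field; comments, blank lines and the other
# three fields pass through unchanged.  If keyscript= was the only option,
# the options field is omitted, which crypttab permits.
strip_keyscript() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) printf '%s\n' "$line"; continue ;; esac
        set -- $line                       # split into the four fields
        target=$1 src=$2 keyfile=$3 options=$4
        kept=''
        old_ifs=$IFS
        IFS=,
        for opt in $options; do
            case "$opt" in keyscript=*) continue ;; esac
            kept="${kept:+$kept,}$opt"
        done
        IFS=$old_ifs
        printf '%s %s %s%s\n' "$target" "$src" "$keyfile" "${kept:+ $kept}"
    done
}

# Stand-alone run: report the offending entries, then show the cleaned file.
printf '%s' "$SAMPLE_CRYPTTAB" | keyscript_entries
printf '%s' "$SAMPLE_CRYPTTAB" | strip_keyscript
```

Run it against a real file with "keyscript_entries < /etc/crypttab" before switching an installation from the initramfs-tools hooks to dracut; anything it reports will not be unlocked by a keyscript once systemd-cryptsetup is in charge.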