Package: cryptsetup
Version: 2:1.6.6-5
Severity: important
Under Wheezy, I was able to put "keyscript=/lib/cryptsetup/scripts/passdev"
in /etc/crypttab to make it use a key file on a USB stick
Now with jessie, this doesn''t work.
The relevant lines from /etc/crypttab look like this:
aux
/dev/disk/by-id/ata-VMware_Virtual_IDE_Hard_Drive_01000000000000000001-part1
/dev/disk/by-label/keys:/keys
luks,noearly,keyscript=/lib/cryptsetup/scripts/passdev
swap
/dev/disk/by-id/ata-VMware_Virtual_SATA_Hard_Drive_00000000000000000001-part1
/dev/urandom swap,noearly
And the relevant parts of the output of "journalctl -b" look like this
systemd-cryptsetup[434]: Encountered unknown /etc/crypttab option
'noearly', ignoring.
systemd-cryptsetup[434]: Key file /dev/urandom is world-readable. This is
not a good idea!
systemd[1]: Job dev-disk-by\x2dlabel-keys:-keys.device/start timed out.
systemd[1]: Timed out waiting for device
dev-disk-by\x2dlabel-keys:-keys.device.
systemd[1]: Dependency failed for Cryptography Setup for aux.
systemd[1]: Dependency failed for Encrypted Volumes.
systemd[1]: Dependency failed for dev-mapper-aux.device.
# lsinitramfs /boot/initrd.img-3.16.0-4-amd64 | grep cryptsetup
lib/x86_64-linux-gnu/libcryptsetup.so.4
lib/cryptsetup
lib/cryptsetup/askpass
sbin/cryptsetup
which seems to indicate that the passdev script is not present in the initramfs.
The "noearly" option is supposed to make those lines in crypttab be ignored when
setting up encrypted devices at initramfs time. Instead, they are being
processed
at initramfs time when the relevant tools are not available, and being ignored
after the switch to the real root.
And, yes, I did "update-initramfs -u" after putting that entry into
/etc/crypttab.
Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.16.0-4-amd64 root=/dev/mapper/crypt--vg-root ro quiet
-- /etc/crypttab
sdc5_crypt UUID=6c75641f-6905-4ec5-959f-84d4aecd9481 none luks
swap
/dev/disk/by-id/ata-VMware_Virtual_SATA_Hard_Drive_00000000000000000001-part1
/dev/urandom swap,noearly
aux
/dev/disk/by-id/ata-VMware_Virtual_IDE_Hard_Drive_01000000000000000001-part1
/dev/disk/by-label/keys:/keys
luks,noearly,keyscript=/lib/cryptsetup/scripts/passdev
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/crypt--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sdc1 during installation
UUID=662211d8-6f25-47d2-b61e-f533bbb5bd1b /boot ext2 defaults
0 2
# /dev/mapper/crypt--vg-swap_1 none swap sw 0 0
/dev/mapper/swap none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
-- lsmod
Module Size Used by
nfsd 263032 2
auth_rpcgss 51211 1 nfsd
oid_registry 12419 1 auth_rpcgss
nfs_acl 12511 1 nfsd
nfs 188136 0
lockd 83389 2 nfs,nfsd
fscache 45542 1 nfs
sunrpc 237402 6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
sha256_ssse3 25692 2
sha256_generic 16804 1 sha256_ssse3
ecb 12737 1
ppdev 16782 0
vmw_balloon 12658 0
coretemp 12820 0
psmouse 99249 0
serio_raw 12849 0
pcspkr 12595 0
snd_ens1371 23119 0
snd_rawmidi 26806 1 snd_ens1371
uvcvideo 79005 0
snd_seq_device 13132 1 snd_rawmidi
videobuf2_vmalloc 12816 1 uvcvideo
snd_ac97_codec 118711 1 snd_ens1371
btusb 29721 0
evdev 17445 3
videobuf2_memops 12519 1 videobuf2_vmalloc
bluetooth 374429 2 btusb
6lowpan_iphc 16588 1 bluetooth
rfkill 18867 1 bluetooth
videobuf2_core 47787 1 uvcvideo
v4l2_common 12995 1 videobuf2_core
videodev 126451 3 uvcvideo,v4l2_common,videobuf2_core
media 18305 2 uvcvideo,videodev
snd_pcm 88662 2 snd_ac97_codec,snd_ens1371
snd_timer 26614 1 snd_pcm
snd 65244 6
snd_ac97_codec,snd_timer,snd_pcm,snd_rawmidi,snd_ens1371,snd_seq_device
soundcore 13026 1 snd
ac97_bus 12510 1 snd_ac97_codec
gameport 13449 1 snd_ens1371
parport_pc 26300 0
battery 13356 0
parport 35749 2 ppdev,parport_pc
processor 28221 0
thermal_sys 27642 1 processor
vmwgfx 165847 0
ttm 77862 1 vmwgfx
drm_kms_helper 49210 1 vmwgfx
drm 249955 4 ttm,drm_kms_helper,vmwgfx
ac 12715 0
i2c_piix4 20864 0
button 12944 0
shpchp 31121 0
i2c_core 46012 5
drm,i2c_piix4,drm_kms_helper,v4l2_common,videodev
vmw_vmci 55383 0
autofs4 35529 2
ext4 473802 2
crc16 12343 2 ext4,bluetooth
mbcache 17171 1 ext4
jbd2 82413 1 ext4
algif_skcipher 13008 0
af_alg 12988 1 algif_skcipher
dm_crypt 22595 2
dm_mod 89405 8 dm_crypt
hid_generic 12393 0
usbhid 44460 0
hid 102264 2 hid_generic,usbhid
sg 29973 0
sr_mod 21903 0
cdrom 47424 1 sr_mod
sd_mod 44356 5
crc_t10dif 12431 1 sd_mod
crct10dif_generic 12581 0
ata_generic 12490 0
crct10dif_pclmul 13387 1
crct10dif_common 12356 3 crct10dif_pclmul,crct10dif_generic,crc_t10dif
crc32_pclmul 12915 0
crc32c_intel 21809 0
ghash_clmulni_intel 12978 0
aesni_intel 151423 6
aes_x86_64 16719 1 aesni_intel
lrw 12757 1 aesni_intel
gf128mul 12970 1 lrw
glue_helper 12695 1 aesni_intel
ablk_helper 12572 1 aesni_intel
cryptd 14516 5 ghash_clmulni_intel,aesni_intel,ablk_helper
ahci 33291 1
libahci 27158 1 ahci
ehci_pci 12512 0
uhci_hcd 43499 0
ehci_hcd 69837 1 ehci_pci
usbcore 195340 6 btusb,uhci_hcd,uvcvideo,ehci_hcd,ehci_pci,usbhid
ata_piix 33592 0
e1000 122545 0
usb_common 12440 1 usbcore
libata 177457 4 ahci,libahci,ata_generic,ata_piix
mptspi 21948 2
scsi_transport_spi 27851 1 mptspi
mptscsih 26657 1 mptspi
mptbase 73042 2 mptspi,mptscsih
scsi_mod 191405 7
sg,scsi_transport_spi,libata,mptspi,sd_mod,sr_mod,mptscsih
-- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.6.6-5
ii debconf [debconf-2.0] 1.5.56
ii dmsetup 2:1.02.90-2.2
ii libc6 2.19-18+deb8u1
Versions of packages cryptsetup recommends:
ii busybox 1:1.22.0-9+deb8u1
ii console-setup 1.123
ii initramfs-tools [linux-initramfs-tool] 0.120
ii kbd 1.15.5-2
Versions of packages cryptsetup suggests:
pn dosfstools <none>
pn keyutils <none>
ii liblocale-gettext-perl 1.05-8+b1
-- debconf information:
cryptsetup/prerm_active_mappings: true
