Package: cryptsetup
Version: 2:1.6.6-5
Severity: important

Under Wheezy, I was able to put "keyscript=/lib/cryptsetup/scripts/passdev" in /etc/crypttab to make it use a key file on a USB stick.

Now with jessie, this doesn't work. The relevant lines from /etc/crypttab look like this:

aux /dev/disk/by-id/ata-VMware_Virtual_IDE_Hard_Drive_01000000000000000001-part1 /dev/disk/by-label/keys:/keys luks,noearly,keyscript=/lib/cryptsetup/scripts/passdev
swap /dev/disk/by-id/ata-VMware_Virtual_SATA_Hard_Drive_00000000000000000001-part1 /dev/urandom swap,noearly

And the relevant parts of the output of "journalctl -b" look like this:

systemd-cryptsetup[434]: Encountered unknown /etc/crypttab option 'noearly', ignoring.
systemd-cryptsetup[434]: Key file /dev/urandom is world-readable. This is not a good idea!
systemd[1]: Job dev-disk-by\x2dlabel-keys:-keys.device/start timed out.
systemd[1]: Timed out waiting for device dev-disk-by\x2dlabel-keys:-keys.device.
systemd[1]: Dependency failed for Cryptography Setup for aux.
systemd[1]: Dependency failed for Encrypted Volumes.
systemd[1]: Dependency failed for dev-mapper-aux.device.

# lsinitramfs /boot/initrd.img-3.16.0-4-amd64 | grep cryptsetup
lib/x86_64-linux-gnu/libcryptsetup.so.4
lib/cryptsetup
lib/cryptsetup/askpass
sbin/cryptsetup

which seems to indicate that the passdev script is not present in the initramfs.

The "noearly" option is supposed to make those lines in crypttab be ignored when setting up encrypted devices at initramfs time. Instead, they are being processed at initramfs time when the relevant tools are not available, and being ignored after the switch to the real root.

And, yes, I did "update-initramfs -u" after putting that entry into /etc/crypttab.

Package-specific info:

-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.16.0-4-amd64 root=/dev/mapper/crypt--vg-root ro quiet

-- /etc/crypttab
sdc5_crypt UUID=6c75641f-6905-4ec5-959f-84d4aecd9481 none luks
swap /dev/disk/by-id/ata-VMware_Virtual_SATA_Hard_Drive_00000000000000000001-part1 /dev/urandom swap,noearly
aux /dev/disk/by-id/ata-VMware_Virtual_IDE_Hard_Drive_01000000000000000001-part1 /dev/disk/by-label/keys:/keys luks,noearly,keyscript=/lib/cryptsetup/scripts/passdev

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/crypt--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sdc1 during installation
UUID=662211d8-6f25-47d2-b61e-f533bbb5bd1b /boot ext2 defaults 0 2
# /dev/mapper/crypt--vg-swap_1 none swap sw 0 0
/dev/mapper/swap none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0

-- lsmod
Module Size Used by
nfsd 263032 2
auth_rpcgss 51211 1 nfsd
oid_registry 12419 1 auth_rpcgss
nfs_acl 12511 1 nfsd
nfs 188136 0
lockd 83389 2 nfs,nfsd
fscache 45542 1 nfs
sunrpc 237402 6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
sha256_ssse3 25692 2
sha256_generic 16804 1 sha256_ssse3
ecb 12737 1
ppdev 16782 0
vmw_balloon 12658 0
coretemp 12820 0
psmouse 99249 0
serio_raw 12849 0
pcspkr 12595 0
snd_ens1371 23119 0
snd_rawmidi 26806 1 snd_ens1371
uvcvideo 79005 0
snd_seq_device 13132 1 snd_rawmidi
videobuf2_vmalloc 12816 1 uvcvideo
snd_ac97_codec 118711 1 snd_ens1371
btusb 29721 0
evdev 17445 3
videobuf2_memops 12519 1 videobuf2_vmalloc
bluetooth 374429 2 btusb
6lowpan_iphc 16588 1 bluetooth
rfkill 18867 1 bluetooth
videobuf2_core 47787 1 uvcvideo
v4l2_common 12995 1 videobuf2_core
videodev 126451 3 uvcvideo,v4l2_common,videobuf2_core
media 18305 2 uvcvideo,videodev
snd_pcm 88662 2 snd_ac97_codec,snd_ens1371
snd_timer 26614 1 snd_pcm
snd 65244 6 snd_ac97_codec,snd_timer,snd_pcm,snd_rawmidi,snd_ens1371,snd_seq_device
soundcore 13026 1 snd
ac97_bus 12510 1 snd_ac97_codec
gameport 13449 1 snd_ens1371
parport_pc 26300 0
battery 13356 0
parport 35749 2 ppdev,parport_pc
processor 28221 0
thermal_sys 27642 1 processor
vmwgfx 165847 0
ttm 77862 1 vmwgfx
drm_kms_helper 49210 1 vmwgfx
drm 249955 4 ttm,drm_kms_helper,vmwgfx
ac 12715 0
i2c_piix4 20864 0
button 12944 0
shpchp 31121 0
i2c_core 46012 5 drm,i2c_piix4,drm_kms_helper,v4l2_common,videodev
vmw_vmci 55383 0
autofs4 35529 2
ext4 473802 2
crc16 12343 2 ext4,bluetooth
mbcache 17171 1 ext4
jbd2 82413 1 ext4
algif_skcipher 13008 0
af_alg 12988 1 algif_skcipher
dm_crypt 22595 2
dm_mod 89405 8 dm_crypt
hid_generic 12393 0
usbhid 44460 0
hid 102264 2 hid_generic,usbhid
sg 29973 0
sr_mod 21903 0
cdrom 47424 1 sr_mod
sd_mod 44356 5
crc_t10dif 12431 1 sd_mod
crct10dif_generic 12581 0
ata_generic 12490 0
crct10dif_pclmul 13387 1
crct10dif_common 12356 3 crct10dif_pclmul,crct10dif_generic,crc_t10dif
crc32_pclmul 12915 0
crc32c_intel 21809 0
ghash_clmulni_intel 12978 0
aesni_intel 151423 6
aes_x86_64 16719 1 aesni_intel
lrw 12757 1 aesni_intel
gf128mul 12970 1 lrw
glue_helper 12695 1 aesni_intel
ablk_helper 12572 1 aesni_intel
cryptd 14516 5 ghash_clmulni_intel,aesni_intel,ablk_helper
ahci 33291 1
libahci 27158 1 ahci
ehci_pci 12512 0
uhci_hcd 43499 0
ehci_hcd 69837 1 ehci_pci
usbcore 195340 6 btusb,uhci_hcd,uvcvideo,ehci_hcd,ehci_pci,usbhid
ata_piix 33592 0
e1000 122545 0
usb_common 12440 1 usbcore
libata 177457 4 ahci,libahci,ata_generic,ata_piix
mptspi 21948 2
scsi_transport_spi 27851 1 mptspi
mptscsih 26657 1 mptspi
mptbase 73042 2 mptspi,mptscsih
scsi_mod 191405 7 sg,scsi_transport_spi,libata,mptspi,sd_mod,sr_mod,mptscsih

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cryptsetup depends on:
ii  cryptsetup-bin         2:1.6.6-5
ii  debconf [debconf-2.0]  1.5.56
ii  dmsetup                2:1.02.90-2.2
ii  libc6                  2.19-18+deb8u1

Versions of packages cryptsetup recommends:
ii  busybox                                1:1.22.0-9+deb8u1
ii  console-setup                          1.123
ii  initramfs-tools [linux-initramfs-tool] 0.120
ii  kbd                                    1.15.5-2

Versions of packages cryptsetup suggests:
pn  dosfstools              <none>
pn  keyutils                <none>
ii  liblocale-gettext-perl  1.05-8+b1

-- debconf information:
  cryptsetup/prerm_active_mappings: true
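
The checks the report performs by hand (is the keyscript packed into the initramfs, and which entries carry "noearly"), written as an added example that is not part of the original report or of the cryptsetup package. The function names parse_crypttab and audit are hypothetical; the two sample inputs are built from the crypttab entries and the lsinitramfs listing quoted in the report.

```python
# Added example (not from the bug report): automate the report's manual checks.
# CRYPTTAB and INITRAMFS_LISTING are sample inputs built from text quoted in the report.
CRYPTTAB = """\
aux /dev/disk/by-id/ata-VMware_Virtual_IDE_Hard_Drive_01000000000000000001-part1 /dev/disk/by-label/keys:/keys luks,noearly,keyscript=/lib/cryptsetup/scripts/passdev
swap /dev/disk/by-id/ata-VMware_Virtual_SATA_Hard_Drive_00000000000000000001-part1 /dev/urandom swap,noearly
"""

INITRAMFS_LISTING = """\
lib/x86_64-linux-gnu/libcryptsetup.so.4
lib/cryptsetup
lib/cryptsetup/askpass
sbin/cryptsetup
"""

def parse_crypttab(text):
    """Yield (name, source, key_field, options) for each crypttab entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        key = fields[2] if len(fields) > 2 else "none"
        opts = {}
        for item in (fields[3].split(",") if len(fields) > 3 else []):
            k, _, v = item.partition("=")  # "luks" -> ("luks", ""), "a=b" -> ("a", "b")
            opts[k] = v
        yield fields[0], fields[1], key, opts

def audit(crypttab_text, initramfs_listing):
    """Return a list of (mapping name, finding) tuples."""
    packed = set(initramfs_listing.split())  # lsinitramfs paths have no leading "/"
    findings = []
    for name, _source, key, opts in parse_crypttab(crypttab_text):
        script = opts.get("keyscript")
        if script:
            if script.lstrip("/") not in packed:
                findings.append((name, "keyscript %s not in initramfs" % script))
            # With keyscript=, the third field is the script's argument, not a device.
            findings.append((name, "key field %r is a keyscript argument" % key))
        if "noearly" in opts:
            findings.append((name, "noearly set; journal shows systemd-cryptsetup ignoring it"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(CRYPTTAB, INITRAMFS_LISTING):
        print("%s: %s" % (name, finding))
```

On a live system the two strings would come from /etc/crypttab and from the output of lsinitramfs on the running kernel's initrd image.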