Hi,
On Aug/07/2018, Jonathan Dowland wrote:
> On Sat, Aug 04, 2018 at 10:54:59PM +0100, Carles Pina i Estany wrote:
> >
> > And I'm now 99% sure that the culprit of all this confusion is...
> > plymouth! It has a password caching facility and systemd seems to use it
> > to get the cached password.
>
> Almost certainly, yes, although, if plymouth is passing the password
> through to systemd, then it need not be caching it itself, as systemd
> caches disk passwords for a short while (I think 5 minutes if I recall
> correctly). See systemd-ask-password(1) for an introduction to the
> architecture of systemd's password stuff.

I did some further digging after sending my last message.

The Debian initrd scripts use Plymouth (if installed, of course, else other
methods... I had it installed) to ask the user for passwords and try to
mount the root partition and minimum partitions.

When the Debian initrd scripts are finished they execute systemd, which will
request the cached passwords from plymouthd (using a local socket, I think).
They can be seen by adding:

    ply_trace("Carles password: %s", password);

in the while (node != NULL) loop after 'ply_trace ("There are %d cached
passwords",' (I should have had git for these changes :-) ) (in the
ply_boot_connection_on_request function). (Also passing "debug" to the
kernel, then journalctl to see the plymouth debug messages.)

All the passwords are cached, even invalid ones: Plymouth doesn't know if
they were valid or not and the Debian scripts don't invalidate them; I'm not
even sure if Plymouth supports invalidation of passwords :)

Systemd requests all the cached passwords from plymouthd.
Then systemd tries to mount the other partitions with the requested
passwords. If it works, it will add the passwords to the kernel keyring, and
it can be seen with:

root@pinux:~# keyctl show
Session Keyring
 696839878 --alswrv      0 65534  keyring: _uid_ses.0
 373345068 --alswrv      0 65534   \_ keyring: _uid.0
 600178798 --alswrv      0     0       \_ user: cryptsetup
root@pinux:~#

(this can be tested in my system at any time with:

systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service
keyctl show

or just stop, start (enter password), stop, start (password not needed
because it is already in the keyring, I think that's 5 minutes by default))

That was quite a lot of fun!

Cheers,

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
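As an added example, not code from this thread nor from Debian, systemd or plymouth: a small POSIX shell helper that scans `keyctl show` output for cached cryptsetup passphrase keys (the `user: cryptsetup` entries systemd adds, as in the listing above), so an administrator can check whether a disk passphrase is still held in the keyring and unlink it before the default timeout expires. The sample listing embedded below is constructed from the output quoted in the message; the column layout it assumes (`<key id> <perms> <uid> <gid> [\_] <type>: <description>`) is keyctl's usual one, and `keyctl unlink` is the keyutils command for dropping a key from a keyring.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a "keyctl show" listing for
# cached cryptsetup passphrases. Assumes keyctl's usual listing layout:
#   <key id> <perms> <uid> <gid> [\_] <type>: <description>

# Print the key ID of every "user: cryptsetup" entry in a keyctl listing
# read from stdin. Keyring lines have "keyring:" as their type, so they
# never match.
cached_cryptsetup_key_ids() {
    awk '$(NF-1) == "user:" && $NF == "cryptsetup" { print $1 }'
}

# Count those keys; a non-zero result means a disk passphrase is still
# cached in the kernel keyring.
cached_cryptsetup_key_count() {
    cached_cryptsetup_key_ids | wc -l | tr -d ' '
}

# Constructed sample: the "keyctl show" output quoted in the message above.
# The cryptsetup key hangs off _uid.0, i.e. root's user keyring (@u).
SAMPLE_KEYCTL_SHOW='Session Keyring
 696839878 --alswrv      0 65534  keyring: _uid_ses.0
 373345068 --alswrv      0 65534   \_ keyring: _uid.0
 600178798 --alswrv      0     0       \_ user: cryptsetup'

# Live use on a machine with keyutils installed (run as the uid that owns
# the keyring, root in the listing above):
#   keyctl show | cached_cryptsetup_key_ids | while read -r id; do
#       keyctl unlink "$id" @u
#   done
# Demo on the constructed sample; prints 600178798.
printf '%s\n' "$SAMPLE_KEYCTL_SHOW" | cached_cryptsetup_key_ids
```

The helper only reads the listing; removing a key is left to the explicit `keyctl unlink` loop in the comment, since `keyctl clear @u` would also drop any other keys the user keyring holds.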