[systemd-devel] systemd prompts for luks key, but keyfile provided in crypttab

Jan medhefgo at web.de
Thu Jul 23 23:45:49 PDT 2015


Alex <geosmin104 <at> gmail.com> writes:

> 
> 
> I was advised on IRC to post this issue here after trying IRC, forums,
> searches, man pages, wikis, etc.
> 
> During init, systemd asks for the passphrase of non-root LUKS drives when
> they are added to crypttab even though a keyfile is specified. The keyfile
> is the same one I'm using to open (old) truecrypt drives (also with
> crypttab) - those open fine and don't ask for the passphrase.
> 
> /etc/crypttab looks like this:
> 
> tcrypt_drive1    /dev/sdXY         /path/to/keyfile    tcrypt
> tcrypt_drive2    /dev/sdYX         /path/to/keyfile    tcrypt
> luks_drive1       UUID=$UUID    /path/to/keyfile
> luks_drive2       UUID=$UUID    /path/to/keyfile
> 
> What I've tried so far, in no particular order:
> 
> - Checking that crypttab's formatting is correct
> - Checking that keyfile has proper permissions
> - Adding and/or removing the 'luks' flag to the luks drives in crypttab
> - Specifying an entry in /etc/fstab for where the luks drives should be
>   mounted
> - Specifying an (identical) keyfile not being used by the tcrypt drives
> - Removing the tcrypt drives from crypttab and leaving only the luks drives
> - Using /dev/sdXY instead of UUID
> - Reversing the order of the tcrypt and luks drives in crypttab
> - Rebuilding initramfs
> - Checking that crypttab was not present in initramfs
> 
> Note: LUKS drives open fine if passphrase is manually typed in when
> systemd prompts for it, as well as post-init when using cryptsetup and
> specifying the keyfile.

What cryptsetup command do you use to open the device?

My best guess is the different handling of the keyfile itself. Afaik,
systemd-cryptsetup will use the full keyfile to open. That includes any
trailing new line. Depending on how you use cryptsetup, it will handle the
keyfile differently (see "Notes on Password Processing" in cryptsetup(8)).
You should try removing any trailing new lines from the keyfile.

Jan
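
The check suggested in the reply above, as an added example that is not part of the original message: a shell script that counts the trailing newline bytes in a keyfile and writes a stripped copy for testing. The function names and the constructed sample key are assumptions for illustration.

```shell
#!/bin/sh
# Added example: inspect a keyfile for trailing newline bytes (0x0a).
# Usage: sh check-keyfile.sh [/path/to/keyfile]

# Print the number of trailing 0x0a bytes at the end of file $1.
# Newlines in the middle of the key are not counted.
trailing_newlines() {
    size=$(($(wc -c < "$1")))
    count=0
    while [ "$size" -gt 0 ]; do
        # Read the single byte at offset size-1 and render it as hex.
        byte=$(dd if="$1" bs=1 skip=$((size - 1)) count=1 2>/dev/null \
               | od -An -tx1 | tr -d ' \n')
        [ "$byte" = "0a" ] || break
        count=$((count + 1))
        size=$((size - 1))
    done
    echo "$count"
}

# Write a copy of keyfile $1 to $2 without its trailing newline bytes.
# The original is left untouched; a newly created copy gets mode 0600.
strip_trailing_newlines() {
    keep=$(( $(wc -c < "$1") - $(trailing_newlines "$1") ))
    ( umask 077 && dd if="$1" of="$2" bs=1 count="$keep" 2>/dev/null )
}

# With no argument, fall back to a constructed sample: a key saved by an
# editor that appended a newline.
keyfile=${1:-}
if [ -z "$keyfile" ]; then
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT
    keyfile=$tmpdir/sample.key
    printf 'constructed-sample-key\n' > "$keyfile"
fi

echo "$keyfile: $(($(wc -c < "$keyfile"))) bytes," \
     "$(trailing_newlines "$keyfile") trailing newline byte(s)"
```

Point a test crypttab entry at the stripped copy rather than overwriting the original keyfile, so the key slot that already works with manual cryptsetup stays usable.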


