Description of problem:
When cryptsetup is given a key file it will read the file to completion. Hence using /dev/urandom as a keyfile is not supported because the key generator will never terminate. However crypttab(5) specifically says you can use /dev/urandom as a key file. If you do this then booting fails. This makes it hard to create a random encryption for /tmp and swap.

Version-Release number of selected component (if applicable): 1.2.0

How reproducible: Always

Steps to Reproduce:
1. Set up a /etc/crypttab file with the contents:
   crypt-tmp <tmp-partition> /dev/urandom tmp
   crypt-swap <swap-partition> /dev/urandom swap
   where "<tmp-partition>" and "<swap-partition>" are block devices.
2. Set up /etc/fstab to include
   /dev/mapper/crypt-tmp /tmp ext2 defaults 0 0
   /dev/mapper/crypt-swap swap swap defaults 0 0
3. Reboot

Actual results: Boot fails when trying to mount /tmp with a timeout message.

Expected results: Boot completes as normal. /dev/mapper/crypt-tmp mounted and swap activated.

Additional info:
After a bit more reading, I see that there is a distinction between the password and the key files. The problem is that crypttab treats field 3 as a password file, when really a random key file is required for random encryption of swap and tmp. There does not seem to be any way to pass a random key file via crypttab.
crypttab processing is quite tricky. If you use a keyfile in plain mode (non-LUKS), it will use the keyfile as the key directly. But using urandom for the key should be possible for plain mode. This one crypttab entry should work:
   crypt-swap <swap-partition> /dev/urandom swap
It is in fact a systemd cryptsetup wrapper problem, but I thought I sent a fix for this... swap encrypted by a key read from urandom was one of the tested scenarios. I'll check it once I have access to some F15 system again.
For me, crypttab is processed correctly - device mapper maps the device, swap is created - using this line:
   swap-plain-keyf /dev/sdb1 /dev/urandom swap
But there seems to be a problem when I add it to fstab with activation...
ok, this is another problem. I'll comment it on duplicate bug. *** This bug has been marked as a duplicate of bug 711394 ***
I do not believe that this bug is a duplicate of 711394, so I'm reopening it. That bug is about swap partitions. This one is primarily about /tmp. When I set my /etc/crypttab to
   crypt-tmp <tmp-partition> /keyfile tmp
   crypt-swap <swap-partition> /keyfile swap
then everything works (apart of course from being insecure because the /keyfile is stored on the root partition). The problem is that the file referred to in /etc/crypttab is passed as a password not a key, and cryptsetup reads password files to completion. What I think is needed is some way to tell the crypttab processing to use /dev/urandom as a key file rather than a password file. Or is there some other workaround?
Does it finish boot somehow? If so, please paste lsblk output and the crypttab entry after the system boots (after timeout). crypttab is processed correctly on my system with urandom, and even swap was activated when I removed that udev rule exception.
You can easily verify if it is a clone of bug 711394: try editing /lib/udev/rules.d/60-persistent-storage.rules this way (remove dm-*):
   # skip rules for inappropriate block devices
   #KERNEL=="fd*|mtd*|nbd*|gnbd*|btibm*|dm-*|md*", GOTO="persistent_storage_end"
   KERNEL=="fd*|mtd*|nbd*|gnbd*|btibm*|md*", GOTO="persistent_storage_end"
Does it help?
The problem is with tmp, not swap. I currently have my /etc/crypttab as
   crypt-tmp /dev/mapper/vg_eiffel-lv_tmp /tstkey tmp
   crypt-swap /dev/mapper/vg_eiffel-lv_swap /dev/urandom swap
This boots fine. But if I set the tmp line to /dev/urandom then boot fails when the initialisation of /tmp times out. I think this is a bug in /etc/functions in the init_crypto function. There is a line:
   if [ -z "$makeswap" ] && cryptsetup isLuks "$src" 2>/dev/null ; then
The "else" part passes the "-d" parameter to cryptsetup (i.e. use key file). I think that if this line was changed to
   if [ -z "$makeswap" ] && [ -z "$mke2fs" ] && cryptsetup isLuks "$src" 2>/dev/null ; then
then the tmp encryption would work in the same way as the swap.
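As an added example (not code from this bug report, nor from cryptsetup or systemd), here is a small Python checker for the crypttab(5) pitfall this thread turns on: an entry whose key file is /dev/urandom is only safe on a throwaway plain-mode volume (the "swap" or "tmp" options); anywhere else the file is read to completion and the unlock never returns. The entry names and LV paths come from this thread; the sample crypttab and the ENDLESS_KEY_SOURCES list are constructed assumptions.

```python
"""Flag /etc/crypttab entries whose key source can never be read to EOF."""
import re

# Character devices that never reach EOF: a reader waiting for "the whole
# file" blocks forever. Constructed list, not an exhaustive one.
ENDLESS_KEY_SOURCES = {"/dev/urandom", "/dev/random", "/dev/hwrng"}
# Options that mark a volume as re-created from a fresh random key each boot.
THROWAWAY_OPTIONS = {"swap", "tmp"}


def parse_crypttab(text):
    """Return a list of (name, device, keyfile, options) per active line.

    Fields are whitespace separated: name, device, keyfile, options. A
    keyfile of "none" (or a missing field) becomes None; options become a set.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least name and device")
        keyfile = fields[2] if len(fields) > 2 and fields[2] != "none" else None
        opts = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append((fields[0], fields[1], keyfile, opts))
    return entries


def check_entries(entries):
    """Return (name, reason) pairs for entries that would hang at boot."""
    problems = []
    for name, _device, keyfile, opts in entries:
        if keyfile in ENDLESS_KEY_SOURCES and not opts & THROWAWAY_OPTIONS:
            problems.append((name, f"{keyfile} without swap/tmp: read to completion never ends"))
    return problems


# Constructed sample: the two entries from this thread plus one that breaks.
SAMPLE = """\
# <name>   <device>                         <keyfile>    <options>
crypt-tmp  /dev/mapper/vg_eiffel-lv_tmp     /dev/urandom tmp
crypt-swap /dev/mapper/vg_eiffel-lv_swap    /dev/urandom swap
crypt-data /dev/mapper/vg_eiffel-lv_scratch /dev/urandom cipher=aes-cbc-essiv:sha256
"""

if __name__ == "__main__":
    for name, reason in check_entries(parse_crypttab(SAMPLE)):
        print(f"{name}: {reason}")
```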
uff. systemd should do the job, /etc/functions should not be used here (and -d /dev/urandom works). But there seems to be another bug. Can you remove tmp mount from /etc/fstab, add urandom to crypttab, reboot and paste "lsblk -f" output? It works for me - urandom is used, fs is there. Just it is not mounted for some reason. (but I have no clear F15 system, it is partially updated from rawhide)
Here it is:
   NAME                         FSTYPE LABEL MOUNTPOINT
   sda
   ├─sda1                                    /boot
   └─sda2
     ├─vg_eiffel-lv_root (dm-0)              /
     ├─vg_eiffel-lv_swap (dm-1)
     │ └─crypt-swap (dm-7)                   [SWAP]
     ├─vg_eiffel-lg_var (dm-2)               /var
     ├─vg_eiffel-lv_home (dm-3)              /home
     ├─vg_eiffel-lv_tmp (dm-4)
     │ └─crypt-tmp (dm-6)                    /tmp
     └─vg_eiffel-lv_scratch (dm-5)           /scratch
   sr0
   sr1
   sdb
   └─sdb1
So, if /etc/functions isn't being used, what does the crypttab processing?
crypttab is now parsed inside systemd and it calls libcryptsetup directly.
So from the lsblk output you can see that crypt-tmp is mounted on /tmp, and crypt-swap is used as swap. So this is correct. What does the wrong config look like?
No info provided here, closing. I think that cryptsetup part works but there are still some issues in systemd regarding LUKS volumes anyway.