RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 845701 - Crypttab does not mount volume at boot
Summary: Crypttab does not mount volume at boot
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: initscripts
Version: 6.2
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Lukáš Nykrýn
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-08-03 22:43 UTC by Todd
Modified: 2016-11-25 13:05 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-06 18:46:47 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Todd 2012-08-03 22:43:11 UTC 
Hi All,

I am coming from the "Community": Scientific Linux 6.2, 64 bit.  Would one of our interpret heroes at Red Hat please fix this for me?

I just encrypted my backup drives.  In the process, I found the /etc/crypttab ignores my entry for my backup drive, forcing an error at fstab time.  I am forced to mount my backup drive with rc.local.

$ grep -i lin-bak /etc/crypttab
lin-bak /dev/sdb1 /etc/crypttab.lin-bak.key

$ grep -i lin-bak /etc/fstab
/dev/mapper/lin-bak /lin-bak ext4 defaults 1 0

fstab errors out with mount: "special device /dev/mapper/lin-bak does not exist".  This error is what you would expect as /etc/crypttab does not create /dev/mapper/lin-bak.   (/dev/mapper/lin-bak disappears after each reboot.)

There are no other errors other than the mount error at boot up.

My other UUID mounted drives (my main and swap drives) do get /dev/mapper entries and do mount correctly.

Here is my rc.local work around:

# if I can not get /etc/crypttab to work, this will populate /dev/mapper
# with lin-bak and mount /lin-bak

if [ ! -L /dev/mapper/lin-bak ]; then
   cryptsetup luksOpen /dev/sdb1 lin-bak < /etc/crypttab.lin-bak.key
   mount /lin-bak
fi

Many thanks,
-T
Comment 2 Milan Broz 2012-08-06 09:06:27 UTC 
Does
cryptsetup luksOpen /dev/sdb1 lin-bak -d /etc/crypttab.lin-bak.key
work?

If not, your keyfile contains EOL (\n) and because keyfiles take EOL as normal char (while in interactive or pipe) input EOL causes end of input.

So in this case just trim your keyfile so it contain only chars before first \n - or change LUKS keyslot to use this keyfile. 
(Check with "hexdump -c /etc/crypttab.lin-bak.key".)
Comment 3 Todd 2012-08-06 17:10:16 UTC 
# umount /lin-bak

# cryptsetup remove /dev/mapper/lin-bak

# cryptsetup luksOpen /dev/sdb1 lin-bak -d /etc/crypttab.lin-bak.key
No key available with this passphrase.

# cryptsetup luksOpen /dev/sdb1 lin-bak < /etc/crypttab.lin-bak.key
<It worked>


And,
# hexdump -c /etc/crypttab.lin-bak.key
0000010 ...   \n

At this point, I have to cry foul!  "vi -b /etc/crypttab.lin-bak.key" shows this file to be a simple one line file.  If I add a second empty line, hexdump gives me two "\n" at the end of the file.  Since "vi" will not create a "\n" free file, how in the world am I to create a text file without a "\n" at the end?

And, more foul,
# hexdump -c < /etc/crypttab.lin-bak.key
0000010 ...   \n

Which does work, also has a "\n" in it!

I am really confused!

-T
Comment 4 Todd 2012-08-06 17:25:54 UTC 
More confusion, if I am not mistaken, if I find a way to remove the "\n", do I not get a 1024 character long file?
Comment 5 Milan Broz 2012-08-06 18:46:47 UTC 
You can create it e.g.
echo -n "mypassword" >file

For removing \n... I would ether use dd (dd if=oldfile of=newfile bs=1 count=N-1) or something even more clever like... vi?

:set binary
:set noeol
(first hit on google btw ;-)

If you use it as keyfile (luksAddKey for example) then the \n will be just part of keyfile. 

So this is not bug, just quite problematic handling of \n in cryptsetup (which must be there for compatibility reasons...)
Comment 6 Todd 2012-08-06 19:36:29 UTC 
Hi Milan,

Maybe not a bug, but really bad programming.  Who in the world in going to know they have to create the keyfile without the "\n"?

This there any chance you can use your considerable influence to get this fixed?  If not, can you at least get something put into the man page on the "\n" free requirement and how to create a  "\n" free keyfile?

Many thanks,
-T
Comment 7 Todd 2012-08-06 19:53:22 UTC 
Hi Milan,

I rebooted with my rc.local work around commented out.  I am confirming that your fix works.  /lin-bak mounted properly from fstab.

Thinking about the problem: I do believe that crypttab is expected to accept lie feeds (\n) as a possible password, so this is why I had the problem.  That being the case, the \n feed requirement must be documented in the man page.  Otherwise it is going to drive a lot of folks nuts, especially since I googled my eyeballs out and found nothing before reporting to you.

Should I open a new bug on the man page or can you just use this one and change the name?
Comment 8 Milan Broz 2012-08-06 20:03:28 UTC 
see man cryptsetup - NOTES ON PASSPHRASE PROCESSING FOR LUKS section

crypttab has parameter for keyfile, so it is processed like a keyfile.
(but I do not maintain crypttab processing...)

Btw Debian crypttab man page has this:

The third field, key file, describes the file to use as a key for decrypting the data of the source device. Note that the entire key file will be used as the passphase; the passphase must not be followed by a newline character.

No idea why it is not in Fedora/RHEL man page. Reopen this bug it you want to fix man crypttab page (it is part of initscritps package).
Comment 9 Milan Broz 2012-08-06 20:10:03 UTC 
(...and eventually RHEL can do it even without "passphase/passphrase" typos :-)
Comment 10 Todd 2012-08-06 20:16:59 UTC 
(In reply to comment #9)
> (...and eventually RHEL can do it even without "passphase/passphrase" typos
> :-)

I went to publik skol!  :-)

How about my question about correcting the man page?  If you decide to do that, I will volunteer to write it.  (You can fix my spelling and cherry it out)

-T
Comment 11 Todd 2012-08-06 23:27:58 UTC 
Please move all activity on this bug to:

crypttab tab man page password section needs to be updated
https://bugzilla.redhat.com/show_bug.cgi?id=846140
Note You need to log in before you can comment on or make changes to this bug.