Re: luks, crypttab: why 3 partition only 2 passphrases entered
On Aug/07/2018, Jonathan Dowland wrote:
> On Sat, Aug 04, 2018 at 10:54:59PM +0100, Carles Pina i Estany wrote:
> > And I'm now 99% sure that the culprit of all this confusion is...
> > plymouth! It has a password caching facility and systemd seems to use it
> > to get the cached password.
> Almost certainly, yes, although, if plymouth is passing the password
> through to systemd, then it need not be caching it itself, as systemd
> caches disk passwords for a short while (I think 5 minutes if I recall
> correctly). See systemd-ask-password(1) for an introduction to the
> architecture of systemd's password stuff.
I did some further digging after sending my last message.
The Debian initrd scripts use Plymouth (if installed, of course, else
other methods... I had it installed) to ask the user for passwords and
try to mount the root partition and minimum partitions.
When the Debian initrd scripts are finished, they execute systemd, which will
request the cached passwords from plymouthd (using a local socket, I
think). They can be seen if adding: ply_trace("Carles password: %s",
password); in the while (node != NULL) after 'ply_trace ("There are %d
cached passwords",' (I should have had git for these changes :-) ) (in
(also passing "debug" to the kernel, then journalctl to see the plymouth
All the passwords are cached, even invalid ones: Plymouth doesn't know
whether they were valid or not, and the Debian scripts don't invalidate
them. I'm not even sure whether Plymouth supports invalidation of passwords :)
Systemd requests all the cached passwords from plymouthd.
Then systemd tries to mount the other partitions with the requested
passwords; if it works, it will add the passwords to the kernel keyring,
and they can be seen with:
root@pinux:~# keyctl show
696839878 --alswrv 0 65534 keyring: _uid_ses.0
373345068 --alswrv 0 65534 \_ keyring: _uid.0
600178798 --alswrv 0 0 \_ user: cryptsetup
(This can be tested on my system at any time with:
systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service
or just stop, start (enter password), stop, start (password not needed
because it is already in the keyring; I think that is 5 minutes by default).)
That was quite a lot of fun!
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157
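As an added illustration of the keyring observation above (this is example code, not part of Carles' message or of systemd/plymouth), the script below parses the text format of `keyctl show` as quoted in the message and lists the IDs of any `user: cryptsetup` keys, i.e. passphrases that systemd-cryptsetup has left cached in the kernel keyring. The sample output embedded in it is constructed from the message; the function names `cryptsetup_key_ids` and `count_cached_cryptsetup_keys` and the `--live` switch are this example's own. On a real system, `keyctl purge user cryptsetup` drops the cached entries before the timeout expires.

```shell
#!/bin/sh
# Added example: detect cryptsetup passphrases cached in the kernel keyring
# by parsing `keyctl show` output. Not part of the original message.

# Constructed sample, modelled on the `keyctl show` output quoted in the message.
SAMPLE_KEYRING='Session Keyring
 696839878 --alswrv      0 65534  keyring: _uid_ses.0
 373345068 --alswrv      0 65534   \_ keyring: _uid.0
 600178798 --alswrv      0     0       \_ user: cryptsetup'

# Read `keyctl show` output on stdin and print the key ID (first column) of
# every "user: cryptsetup" entry. Exit status is 0 if at least one was found.
cryptsetup_key_ids() {
    awk '/user: cryptsetup/ { print $1; found = 1 } END { exit !found }'
}

# Count cached cryptsetup keys in the keyring text passed as the first argument.
count_cached_cryptsetup_keys() {
    printf '%s\n' "$1" | cryptsetup_key_ids | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    # Real system: inspect the live keyring. To drop the cached passphrases
    # early instead of waiting for the timeout: keyctl purge user cryptsetup
    keyctl show | cryptsetup_key_ids
else
    # Offline demonstration on the constructed sample; prints 1.
    count_cached_cryptsetup_keys "$SAMPLE_KEYRING"
fi
```

Run it without arguments to see the parser work on the constructed sample, or with `--live` (as root, with keyutils installed) to check the real session keyring right after a `systemctl stop`/`start` of a `systemd-cryptsetup@…` unit.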