[Bug 1362881] [NEW] Can't input password with keyscript=decrypt_keyctl in initramfs

Marek Dopiera marek at dopiera.pl
Fri Aug 29 01:30:19 UTC 2014


Public bug reported:

Setup
---
Description:    Ubuntu 14.04.1 LTS
Release:        14.04

cryptsetup:
  Installed: 2:1.6.1-1ubuntu1
  Candidate: 2:1.6.1-1ubuntu1
  Version table:
 *** 2:1.6.1-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

My root device is a LUKS-encrypted LVM volume. I have several other
devices encrypted with the same password, so I wanted to use the
keyscript=decrypt_keyctl option in crypttab so as not to enter the password
several times. The problem is that while in initramfs, I cannot enter
the password (the terminal doesn't react to anything after it prompts
for the password).

Reason for failure
---
I debugged the problem myself and the reason is:
- plymouthd is running and grabbing all the input
- the decrypt_keyctl script uses askpass for the password, so it doesn't get any input

Solution
---
The solution is to make the script plymouth-aware. I attach a patch which solved the issue for me.

Comment
---
The problem is deeper though - any keyscript needs to be plymouth-aware. I think what can be done is to update the manpage - if plymouth is used (the default) and the script requires any input, it needs to be done via plymouth.

Workaround
---
I tried chmod -x /sbin/plymouthd as a workaround, but it didn't fix the problem:
- plymouth scripts in init-top and init-bottom failed (that's probably fine, except they should not emit any error messages)
- I was able to decrypt the root device in initramfs
- for some reason (I didn't dig more) devices which did not have the keyscript set failed to be decrypted (the prompt was displayed, but when I entered the password it was echoed to the console, the devices were not decrypted and the init process got stuck)

It does fix the problem if all the devices share the same key and all
have the script set though.

** Affects: cryptsetup (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "decrypt_keyctl.patch"
   https://bugs.launchpad.net/bugs/1362881/+attachment/4189554/+files/decrypt_keyctl.patch
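
A plymouth-aware passphrase prompt of the kind the report describes, as an added example; it is not the attached patch and not code from the cryptsetup package. It assumes the `plymouth --ping` and `plymouth ask-for-password` client commands and the Debian/Ubuntu askpass path `/lib/cryptsetup/askpass`; the `PLYMOUTH` and `ASKPASS` override variables and the `--ask` argument are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: plymouth-aware passphrase prompt for a crypttab keyscript.
# PLYMOUTH and ASKPASS are hypothetical override variables (useful for
# testing); the askpass path is the Debian/Ubuntu location, an assumption.
PLYMOUTH="${PLYMOUTH:-plymouth}"
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"

# True only when the plymouth client exists and the daemon answers a ping,
# i.e. when plymouthd owns the console and would swallow direct tty input.
plymouth_active() {
    command -v "$PLYMOUTH" >/dev/null 2>&1 &&
        "$PLYMOUTH" --ping >/dev/null 2>&1
}

# Write the passphrase to stdout, where the keyscript interface reads it,
# and nothing else. The prompt text is displayed by the chosen helper,
# which also keeps the typed passphrase from being echoed.
read_passphrase() {
    prompt="$1"
    if plymouth_active; then
        "$PLYMOUTH" ask-for-password --prompt="$prompt"
    else
        "$ASKPASS" "$prompt"
    fi
}

# Prompt only when explicitly asked to, so sourcing this file is harmless.
if [ "${1:-}" = "--ask" ]; then
    read_passphrase "${2:-Enter passphrase: }"
fi
```

A keyscript that caches the passphrase, as decrypt_keyctl does, would call `read_passphrase` only on a cache miss.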
