[Bug 1879146] [NEW] Cryptsetup ignoring KEYFILE_PATTERN

Aimo Ella aimo.ella at gmail.com
Sun May 17 11:22:37 UTC 2020


Public bug reported:

Steps to reproduce:

While installing Ubuntu (see versions below) into a LUKS1 container, I
choose "Something else" for installation type and select installation-
specific LVM volume for rootfs. During installation, before Grub gets
installed at end, I inject support for encrypted /boot into the target
rootfs by running:

echo "sda2pv UUID=$(cryptsetup luksUUID /dev/sda2) none luks" >> /target/etc/crypttab
echo 'GRUB_ENABLE_CRYPTODISK=y' >> /target/etc/default/grub

Once installation is over, I reboot into the newly installed Ubuntu. To
avoid typing passphrase twice, I attempt to add a keyfile exactly as
instructed:

# Add keyfile.
mkdir -p -m go=,u=rwx /etc/luks
( umask go=,u+rx && dd if=/dev/urandom of=/etc/luks/sda2.key bs=1 count=64 )
cryptsetup luksAddKey /dev/sda2 /etc/luks/sda2.key

# Deploy keyfile.
echo 'KEYFILE_PATTERN="/etc/luks/*.key"' >> /etc/initramfs-tools/conf-hook
echo 'UMASK=0077' >> /etc/initramfs-tools/initramfs.conf
sed -i "s|^\(sda2pv .*\) none \(.*\)$|\1 /etc/luks/sda2.key \2|" /etc/crypttab
update-initramfs -u -k all


Expected behaviour:

Loading the keyfile succeeds and Initramfs does not ask for passphrase
any more (only Grub does).


Actual behaviour:

No matter how carefully I follow the Cryptsetup documentation, every time I
add a reference to my keyfile in /etc/crypttab, update-initramfs tells me:

cryptsetup: WARNING: Skipping root target sda2pv: uses a key file

and does not load my keyfile into Initramfs, despite the matching
KEYFILE_PATTERN setting.

I experience the problem both in Ubuntu 19.10 and Ubuntu 20.04 LTS
(which have cryptsetup version 2.2.0 and 2.2.2, respectively). See
attachment file encrypted-multi-buntu.txt for full yet brief account of
my setup and motivations.

I have repeated the procedure over and over again,
 o with one single Ubuntu and two,
 o with Secure Boot disabled and not,
 o with resume from hibernation disabled and not,
 o with /boot and swap in rootfs volume and in separate volumes,
 o and more,
but have not found a solution.

My main sources:
 o documents in /usr/share/doc/cryptsetup-initramfs/
 o https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
 o https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019


I have come to the conclusion that cryptsetup does not behave as documented. Either the behaviour or the documentation has to be corrected. Which is it?

** Affects: cryptsetup (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: crypttab initramfs

** Attachment added: "full yet brief description of my setup"
   https://bugs.launchpad.net/bugs/1879146/+attachment/5372873/+files/encrypted-multi-buntu.txt

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1879146
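The pre-flight check below is an added example by the editor; it is not part of the bug report and not code from the cryptsetup project. It assumes what the cryptsetup-initramfs hook of the versions named above does: it sources /etc/cryptsetup-initramfs/conf-hook (a KEYFILE_PATTERN written to any other file is never read) and matches the key-file path from /etc/crypttab against KEYFILE_PATTERN as a shell glob. The script emulates that match with `case` over constructed sample files in a temporary directory, so it neither touches /etc nor runs update-initramfs; the file and directory names under the temporary tree are stand-ins. It also checks that initramfs.conf sets UMASK=0077, since an initramfs image with the default 0644 mode would hand the LUKS key file to every local user.

```shell
#!/bin/sh
# Added example (editor's code, not the bug report's or cryptsetup's).
# Emulates the cryptroot hook's KEYFILE_PATTERN decision for each crypttab
# entry, so a key-file deployment can be checked before rebuilding the initramfs.
set -u

# Return 0 if key path $1 matches glob $2 the way an unquoted case pattern does.
# An empty pattern never matches: the hook then skips every key-file target.
keyfile_matches_pattern() {
    key=$1; pattern=$2
    [ -n "$pattern" ] || return 1
    case "$key" in
        $pattern) return 0 ;;
    esac
    return 1
}

# Print the last KEYFILE_PATTERN=... value found in a conf-hook file (quotes stripped).
# Returns 1 when the file cannot be read, i.e. the hook would see no pattern at all.
read_keyfile_pattern() {
    [ -r "$1" ] || return 1
    sed -n 's/^[[:space:]]*KEYFILE_PATTERN=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# For each crypttab line print "<name> <verdict>":
#   passphrase  key field is "none", the initramfs will prompt
#   copied      key path matches the pattern and the file exists
#   missing     key path matches the pattern but the file does not exist
#   skipped     key path set but no pattern or no match (the "uses a key file" warning)
check_crypttab() {
    crypttab=$1; pattern=$2
    while read -r name source key options; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ "${key:-none}" = none ]; then
            echo "$name passphrase"
        elif ! keyfile_matches_pattern "$key" "$pattern"; then
            echo "$name skipped"
        elif [ ! -f "$key" ]; then
            echo "$name missing"
        else
            echo "$name copied"
        fi
    done < "$crypttab"
}

# Return 0 if initramfs.conf ($1) sets UMASK=0077 (or 077), so the image is 0600.
initramfs_umask_ok() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*UMASK=0*77[[:space:]]*$' "$1"
}

# Constructed sample tree standing in for /etc; the key is random filler, not a real LUKS key.
demo=$(mktemp -d)
mkdir -p "$demo/luks" "$demo/cryptsetup-initramfs" "$demo/initramfs-tools"
head -c 64 /dev/urandom > "$demo/luks/sda2.key"
printf 'sda2pv UUID=constructed %s/luks/sda2.key luks\n' "$demo" > "$demo/crypttab"
echo 'UMASK=0077' > "$demo/initramfs-tools/initramfs.conf"

# Step 1: pattern placed under initramfs-tools/, a file the cryptroot hook never sources.
printf 'KEYFILE_PATTERN="%s/luks/*.key"\n' "$demo" > "$demo/initramfs-tools/conf-hook"
pattern=$(read_keyfile_pattern "$demo/cryptsetup-initramfs/conf-hook" || true)
check_crypttab "$demo/crypttab" "$pattern"    # sda2pv skipped

# Step 2: the same line in cryptsetup-initramfs/conf-hook, the file the hook reads.
cp "$demo/initramfs-tools/conf-hook" "$demo/cryptsetup-initramfs/conf-hook"
pattern=$(read_keyfile_pattern "$demo/cryptsetup-initramfs/conf-hook")
check_crypttab "$demo/crypttab" "$pattern"    # sda2pv copied
initramfs_umask_ok "$demo/initramfs-tools/initramfs.conf" && echo "initramfs image will be mode 0600"
rm -rf "$demo"
```

Run against the real system by passing /etc/crypttab, the pattern from /etc/cryptsetup-initramfs/conf-hook and /etc/initramfs-tools/initramfs.conf to the three functions; a "skipped" verdict is exactly the case in which update-initramfs prints the warning quoted above.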
