[Bug 2084251] Re: LUKS not detected or prompted for on boot

Thu Nov 7 13:06:14 UTC 2024

> ### Edit: The deboostrap test is not applicable, because I wrongly assumed we would adjust the priorities 
> in SRU, but after consulting an AA, it is not worth doing for oracular.

I don't understand this, because the diff shows that the priority was
adjusted in the proposed package:

--- a/debian/control
+++ b/debian/control
@@ -95,9 +95,9 @@ Recommends: default-dbus-system-bus | dbus-system-bus,
             networkd-dispatcher,
             systemd-timesyncd | time-daemon,
             systemd-resolved,
+            systemd-cryptsetup,
             ${dlopen:Recommends},
 Suggests: systemd-container,
-          systemd-cryptsetup,
           systemd-homed,
           systemd-userdbd,
           systemd-boot,
@@ -644,6 +644,7 @@ Description: Provides the systemd-repart utility
  and dm-verity among other things.
 
 Package: systemd-cryptsetup
+Priority: important
 Build-Profiles: <!stage1>
 Architecture: linux-any
 Depends: ${shlibs:Depends},

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2084251

Title:
  LUKS not detected or prompted for on boot

Status in cryptsetup package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  In Progress
Status in cryptsetup source package in Oracular:
  Invalid
Status in systemd source package in Oracular:
  Fix Committed

Bug description:
  [Impact]

  Upgrades from Noble to Oracular do not pull systemd-cryptsetup in by
  default. Users that rely on e.g. cryptswap, or something else in
  /etc/crypttab that was previously handled by systemd-cryptsetup, they
  will face regressions on upgrades.

  Users that install 24.10 as ZFS + encryption also see issues due to
  missing systemd-cryptsetup. Note that this patch for systemd does not
  itself fix the installation issue.

  [Test Plan]

  1. The systemd-cryptsetup package should be installed on upgrades from
  Noble to Oracular:

  $ lxc launch ubuntu:noble noble
  $ lxc exec noble bash

  Then, in the container:

  $ cat > /etc/apt/sources.list.d/proposed.sources << EOF
  Types: deb
  URIs: http://us.archive.ubuntu.com/ubuntu/
  Suites: noble-proposed
  Components: main restricted universe multiverse
  Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
  EOF
  cat <<EOF >/etc/apt/preferences.d/proposed-updates
  # Make sure that after we re-write sources, the correct version is pulled in.
  Package: *
  Pin: release a=oracular-proposed
  Pin-Priority: 500
  EOF
  $ do-release-upgrade
  ...
  $ apt policy systemd-cryptsetup

  Without the fix, systemd-cryptsetup would not be installed
  automatically during the upgrade.

  ### Edit: The deboostrap test is not applicable, because I wrongly
  assumed we would adjust the priorities in SRU, but after consulting an
  AA, it is not worth doing for oracular.

  2. The systemd-cryptsetup package should be installed when
  bootstrapping oracular:

  $ debootstrap --extra-suites=oracular-proposed oracular oracular
  ...
  $ systemd-nspawn -D oracular

  Then, in the container:

  $ apt policy systemd-cryptsetup

  Without the fix, systemd-cryptsetup would not be installed during the
  bootstrap.

  [Where problems could occur]

  The patch is to change the Priority to important for systemd-
  cryptsetup, and to add Recommends: systemd-cryptsetup back to systemd.
  Hence, issues would be related to installing systemd, or maybe
  bootstrapping.

  We should make sure there are no typos in the patch :)

  [Original Description]

  Hi,

  I just upgraded from Noble to Oracular. It seems post-upgrade, only a
  single LUKS device is decrypted on boot.

  My `/etc/crypttab` is as follows:

  | nvme0n1p3_crypt UUID=c82c8c6c-e363-473f-a655-a325d4e6cf3b none luks,discard
  | nvme0n1p4_crypt UUID=3de219b7-3e0c-437b-a0eb-d3cb8087d74e none luks,discard

  `lsblk -o +UUID` showing UUIDs:

  | ├─nvme0n1p3         259:3    0   384G  0 part                               c82c8c6c-e363-473f-a655-a325d4e6cf3b
  | │ └─nvme0n1p3_crypt 252:0    0   384G  0 crypt /                            f48e2583-013f-474c-9f57-5deabef8d833
  | └─nvme0n1p4         259:4    0 546.8G  0 part                               3de219b7-3e0c-437b-a0eb-d3cb8087d74e
  |   └─nvme0n1p4_crypt 252:1    0 546.7G  0 crypt /home                        dfea2d4c-f43e-4ef9-8938-3255f7987dfa

  I can confirm that the `crypttab` entry is correct because I can run
  `cryptdisks_start nvme0n1p4_crypt` on the recovery prompt and it
  decrypts it.

  I haven't yet tried downgrading `cryptsetup`, will give that a try
  tomorrow.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2084251/+subscriptions


