On 23/11/2018 17:48, Guilhem Moulin wrote:
> On Fri, 23 Nov 2018 at 17:27:11 +0100, Mikhail Morfikov wrote:
>> On 23/11/2018 17:20, Guilhem Moulin wrote:
>>> On Fri, 23 Nov 2018 at 17:09:24 +0100, Mikhail Morfikov wrote:
>>>> Should the script be used when systemd takes care of opening the
>>>> encrypted containers? Because it doesn't support those scripts.
>>>
>>> Indeed, but systemd isn't involved at initramfs stage. At this stage
>>> unlocking is done by our own scripts from the ‘cryptsetup-initramfs’
>>> package (against which you filed this bug).
>>
>> So why, when plymouth is installed, is the system able to use the kernel
>> keyring without problems and hence successfully decrypt both of the drives
>> with only one password?
>
> Because plymouthd caches them, too. See for instance
> https://lists.debian.org/debian-user/2018/08/msg00031.html .

I think I get it now. Basically, what I wanted can't be done (the way I
wanted). If I had two encrypted containers (neither of them the system one),
I would open them via "systemctl start", and systemd would use the kernel
keyring and open both containers with one password.

If plymouth caches the password once typed, it uses the password multiple
times, and that's why I don't have to type the password manually again. But
in this way plymouth doesn't use the kernel keyring -- that's why the root
keyring is empty after unlocking the system container.

So there are 3 different mechanisms (crypttab, systemd, plymouth) and they
aren't compatible with each other. So the solution would be to use
systemd+plymouth, or to disable the systemd generator for encrypted devices
and use crypttab instead with the keyctl script. I could use either one, but
I thought this could be done by using only systemd.
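A crypttab configuration for the second option named in the message (let the cryptsetup-initramfs keyscript path unlock both containers, with systemd's generator switched off), as an added example that is not part of the original bug report and not the cryptsetup package's own documentation. The mapping names, UUIDs and the `shared` identifier are assumptions chosen for illustration:

```text
# /etc/crypttab  (added example; mapping names and UUIDs are placeholders)
#
# With keyscript=decrypt_keyctl the third (key file) field is not read as a
# file: it is the identifier under which the typed passphrase is cached in
# the kernel keyring. Entries that carry the same identifier are unlocked
# with the same cached passphrase, so it is typed once for both containers.
# The initramfs option makes cryptsetup-initramfs handle a non-root
# container at initramfs stage, where systemd is not involved.
data1_crypt  UUID=11111111-2222-3333-4444-555555555555  shared  luks,keyscript=decrypt_keyctl,initramfs
data2_crypt  UUID=66666666-7777-8888-9999-aaaaaaaaaaaa  shared  luks,keyscript=decrypt_keyctl,initramfs
```

After editing crypttab, run `update-initramfs -u` so the cryptsetup-initramfs hook picks the entries up. To keep systemd-cryptsetup-generator from also generating units for these entries once the root filesystem is mounted (it does not support `keyscript=`), add `luks=0` to the kernel command line; `rd.luks=0` only affects a systemd-based initrd and is irrelevant with initramfs-tools. Note that `luks=0` disables the generator for every crypttab entry, not just these two, so any container that must be unlocked after boot by systemd needs to be handled some other way.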