cryptsetup generator emits RequiresMountsFor for crypto keyfile which prevents keyfile being placed on removable storage #3816

Closed
davestechshop opened this issue Jul 27, 2016 · 2 comments

Comments

@davestechshop

The cryptsetup generator emits RequiresMountsFor for the crypto keyfile. Therefore, when the filesystem that holds this file is unmounted, it also stops the cryptsetup service.

This behavior is incorrect because the filesystem and cryptokey are required only once, when the crypto container is initially set up.

Submission type

  • [x] Bug report
  • [ ] Request for enhancement (RFE)

systemd version the issue has been seen with

systemd 230

Used distribution

Linux version 4.6.4-1-ARCH (builduser@tobias) (gcc version 6.1.1 20160707 (GCC) ) #1 SMP PREEMPT Mon Jul 11 19:12:32 CEST 2016

In case of bug report: Expected behaviour you didn't see

Expect to store keyfiles required by "cryptsetup open" on removable storage and to be able to remove that storage after the system boots up and the encrypted devices are decrypted / opened.

In case of bug report: Unexpected behaviour you saw

When I umount and then remove the USB disk, I see the following line in journalctl:

Jul 25 22:11:20 mserver systemd[1]: systemd-cryptsetup@aluks.service: Installed new job systemd-cryptsetup@aluks.service/stop

Thereafter, the encrypted devices are closed and unmounted.

A workaround is to leave the cryptokeys on the system, which is undesirable for security.

In case of bug report: Steps to reproduce the problem

Add (non-root) btrfs dm-crypt storage to a system. Set up /etc/crypttab with a cryptokey stored on a removable storage device (e.g., an ESP). Boot the system and allow the encrypted storage to be opened and mounted using the keyfiles from /etc/crypttab (which are stored on the removable storage). Then umount and physically remove that removable storage. Check journalctl and note the unexpected stopping of the cryptsetup service (and attempted unmounting of the storage).

@arvidjaar
Contributor

I cannot reproduce it with systemd 232 (test version for openSUSE TW). Assuming I have the key in the /key filesystem, after umount /key the LUKS device remains (and the corresponding unit remains active).

I suppose umount /key falls under "surprise removal" that is handled by BindsTo=, not Requires=, because after systemctl stop key.mount the LUKS device is indeed gone. What a mess :( ...

xolox added a commit to xolox/python-crypto-drive-manager that referenced this issue Jan 17, 2018
@poettering
Member

Should be fully addressed since 882f5f4. Closing.
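
An added example, not part of the thread and not systemd code: a small audit that reads /etc/crypttab-style text and the text of each generated systemd-cryptsetup@<name>.service unit (obtainable with systemctl cat) and reports volumes whose keyfile path appears in RequiresMountsFor=. The sample crypttab, device names, /mnt/usbkey path, unit texts and all function names are constructed for illustration.

```python
import posixpath
import shlex

# Constructed sample input, modelled on the report (volume "aluks", key on USB).
SAMPLE_CRYPTTAB = """\
# name   device      keyfile             options
aluks    /dev/sdb1   /mnt/usbkey/a.key   luks
bluks    /dev/sdc1   none                luks
"""
SAMPLE_UNITS = {  # constructed text of systemd-cryptsetup@<name>.service
    "aluks": "[Unit]\nRequiresMountsFor=/mnt/usbkey/a.key\n\n[Service]\nType=oneshot\n",
    "bluks": "[Unit]\nDescription=Cryptography Setup for %I\n\n[Service]\nType=oneshot\n",
}


def parse_crypttab(text):
    """Return {name: keyfile or None} for each non-comment crypttab line."""
    volumes = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        key = fields[2] if len(fields) > 2 else "none"
        volumes[fields[0]] = None if key in ("none", "-") else posixpath.normpath(key)
    return volumes


def required_mount_paths(unit_text):
    """Collect every path listed in RequiresMountsFor= inside [Unit]."""
    paths, section = [], None
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif section == "[Unit]" and line.startswith("RequiresMountsFor="):
            value = line.split("=", 1)[1]
            paths += [posixpath.normpath(p) for p in shlex.split(value)]
    return paths


def pinned_keyfiles(crypttab_text, units):
    """Map volume name -> keyfile when the unit requires the keyfile's mounts."""
    pinned = {}
    for name, keyfile in parse_crypttab(crypttab_text).items():
        if keyfile is None:
            continue
        for path in required_mount_paths(units.get(name, "")):
            if keyfile == path or keyfile.startswith(path.rstrip("/") + "/"):
                pinned[name] = keyfile
    return pinned
```

Calling pinned_keyfiles(SAMPLE_CRYPTTAB, SAMPLE_UNITS) on the constructed input returns only the aluks entry, the volume whose unit carries a mount requirement for its keyfile.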
