systemd version the issue has been seen with
257.7-1.fc42
Used distribution
Fedora 42
Linux kernel version used
6.15.8-200
CPU architectures issue was seen on
x86_64
Component
systemd-cryptsetup, systemd-gpt-auto-generator
Expected behaviour you didn't see
When using the DDI specification to create partitions for mount points / and /home, we should be able to have different LUKS passwords for each partition.
Unexpected behaviour you saw
When using the DDI specification to create partitions for mount points / and /home, we are forced to use the same LUKS password for both partitions.
Indeed, if we try to change the password of the /home partition via the command systemd-cryptenroll --password --wipe-slot=password /dev/sdXY, on the next boot, the system will enter emergency mode.
By checking the failed units, we realize that the problem comes from systemd-cryptsetup@home.service.
The logs indicate too many attempts to decrypt the partition:
[root@fedora ~]$ systemctl status systemd-cryptsetup@home.service
systemd-cryptsetup@home.service - Cryptography Setup for home
Loaded: loaded (/run/systemd/generator.late/systemd-cryptsetup@home.service; generated)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: failed (Result: exit-code) since Wed 2025-07-30 16:13:13 CEST; 6s ago
Duration: 1min 55.714s
Invocation: 46bad63526434c09bfa88db39a4a5db7
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Process: 995 ExecStart=/usr/bin/systemd-cryptsetup attach home /dev/disk/by-diskseq/2-part3 tpm2-device=auto (code=exited, status=1/FAILURE)
Main PID: 995 (code=exited, status=1/FAILURE)
Mem peak: 991.6M
CPU: 9.157s
Jul 30 16:13:04 fedora systemd-cryptsetup[995]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-diskseq/2-part3.
Jul 30 16:13:08 fedora systemd-cryptsetup[995]: Failed to activate with specified passphrase. (Passphrase incorrect?)
Jul 30 16:13:13 fedora systemd-cryptsetup[995]: Too many attempts to activate; giving up.
Jul 30 16:13:13 fedora systemd[1]: systemd-cryptsetup@home.service: Main process exited, code=exited, status=1/FAILURE
Jul 30 16:13:13 fedora systemd[1]: systemd-cryptsetup@home.service: Failed with result 'exit-code'.
Jul 30 16:13:13 fedora systemd[1]: Failed to start systemd-cryptsetup@home.service - Cryptography Setup for home.
Jul 30 16:13:13 fedora systemd[1]: systemd-cryptsetup@home.service: Consumed 9.157s CPU time, received 991.6M bytes.By looking closer, we realize that this unit is generated via systemd-gpt-auto-generator and that the kernel keyring is shared (thanks to KeyringMode=shared).
So it tries to use the same password as the one used to decrypt the / partition.
Steps to reproduce the problem
To test, you can use the following mkosi tree:
├── mkosi.conf
│ [Output]
│ OutputDirectory=mkosi.output
│ SplitArtifacts=uki,partitions
│ Format=disk
│ ImageId=test
│ ManifestFormat=json
│
│ [Distribution]
│ Distribution=fedora
│ Release=42
│
│ [Content]
│ Packages=
│ bash-color-prompt
│ bpftool
│ cryptsetup
│ distribution-gpg-keys
│ dnf5
│ fido2-tools
│ git-core
│ integritysetup
│ iproute
│ iproute-tc
│ iputils
│ kernel-core
│ libcap-ng-utils
│ libfido2
│ man-db
│ openssh
│ openssh-clients
│ openssh-server
│ pam
│ passwd
│ pcsc-lite
│ pcsc-lite-ccid
│ perf
│ polkit
│ procps-ng
│ python3
│ rpm
│ systemd-boot
│ systemd-container
│ systemd-networkd
│ systemd-networkd-defaults
│ systemd-oomd-defaults
│ systemd-resolved
│ systemd-ukify
│ tpm2-tools
│ tpm2-tss
│ veritysetup
│ vim-minimal
│ zram-generator-defaults
│ e2fsprogs
│
│ VolatilePackages=
│ systemd-boot
│ systemd-container
│ systemd-networkd
│ systemd-networkd-defaults
│ systemd-oomd-defaults
│ systemd-resolved
│ systemd-ukify
│
│
│ [Content]
│ Packages= bash
│ coreutils
│ util-linux
│ systemd
│ systemd-boot
│ systemd-udev
│ kernel-core
│ keyutils
│
│ RootPassword=root
│ Autologin=yes
│
│ [Runtime]
│ RuntimeSize=50G
├──mkosi.extra
│ ├── usr
│ └──lib
│ └──repart.d
│ ├──00-esp.conf
│ │ [Partition]
│ │ Type=esp
│ ├──10-root_a.conf
│ │ [Partition]
│ │ Type=root
│ │ Label=_empty
│ │ SizeMaxBytes=15G
│ ├──11-root_b.conf
│ │ [Partition]
│ │ Type=root
│ │ Label=_empty
│ │ SizeMaxBytes=15G
│ ├──20-home.conf
│ │ [Partition]
│ │ Type=home
├──mkosi.output
├──mkosi.passphrase
│ test
├──mkosi.repart
│ ├──00-esp.conf
│ │ [Partition]
│ │ Type=esp
│ │ Format=vfat
│ │ CopyFiles=/efi:/
│ │ CopyFiles=/boot:/
│ │ SizeMinBytes=1G
│ ├──10-root.conf
│ │ [Partition]
│ │ Type=root
│ │ Format=ext4
│ │ Label=%M_%A_root
│ │ ExcludeFilesTarget=/home/
│ │ CopyFiles=/
│ │ Encrypt=key-file
│ │ SizeMaxBytes=15G
│ ├──20-home.conf
│ │ [Partition]
│ │ Type=home
│ │ Format=ext4
│ │ Encrypt=key-file
│ │ CopyFiles=/home:/
│ │ GrowFileSystem=yes
Additional program output to the terminal or log subsystem illustrating the issue
A workaround to fix this issue is to create a drop-in file for the unit /etc/systemd/system/systemd-cryptsetup@.service.d/override.conf by modifying the KeyringMode value to private.
Like this:
[Service]
KeyringMode=private
Or alternatively, copy the generated unit via systemd-gpt-auto-generator into /etc/systemd/system to take precedence over the one in /run/systemd/generator.late/systemd-cryptsetup@home.service in order to increase the number of attempts (i.e tries=5)
Wouldn't it be interesting to add a way to directly configure the sharing or not of the keyring from the generator? via for example a kernel command line parameter.
systemd version the issue has been seen with
257.7-1.fc42
Used distribution
Fedora 42
Linux kernel version used
6.15.8-200
CPU architectures issue was seen on
x86_64
Component
systemd-cryptsetup, systemd-gpt-auto-generator
Expected behaviour you didn't see
When using the DDI specification to create partitions for mount points / and /home, we should be able to have different LUKS passwords for each partition.
Unexpected behaviour you saw
When using the DDI specification to create partitions for mount points / and /home, we are forced to use the same LUKS password for both partitions.
Indeed, if we try to change the password of the /home partition via the command systemd-cryptenroll --password --wipe-slot=password /dev/sdXY, on the next boot, the system will enter emergency mode.
By checking the failed units, we realize that the problem comes from systemd-cryptsetup@home.service.
The logs indicate too many attempts to decrypt the partition:
By looking closer, we realize that this unit is generated via systemd-gpt-auto-generator and that the kernel keyring is shared (thanks to KeyringMode=shared).
So it tries to use the same password as the one used to decrypt the / partition.
Steps to reproduce the problem
To test, you can use the following mkosi tree:
├── mkosi.conf │ [Output] │ OutputDirectory=mkosi.output │ SplitArtifacts=uki,partitions │ Format=disk │ ImageId=test │ ManifestFormat=json │ │ [Distribution] │ Distribution=fedora │ Release=42 │ │ [Content] │ Packages= │ bash-color-prompt │ bpftool │ cryptsetup │ distribution-gpg-keys │ dnf5 │ fido2-tools │ git-core │ integritysetup │ iproute │ iproute-tc │ iputils │ kernel-core │ libcap-ng-utils │ libfido2 │ man-db │ openssh │ openssh-clients │ openssh-server │ pam │ passwd │ pcsc-lite │ pcsc-lite-ccid │ perf │ polkit │ procps-ng │ python3 │ rpm │ systemd-boot │ systemd-container │ systemd-networkd │ systemd-networkd-defaults │ systemd-oomd-defaults │ systemd-resolved │ systemd-ukify │ tpm2-tools │ tpm2-tss │ veritysetup │ vim-minimal │ zram-generator-defaults │ e2fsprogs │ │ VolatilePackages= │ systemd-boot │ systemd-container │ systemd-networkd │ systemd-networkd-defaults │ systemd-oomd-defaults │ systemd-resolved │ systemd-ukify │ │ │ [Content] │ Packages= bash │ coreutils │ util-linux │ systemd │ systemd-boot │ systemd-udev │ kernel-core │ keyutils │ │ RootPassword=root │ Autologin=yes │ │ [Runtime] │ RuntimeSize=50G ├──mkosi.extra │ ├── usr │ └──lib │ └──repart.d │ ├──00-esp.conf │ │ [Partition] │ │ Type=esp │ ├──10-root_a.conf │ │ [Partition] │ │ Type=root │ │ Label=_empty │ │ SizeMaxBytes=15G │ ├──11-root_b.conf │ │ [Partition] │ │ Type=root │ │ Label=_empty │ │ SizeMaxBytes=15G │ ├──20-home.conf │ │ [Partition] │ │ Type=home ├──mkosi.output ├──mkosi.passphrase │ test ├──mkosi.repart │ ├──00-esp.conf │ │ [Partition] │ │ Type=esp │ │ Format=vfat │ │ CopyFiles=/efi:/ │ │ CopyFiles=/boot:/ │ │ SizeMinBytes=1G │ ├──10-root.conf │ │ [Partition] │ │ Type=root │ │ Format=ext4 │ │ Label=%M_%A_root │ │ ExcludeFilesTarget=/home/ │ │ CopyFiles=/ │ │ Encrypt=key-file │ │ SizeMaxBytes=15G │ ├──20-home.conf │ │ [Partition] │ │ Type=home │ │ Format=ext4 │ │ Encrypt=key-file │ │ CopyFiles=/home:/ │ │ GrowFileSystem=yesAdditional program output to the terminal or log subsystem illustrating the issue
A workaround to fix this issue is to create a drop-in file for the unit /etc/systemd/system/systemd-cryptsetup@.service.d/override.conf by modifying the KeyringMode value to private.
Like this:
Or alternatively, copy the generated unit via systemd-gpt-auto-generator into /etc/systemd/system to take precedence over the one in /run/systemd/generator.late/systemd-cryptsetup@home.service in order to increase the number of attempts (i.e tries=5)
Wouldn't it be interesting to add a way to directly configure the sharing or not of the keyring from the generator? via for example a kernel command line parameter.