>  > Workaround: add "luks=no" to the kernel command line to disable
> systemd's generator
> 
> This worked great... until you try to add another partition to crypttab.
> Since the cryptroot in initrd only does root, but luks=no disables all
> others.
> 
> Is there any clean solution that recognizes the granularity? Maybe one way
> is to put all encrypted filesystems loaded via initramfs?

Not a clean solution, but a workaround for root partitions using a keyscript.

Let systemd handle encrypted partitions via crypttab (i.e. don't use luks=no).
But exclude the root partition by masking the generated unit.

Example
-------
My crypttab contains (among other entries):
root_crypt  UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  /dev/disk/by-uuid/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:/keys/root  luks,keyscript=passdev

systemd will dynamically generate service units for all partitions in crypttab:
$ ls -l /run/systemd/generator/systemd-cryptsetup*
-rw-r--r-- 1 root root  867 Feb  2 16:31 /run/systemd/generator/systemd-cryptsetup@home_crypt.service
-rw-r--r-- 1 root root 1103 Feb  2 16:31 /run/systemd/generator/systemd-cryptsetup@root_crypt.service
-rw-r--r-- 1 root root  865 Feb  2 16:31 /run/systemd/generator/systemd-cryptsetup@var_crypt.service

Whenever systemd tries to start systemd-cryptsetup@root_crypt.service during
boot, it will time out and fail:
Feb 02 13:52:39 host systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-yyyyyyyy\x2dyyyy\x2dyyyy\x2dyyyy\x2dyyyyyyyyyyyy:-keys-root.device.
Feb 02 13:52:39 host systemd[1]: Dependency failed for Cryptography Setup for root_crypt.
Feb 02 13:52:39 host systemd[1]: Dependency failed for Local Encrypted Volumes.
Feb 02 13:52:39 host systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
Feb 02 13:52:39 host systemd[1]: systemd-cryptsetup@root_crypt.service: Job systemd-cryptsetup@root_crypt.service/start failed with result 'dependency'.


But the following command will mask this unit, so that systemd will not attempt
to start it at all:
systemctl mask systemd-cryptsetup@root_crypt.service

Afterwards, my system boots without timeout and all encrypted partitions are 
available.


HTH,
Michel
-- 
Security is not a product and not a process. Security is an emotion.
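Added example (not part of Michel's post or of systemd/cryptsetup): a small POSIX shell helper that parses a crypttab, picks out the entries that carry a keyscript= option (the ones the initramfs unlocks, which the systemd generator cannot handle), and checks whether the matching generated unit has been masked. It relies on the fact that `systemctl mask` places a symlink to /dev/null under /etc/systemd/system, which overrides the unit in /run/systemd/generator. The crypttab content and UUIDs below are constructed placeholders; the unit directory can be overridden so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the original thread: find crypttab entries
# unlocked via a keyscript and report whether their generated
# systemd-cryptsetup@<name>.service unit is masked.

# Constructed sample crypttab (placeholder UUIDs), mirroring the thread's layout.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
root_crypt  UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  /dev/disk/by-uuid/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:/keys/root  luks,keyscript=passdev
home_crypt  UUID=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa  /keys/home  luks
var_crypt   UUID=bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb  none  luks
'

# keyscript_targets: read crypttab text on stdin, print the target name of
# every entry whose 4th (options) field contains keyscript=..., one per line.
keyscript_targets() {
    # drop comments, then inspect the options field of each remaining entry
    sed -e 's/#.*//' | awk 'NF >= 4 && $4 ~ /(^|,)keyscript=/ { print $1 }'
}

# unit_name: map a crypttab target to the unit name the generator produces.
unit_name() {
    printf 'systemd-cryptsetup@%s.service\n' "$1"
}

# is_masked: exit 0 if unit $1 is masked, i.e. $dir/$1 is a symlink to
# /dev/null (what "systemctl mask" creates). $2 overrides the unit directory,
# which defaults to /etc/systemd/system.
is_masked() {
    dir=${2:-/etc/systemd/system}
    [ -L "$dir/$1" ] && [ "$(readlink "$dir/$1")" = "/dev/null" ]
}

# report: for each keyscript entry in crypttab text $1, print one line stating
# whether its unit is masked and, if not, the command that would mask it.
report() {
    dir=${2:-/etc/systemd/system}
    printf '%s' "$1" | keyscript_targets | while read -r target; do
        unit=$(unit_name "$target")
        if is_masked "$unit" "$dir"; then
            printf '%s masked\n' "$unit"
        else
            printf '%s NOT masked (run: systemctl mask %s)\n' "$unit" "$unit"
        fi
    done
}

# Stand-alone run against the constructed sample and the real unit directory.
report "$SAMPLE_CRYPTTAB"
```

To use it on a live system, feed the real file instead of the sample: `report "$(cat /etc/crypttab)"`. Only entries with a keyscript are reported, so home_crypt and var_crypt above, which systemd unlocks itself, are left alone.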