>  > Workaround: add "luks=no" to the kernel command line to disable
> systemd's generator
> This worked great... until you try to add another partition to crypttab.
> Since the cryptroot in initrd only does root, but luks=no disables all
> others.
> Is there any clean solution that recognizes the granularity? Maybe one way
> is to put all encrypted filesystems loaded via initramfs?

Not a clean solution, but a workaround for root partitions using a keyscript.

Let systemd handle encrypted partitions via crypttab (i.e. don't use luks=no).
But exclude the root partition by masking the generated unit.

My crypttab contains (among other entries):
root_crypt       UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  

systemd will dynamically generate service units for all partitions in crypttab:
$ ls -l /run/systemd/generator/systemd-cryptsetup*
-rw-r--r-- 1 root root  867 Feb  2 16:31 
-rw-r--r-- 1 root root 1103 Feb  2 16:31 
-rw-r--r-- 1 root root  865 Feb  2 16:31 

Whenever systemd tries to start systemd-cryptsetup@root_crypt.service during 
boot, it will time out and fail.
Feb 02 13:52:39 host systemd[1]: Timed out waiting for device 
Feb 02 13:52:39 host systemd[1]: Dependency failed for Cryptography Setup for 
Feb 02 13:52:39 host systemd[1]: Dependency failed for Local Encrypted Volumes.
Feb 02 13:52:39 host systemd[1]: cryptsetup.target: Job cryptsetup.target/start 
failed with result 'dependency'.
Feb 02 13:52:39 host systemd[1]: systemd-cryptsetup@root_crypt.service: Job 
systemd-cryptsetup@root_crypt.service/start failed with result 'dependency'.

But the following command will mask this unit, so that systemd will not attempt 
to start it at all:
systemctl mask systemd-cryptsetup@root_crypt.service

Afterwards, my system boots without timeout and all encrypted partitions are 

Security is not a product and not a process. Security is an emotion.
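As an added example (not part of the original mail or of systemd itself), the following POSIX shell script turns crypttab entries into the unit names that systemd's generator produces, flags the root entry that the initramfs already unlocks as the one to mask, and checks that a mask symlink is in place. The crypttab contents, UUIDs, keyscript path and the scratch directory standing in for /etc/systemd/system are all constructed; the unit-name escaping is simplified to the '-' to \x2d rule and assumes mapping names use only letters, digits, '_', '.' and '-'.

```shell
#!/bin/sh
# Added example: derive the generated unit name for each crypttab entry, say
# which one to mask for a root volume the initramfs already unlocks, and verify
# the mask. Sample crypttab, UUIDs and directories below are constructed.
set -eu

# systemd generates one systemd-cryptsetup@<escaped name>.service per crypttab
# line. Its escaping rewrites '-' as \x2d; mapping names limited to
# [A-Za-z0-9_.-] are assumed here, so that is the only rule implemented.
crypt_unit_name() {
    printf 'systemd-cryptsetup@%s.service\n' \
        "$(printf '%s' "$1" | sed 's/-/\\x2d/g')"
}

# Print "mask <unit>" for the root mapping (unlocked by the initramfs, so the
# generated unit would only time out) and "keep <unit>" for everything else.
plan_units() {   # $1 = crypttab file, $2 = root mapping name
    while read -r name device rest; do
        case "$name" in ''|'#'*) continue ;; esac
        unit=$(crypt_unit_name "$name")
        if [ "$name" = "$2" ]; then
            printf 'mask %s\n' "$unit"
        else
            printf 'keep %s\n' "$unit"
        fi
    done < "$1"
}

# `systemctl mask` links the unit to /dev/null under /etc/systemd/system; the
# directory is a parameter so the check can run against a scratch directory.
is_masked() {   # $1 = unit name, $2 = unit directory
    [ -L "$2/$1" ] && [ "$(readlink "$2/$1")" = /dev/null ]
}

demo() {
    tmp=$(mktemp -d)
    # Constructed crypttab: root (keyscript-unlocked in the initramfs) plus a
    # data volume that systemd should still set up from crypttab.
    cat > "$tmp/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
root_crypt  UUID=00000000-0000-0000-0000-000000000001  none  luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl
data-crypt  UUID=00000000-0000-0000-0000-000000000002  none  luks
EOF
    plan_units "$tmp/crypttab" root_crypt
    # Emulate `systemctl mask systemd-cryptsetup@root_crypt.service` in $tmp.
    ln -s /dev/null "$tmp/systemd-cryptsetup@root_crypt.service"
    if is_masked systemd-cryptsetup@root_crypt.service "$tmp"; then
        echo "root unit masked; data-crypt still handled by systemd"
    fi
    rm -rf "$tmp"
}

demo
```

The escaping matters in practice: a mapping name such as data-crypt yields systemd-cryptsetup@data\x2dcrypt.service, and masking the unescaped name creates a symlink that systemd never looks at, so the timeout stays. Run `systemctl is-enabled` on the escaped name after masking to confirm it reports "masked".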
