Hello,
I have the same problem with a Windows 11 C:\ drive encrypted as a
VeraCrypt system drive, and trixie gives me the same error and cannot
successfully mount the partition automatically on boot.
Attached is a patch to fix the bug reported in #1037979.
The file that has the problem is:
/usr/lib/cryptsetup/functions
(in the cryptsetup package.)
After applying this patch, running update-initramfs, then rebooting, I
am able to automatically mount the VeraCrypt system drive. It is still
able to mount other normal non-system VeraCrypt partitions as long as
you don't use the 'tcrypt-system' flag on those partitions in
/etc/crypttab. The 'tcrypt-system' flag for VeraCrypt system
partitions will need to come on the same line after the tcrypt flag to
work properly.
In my /etc/crypttab file the line is similar to:
unencrypted_c_drive /dev/disk/by-partuuid/<c-drive-veracrypt-partition-uuid> tcrypt,tcrypt-veracrypt,tcrypt-system
That same crypttab line entry also works fine for me on RHEL 10.
Hope that helps!
Paul Franklin Richards
--- functions.old.bug.1037973 2025-05-04 15:55:13.000000000 -0400
+++ functions 2026-01-24 19:49:02.731144980 -0500
@@ -83,6 +83,7 @@
CRYPTTAB_OPTION_keyslot \
CRYPTTAB_OPTION_header \
CRYPTTAB_OPTION_tcrypthidden \
+ CRYPTTAB_OPTION_tcryptsystem \
CRYPTTAB_OPTION_same_cpu_crypt \
CRYPTTAB_OPTION_submit_from_crypt_cpus \
CRYPTTAB_OPTION_no_read_workqueue \
@@ -150,6 +151,7 @@
key-slot) OPTION="keyslot";;
tcrypt-hidden) OPTION="tcrypthidden";;
tcrypt-veracrypt) OPTION="veracrypt";;
+ tcrypt-system) OPTION="tcryptsystem";;
esac
# sanitize the option name so CRYPTTAB_OPTION_$OPTION is a valid variable name
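Review bot: the 'tcrypt-system)' alias added to this case introduces a new user-visible crypttab option, but the patch touches only 'functions', so the option ships undocumented. Please add an entry to crypttab(5) next to tcrypt-hidden and tcrypt-veracrypt, stating that it is only honoured together with tcrypt.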
@@ -241,6 +243,7 @@
tcrypt) ;;
veracrypt) ;;
tcrypthidden) ;;
+ tcryptsystem) ;;
bitlk) ;;
fvault2) ;;
same-cpu-crypt) ;;
@@ -357,7 +360,7 @@
unset -v CRYPTTAB_OPTION_keyfile_offset
else
# ignored for non-TCRYPT devices
- unset -v CRYPTTAB_OPTION_veracrypt CRYPTTAB_OPTION_tcrypthidden
+ unset -v CRYPTTAB_OPTION_veracrypt CRYPTTAB_OPTION_tcrypthidden CRYPTTAB_OPTION_tcryptsystem
fi
if [ "$CRYPTTAB_TYPE" != "luks" ]; then
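Review bot: on the changed 'unset -v' line, CRYPTTAB_OPTION_tcryptsystem is dropped without any diagnostic for non-TCRYPT devices, so a crypttab entry that sets 'tcrypt-system' without 'tcrypt' silently behaves as if the option were absent. That matches how the two neighbouring variables are treated, but a warning here, or at least a sentence in the documentation, would make the misconfiguration visible. The line is also getting long; putting one variable per continuation line would keep future additions to a one-line diff.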
@@ -379,6 +382,7 @@
${CRYPTTAB_OPTION_veracrypt:+--veracrypt} \
${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \
${CRYPTTAB_OPTION_tcrypthidden:+--tcrypt-hidden} \
+ ${CRYPTTAB_OPTION_tcryptsystem:+--tcrypt-system} \
${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
${CRYPTTAB_OPTION_same_cpu_crypt:+--perf-same_cpu_crypt} \
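Review bot: the added '${CRYPTTAB_OPTION_tcryptsystem:+--tcrypt-system}' expansion passes the switch whenever the variable is set and non-empty, independent of where the option sits on the crypttab line, whereas the covering message says 'tcrypt-system' has to come after 'tcrypt' to work. If that ordering really is required, the cause lies outside these hunks and should be either fixed or documented; if it is not, the restriction should be dropped from the description. Since this expansion sits next to the one for --tcrypt-hidden and both can now be passed in the same invocation, a test entry that combines 'tcrypt-system' with 'tcrypt-hidden' would be worth adding.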