Public bug reported:

Steps to reproduce:

While installing Ubuntu (see versions below) into a LUKS1 container, I choose "Something else" for installation type and select an installation-specific LVM volume for rootfs. During installation, before Grub gets installed at the end, I inject support for encrypted /boot into the target rootfs by running:

    echo "sda2pv UUID=$(cryptsetup luksUUID /dev/sda2) none luks" >> /target/etc/crypttab
    echo 'GRUB_ENABLE_CRYPTODISK=y' >> /target/etc/default/grub

Once installation is over, I reboot into the newly installed Ubuntu. To avoid typing the passphrase twice, I attempt to add a keyfile exactly as instructed:

    # Add keyfile.
    mkdir -p -m go=,u=rwx /etc/luks
    ( umask go=,u+rx && dd if=/dev/urandom of=/etc/luks/sda2.key bs=1 count=64 )
    cryptsetup luksAddKey /dev/sda2 /etc/luks/sda2.key

    # Deploy keyfile.
    echo 'KEYFILE_PATTERN="/etc/luks/*.key"' >> /etc/initramfs-tools/conf-hook
    echo 'UMASK=0077' >> /etc/initramfs-tools/initramfs.conf
    sed "s|^\(sda2pv .*\) none \(.*\)$|\1 /etc/luks/sda2.key \2|" /etc/crypttab
    update-initramfs -u -k all

Expected behaviour:

Loading the keyfile succeeds and Initramfs does not ask for the passphrase any more (only Grub does).

Actual behaviour:

No matter how carefully I follow the Cryptsetup documentation, every time I add a reference to my keyfile into /etc/crypttab, update-initramfs tells me:

    cryptsetup: WARNING: Skipping root target sda2pv: uses a key file

and does not load my keyfile into Initramfs, despite the matching KEYFILE_PATTERN setting.

I experience the problem both in Ubuntu 19.10 and Ubuntu 20.04 LTS (which have cryptsetup version 2.2.0 and 2.2.2, respectively).

See attachment file encrypted-multi-buntu.txt for a full yet brief account of my setup and motivations.

I have repeated the procedure over and over again,

 o with one single Ubuntu and two,
 o with Secure Boot disabled and not,
 o with resume from hibernation disabled and not,
 o with /boot and swap in rootfs volume and in separate volumes,
 o and more,

but have not found a solution.

My main sources:

 o documents in /usr/share/doc/cryptsetup-initramfs/
 o https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
 o https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019

I have come to the conclusion that cryptsetup does not behave as documented. Either the behaviour or the documentation has to be corrected. Which is it?

** Affects: cryptsetup (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: crypttab initramfs

** Attachment added: "full yet brief description of my setup"
   https://bugs.launchpad.net/bugs/1879146/+attachment/5372873/+files/encrypted-multi-buntu.txt

https://bugs.launchpad.net/bugs/1879146

Title:
  Cryptsetup ignoring KEYFILE_PATTERN
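The KEYFILE_PATTERN check that the report depends on, as an added example that is not part of the original report or of the cryptsetup package: a POSIX shell check that lists which crypttab targets name a key file matching the pattern set in a given configuration file. It assumes the pattern is matched as a shell glob against the key-file path in the third crypttab field; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the cryptsetup package).
# Assumption: a crypttab key file is only bundled into the initramfs when its
# path matches the shell glob in KEYFILE_PATTERN from the config file given.

# read_keyfile_pattern CONF: print KEYFILE_PATTERN as set by CONF (empty if unset).
# CONF is sourced as shell, so only point this at files you trust.
read_keyfile_pattern() {
    ( KEYFILE_PATTERN=
      [ -r "$1" ] && . "$1"
      printf '%s\n' "$KEYFILE_PATTERN" )
}

# check_crypttab CRYPTTAB CONF: one line per target that names a key file:
# "OK" when the path matches the pattern, "SKIP" otherwise. Returns 1 on any SKIP.
check_crypttab() {
    pattern=$(read_keyfile_pattern "$2")
    rc=0
    while read -r name src key opts; do
        case "$name" in ''|'#'*) continue ;; esac      # blank line or comment
        case "$key" in ''|none) continue ;; esac       # passphrase prompt, no key file
        case "$opts" in *keyscript=*) continue ;; esac # key comes from a script
        if [ -n "$pattern" ]; then
            # Unquoted on purpose: the pattern must be treated as a glob.
            case "$key" in
                $pattern) echo "OK $name $key"; continue ;;
            esac
        fi
        echo "SKIP $name $key (pattern: ${pattern:-unset})"
        rc=1
    done < "$1"
    return "$rc"
}

# Demo on constructed data modelled on the report (the UUID is a placeholder).
demo() {
    d=$(mktemp -d) || return 1
    echo 'sda2pv UUID=00000000-0000-0000-0000-000000000000 /etc/luks/sda2.key luks' > "$d/crypttab"
    echo 'KEYFILE_PATTERN="/etc/luks/*.key"' > "$d/conf-with-pattern"
    echo 'UMASK=0077' > "$d/conf-without-pattern"
    check_crypttab "$d/crypttab" "$d/conf-with-pattern"
    check_crypttab "$d/crypttab" "$d/conf-without-pattern"
    rm -rf "$d"
}
demo || true
```

Run it against the real /etc/crypttab and each configuration file in turn to see which file, if any, yields a pattern that covers the key path.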
