On 11/3/19 4:33 AM, Hualing Yu wrote:
Hi Milan
We have a problem now 8-)
I did 'cryptsetup format' in the initramfs, where I also did 'add token' for
LUKS passphrase slot 0.
It seems to work as expected in a later luksOpen (without asking me for a
passphrase) while still in the initramfs, even on the next run after a
power-cycle reboot. However, after it runs to the normal rootfs, when I try
to do luksOpen, still as the root user, it asks for a passphrase.
I can see my passphrases are in both the @u and @us keyrings, both at
initramfs time and when running as root in normal Linux. However, in the
initramfs, my passphrases are also in @s, which is probably why at
initramfs time I can auto-activate (open) my LUKS partitions.
The cryptsetup man page says:

    token <add|remove> <device>
        Adds a new keyring token to enable auto-activation of the device.
        For the auto-activation, the passphrase must be stored in keyring
        with the specified description. Usually, the passphrase should be
        stored in user or user-session keyring. The token command is
        supported only for LUKS2.
My passphrases are in both the user and user-session keyrings; maybe I just
ran into some unusual case where passphrases also need to be in the session
keyring. Do you know what the reason is?
Maybe the key is unreachable from your current session after switching
out of the initramfs. Can you read the key payload with the "keyctl read
<your_key>" command?
Regards O.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
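An added example, not code from this thread or from cryptsetup itself, that turns the reply's question into a check and goes one step beyond it: cryptsetup fetches the token's key with request_key(), which searches only the thread, process and session keyrings, so a key that sits in @u is found only when @u is linked into the current session keyring (the normal login-time arrangement). The script tests whether a key description is reachable from a given keyring by parsing `keyctl show` output, shows the live setup/diagnosis/remedy commands as root-only functions, and runs the reachability check against two constructed `keyctl show @s` listings (one initramfs-style with the uid keyring linked in, one fresh session without it). The key description "cryptsetup:data", the device /dev/sdb1, the mapping name "data" and both listings are assumptions, not values taken from the poster's system.

```shell
#!/bin/sh
# Added example, not code from the thread or from cryptsetup. Checks whether a
# LUKS2 keyring-token passphrase is reachable from the session keyring (@s),
# which is the search path request_key() walks (thread, process, session);
# @u is found only when it is linked into @s. Key description, device name and
# mapping name below are assumptions.

KEY_DESC="cryptsetup:data"   # assumed value given to `cryptsetup token add --key-description`
DEV="/dev/sdb1"              # assumed LUKS2 device
NAME="data"                  # assumed dm-crypt mapping name

# Does the `keyctl show <keyring>` listing in $1 contain a user key named $2?
# keyctl prints one line per key:  <serial> <perms> <uid> <gid> <type>: <desc>
# with keys of nested keyrings indented, so a match means the key is reachable
# from the keyring that was shown, which is exactly what request_key() needs.
key_listed() {
    printf '%s\n' "$1" | grep -qE "[[:space:]]user: $2\$"
}

# One-time setup along the lines the poster described (run as root): format,
# put the passphrase into @u, bind keyslot 0 to that key description. The
# passphrase is fed to `keyctl padd` on stdin so it never appears in an argv.
setup_live() {
    cryptsetup luksFormat --type luks2 "$DEV"
    printf 'Passphrase to store in @u: '; stty -echo; read -r pw; stty echo; echo
    printf '%s' "$pw" | keyctl padd user "$KEY_DESC" @u
    unset pw
    cryptsetup token add --key-description "$KEY_DESC" --key-slot 0 "$DEV"
}

# What the reply suggests (read the payload), plus the @s reachability test.
diagnose_live() {
    key_listed "$(keyctl show @u)" "$KEY_DESC" && echo "key is in @u" \
                                                || echo "key NOT in @u"
    key_listed "$(keyctl show @s)" "$KEY_DESC" && echo "key reachable from @s" \
                                                || echo "key NOT reachable from @s: cryptsetup will prompt"
    id=$(keyctl search @u user "$KEY_DESC") && keyctl read "$id"
}

# Remedy: link @u into the current session keyring, then open without a prompt.
fix_live() {
    keyctl link @u @s
    cryptsetup open "$DEV" "$NAME"
}

# Constructed `keyctl show @s` listings (not captured from the poster's system).
# Initramfs-style session: the uid keyring is linked into @s, key is reachable.
SESSION_WITH_UID='Keyring
 123456789 --alswrv      0 65534  keyring: _ses
 234567890 --alswrv      0 65534   \_ keyring: _uid.0
 345678901 --alswrv      0     0       \_ user: cryptsetup:data'
# Fresh session after the switch to the real rootfs: @u still holds the key,
# but nothing links it into this session keyring.
SESSION_FRESH='Keyring
 456789012 --alswrv      0 65534  keyring: _ses'

key_listed "$SESSION_WITH_UID" "$KEY_DESC" && echo "initramfs-style session: token works"
key_listed "$SESSION_FRESH"    "$KEY_DESC" || echo "fresh session: run fix_live (keyctl link @u @s)"
```

On a live system, source the script and call `diagnose_live` as root in both environments; the listing in which the key is missing from @s is the one where cryptsetup prompts, and `keyctl link @u @s` (or a login setup that links @u into the session keyring) is what makes the token usable there. Storing the passphrase in @u also means any process running as that uid with a session that can reach @u can read it, so keep the uid and session scope as narrow as the boot flow allows.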