I apologize in advance for the formatting, this is my first time using a mailing list and I don't know how to format it well.
I can't get systemd-cryptsetup to accept the cryptsetup.pkcs11-pin credential. It doesn't seem to get used by systemd-cryptsetup, I still have to manually unlock it at boot time.
For testing, I've set a pin 4321, in /boot/efi/key.txt (this is the pin to unlock the pkcs11 device)
I'm using systemd-cryptsetup version 257.x that I built on another machine and copied over (with the libraries and updated ldconfig). I would update the entire systemd but I'm not sure how to do that (yet).
The base version of systemd on the system is 255.x.
Here is some output trying the cryptsetup.pkcs11-pin credential - when I do this... it still prompts for the pin.
davew@speed:~$ sudo systemctl status systemd-cryptsetup@os_crypt.service
● systemd-cryptsetup@os_crypt.service - Cryptography Setup for os_crypt
Loaded: loaded (/etc/crypttab; generated)
Drop-In: /etc/systemd/system/systemd-cryptsetup@os_crypt.service.d
└─override.conf
Active: active (exited) since Wed 2025-01-15 15:09:43 UTC; 17s ago
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Process: 521 ExecStartPre=/bin/bash -c echo "cryptsetup.pkcs11-pin=$(cat ${CREDENTIALS_DIRECTORY}/cryptsetup.pkcs11-pin)" (code=exited, status=0/SUCCESS)
Process: 550 ExecStart=/usr/bin/systemd-cryptsetup attach os_crypt /dev/disk/by-uuid/c7dad40e-973a-4381-9bcb-6c4477429f95 none luks,pkcs11-uri=auto (code=exited>
Main PID: 550 (code=exited, status=0/SUCCESS)
CPU: 193ms
Jan 15 15:09:37 speed systemd[1]: Starting systemd-cryptsetup@os_crypt.service - Cryptography Setup for os_crypt...
Jan 15 15:09:38 speed bash[521]: cryptsetup.pkcs11-pin=4321
Jan 15 15:09:43 speed systemd-cryptsetup[550]: Successfully logged into security token 'LUKS'.
Jan 15 15:09:43 speed systemd-cryptsetup[550]: Successfully decrypted key with security token.
Jan 15 15:09:43 speed systemd[1]: Finished systemd-cryptsetup@os_crypt.service - Cryptography Setup for os_crypt.
davew@speed:~$ /usr/bin/systemd-cryptsetup --version
systemd 257 (257.2)
-PAM -AUDIT +SELINUX -APPARMOR +IMA +IPE +SMACK -SECCOMP -GCRYPT -GNUTLS +OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC -KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS -LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 -BZIP2 -LZ4 -XZ +ZLIB -ZSTD -BPF_FRAMEWORK -BTF -XKBCOMMON +UTMP +SYSVINIT -LIBARCHIVE
davew@speed:~$ systemd --version
systemd 255 (255.4-1ubuntu8.4)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
davew@speed:~$ cat /etc/systemd/system/systemd-cryptsetup@os_crypt.service.d/override.conf
[Unit]
After=boot-efi.mount
[Service]
LoadCredential=cryptsetup.pkcs11-pin:/boot/efi/key.txt
ExecStartPre=/bin/bash -c 'echo "cryptsetup.pkcs11-pin=$(cat ${CREDENTIALS_DIRECTORY}/cryptsetup.pkcs11-pin)"'
davew@speed:~$ sudo cat /boot/efi/key.txt
4321
Below, I was able to get this to work by running it all manually in the override... but then I may as well get rid of the crypttab and just set up the service manually.
This is a contrived example; I will have a socket listening and responding to requests.
davew@speed:~$ sudo cat /etc/systemd/system/systemd-cryptsetup@os_crypt.service.d/override.conf
[Unit]
After=boot-efi.mount
[Service]
LoadCredential=cryptsetup.pkcs11-pin:/boot/efi/key.txt
Environment=PINFILE=%d/cryptsetup.pkcs11-pin
ExecStartPre=/bin/bash -c 'echo "cryptsetup.pkcs11-pin=$(cat ${CREDENTIALS_DIRECTORY}/cryptsetup.pkcs11-pin)"'
ExecStartPre=/bin/bash -c 'echo "PINFILE HERE: $PINFILE"'
ExecStart=
ExecStart=/bin/bash -c "PIN=$(cat $PINFILE) /usr/bin/systemd-cryptsetup attach os_crypt /dev/disk/by-uuid/c7dad40e-973a-4381-9bcb-6c4477429f95 none luks,pkcs11-uri=auto"
Thanks,
David.
On Wed, Jan 15, 2025 at 12:37 PM Andrei Borzenkov <arvidjaar@xxxxxxxxx> wrote:
On Wed, Jan 15, 2025 at 2:31 PM David White <dr.white.nz@xxxxxxxxx> wrote:
>
> Hi there,
>
> Just want some help with setting credentials for systemd-cryptsetup@.service services.
>
> I have a crypttab file with the following:
>
> (I set a label for this volume with a udev rule as I have to use a label)
>
I am not sure I understand it. Label is a property of the filesystem;
how do you set it using "udev rule"?
> os_crypt LABEL=os_luks none try-empty-password=1,luks,pkcs11-uri=auto,discard
>
> I read in the systemd-cryptsetup documentation that I should be able to pass credential "cryptsetup.pkcs11-pin"
>
> I couldn't figure out from the documentation how to do this.
>
> I assume I create a drop-in for systemd-cryptsetup@os_crypt.service
>
> and add the credential there:
>
> LoadCredential=cryptsetup.pkcs11-pin:/path/to/unix/socket
>
> Would that work?
For this to work you need some process listening on the
/path/to/unix/socket and answering the request.
> If not, how would I go about passing a pkcs11 pin to cryptsetup.
>
You can simply drop your credentials into any standard directory like
/etc/credstore. systemd-cryptsetup@xxx.service already has
ImportCredentials=cryptsetup.*.
The catch is that systemd-cryptsetup only tries the single generic
credential name. There is no provision for different pins (via
credentials) for different devices. As long as you only have one
token, it is OK. But now I wonder if it could be a reason for failing
to use different tokens to unlock different volumes concurrently.
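As an added example that is not part of the thread: the credstore route Andrei describes, scripted so the PIN file is created with the permissions a credential needs and checked before the next boot. It is not systemd's own tooling. It assumes a systemd-cryptsetup build that actually reads the cryptsetup.pkcs11-pin credential, and that the unit carries ImportCredentials=cryptsetup.* as stated above; the directory is a parameter so the functions can be exercised against a scratch path before anything is written to /etc/credstore. Whether a trailing newline in the credential body would be stripped is not something the thread establishes, so the file is written without one.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd: stage a PKCS#11 PIN as a
# systemd credential in a credstore directory (normally /etc/credstore, owned
# by root, mode 0700). Assumes a systemd-cryptsetup that reads the
# cryptsetup.pkcs11-pin credential (the 257 build in the thread, not the 255
# base system).

# install_pin_credential DIR PIN
# Writes DIR/cryptsetup.pkcs11-pin, mode 0600, with no trailing newline
# (printf, not echo) so the credential body is exactly the PIN.
install_pin_credential() {
    dir=$1
    pin=$2
    umask 077
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    # Write to a temp file first so a failed write never leaves a partial or
    # mis-permissioned credential behind; mktemp already creates it 0600.
    tmp=$(mktemp "$dir/.cryptsetup.pkcs11-pin.XXXXXX") || return 1
    printf '%s' "$pin" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dir/cryptsetup.pkcs11-pin"
}

# check_pin_credential DIR
# Returns 0 when the credential exists, is mode 0600 and has no trailing
# newline; prints the reason on stderr otherwise. Intended as a pre-reboot
# sanity check so a bad file is caught before the unlock prompt comes back.
check_pin_credential() {
    f=$1/cryptsetup.pkcs11-pin
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ] || { echo "bad mode $mode on $f" >&2; return 1; }
    # Hex of the last byte; 0a would be a trailing newline.
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] || { echo "trailing newline in $f" >&2; return 1; }
    return 0
}

# credential_body DIR
# Prints the stored PIN; used to confirm what the service would receive.
credential_body() {
    cat "$1/cryptsetup.pkcs11-pin"
}
```

Run as root with `install_pin_credential /etc/credstore 4321` and then `check_pin_credential /etc/credstore`; no drop-in is needed for the import itself, since the generated unit already imports cryptsetup.* credentials. Two caveats worth keeping in mind: a cleartext PIN in /etc/credstore (or, as in the original override, on the unencrypted ESP) means the token PIN protects nothing the disk does not already protect, and the credential name is global, so one PIN serves every volume the unit unlocks, which is the limitation Andrei points out above.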