Comment 7 for bug 1022815

Roger Binns (ubuntu-rogerbinns) wrote :

I got everything working. The README you pointed to is very misleading since the script is already in the correct place. I'd be inclined to just delete the README, and mention all the different scripts in /lib/cryptsetup/scripts in the main crypttab page.

decrypt_keyctl doesn't seem to like 'none' as the third column in crypttab (either that or the ordering confuses it). I changed the ordering so swap was last, and the third column from 'none' to avoid multiple prompts.

In cryptdisk.functions there is a section that tries to work out what program to use for prompting (look for plymouth). In decrypt_keyctl there is a similar section at the top trying to do the same thing, but it doesn't look for plymouth. I made two changes:

1) Added code to make plymouth be probed and used. At the top section as the last entry:

    test -x /bin/plymouth && plymouth --ping && PW_READER_='plymouth'

In the case $PW_READER_ section:

    plymouth)
            KEY_=$(plymouth ask-for-password --prompt "$PROMPT_") || die "Error executing plymouth"
            ;;

That makes things work perfectly when plymouth is present.

2) In recovery mode things were unusable. That was because it was using askpass. I commented out the line beginning test -x "$ASKPASS_" which means that in a non-plymouth environment the stty mode is being used. The stty mode worked just fine in recovery mode.

In any event as things currently are shipped on Ubuntu you will have an unbootable system if you follow the README instructions. Either decrypt_keyctl should be removed, or fixed.

The documentation should at least mention the script, and also mention that keyutils must be installed. It should also mention having to run update-initramfs on changing /etc/crypttab.

askpass is broken. It should really be fixed to be able to do plymouth if it is running, or the various things (e.g. the stty method that decrypt_keyctl is doing).

Then everything can just use askpass. Failing that the logic for picking a password prompt program should be unified into one place. For example it could be put into a function in cryptdisk.functions and that sourced/used by decrypt_keyctl.
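
The single shared prompt-selection helper suggested at the end of the comment, as an added example (not part of the original comment and not code from the cryptsetup package). The function names `pick_pw_reader` and `read_passphrase`, the default paths for stty and askpass, and the plymouth, then stty, then askpass ordering are assumptions.

```shell
#!/bin/sh
# Added example: shared prompt-program selection for cryptdisks scripts.
# Default paths are assumptions; override the variables to test elsewhere.
: "${PLYMOUTH_:=/bin/plymouth}"
: "${STTY_:=/bin/stty}"
: "${ASKPASS_:=/lib/cryptsetup/askpass}"

# Print which reader to use: plymouth, stty, askpass or none.
# plymouth counts only if its daemon answers --ping; stty is preferred over
# askpass because the comment found askpass unusable in recovery mode.
pick_pw_reader() {
    if [ -x "$PLYMOUTH_" ] && "$PLYMOUTH_" --ping >/dev/null 2>&1; then
        echo plymouth
    elif [ -x "$STTY_" ]; then
        echo stty
    elif [ -x "$ASKPASS_" ]; then
        echo askpass
    else
        echo none
    fi
}

# Prompt on the chosen reader and write the passphrase to stdout.
# Prompts go to stderr so that only the key is captured by $(...).
read_passphrase() {
    prompt_=$1
    case "$(pick_pw_reader)" in
        plymouth)
            "$PLYMOUTH_" ask-for-password --prompt "$prompt_" || return 1
            ;;
        stty)
            "$STTY_" -echo || return 1
            printf '%s' "$prompt_" >&2
            IFS= read -r key_ || { "$STTY_" echo; return 1; }
            "$STTY_" echo
            printf '\n' >&2
            printf '%s' "$key_"
            ;;
        askpass)
            "$ASKPASS_" "$prompt_" || return 1
            ;;
        *)
            echo "no password prompt program available" >&2
            return 1
            ;;
    esac
}
```

A script that sources this file would call `KEY_=$(read_passphrase "$PROMPT_")` in place of its own probing block.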