Confirmed and still affecting Jaunty.
The root-cause is /usr/share/initramfs-tools/hooks/cryptroot (debian/initramfs/cryptroot-hook in the source package).
The script is called when update-initramfs is executed. It is responsible for correlating /etc/fstab entries with those in /etc/crypttab and then configuring the cryptsetup-related parts of the initrd image - such as writing the keyfile name and installing any custom keyscript.
/etc/fstab is searched for the / (root) entry. The add_device() function then tries to canonicalise the name in canonical_device(). Although the function correctly canonicalises LABEL= and UUID= it *does not* return a success result. The only name format that will do that is a name prefixed "/dev/mapper/".
When that fails there is no processing of the crypttab entry and therefore nothing is done to the initrd image.
The solution is two-stage:
1. Add additional returns to the function when LABEL or UUID match
2. In /etc/crypttab, as the target name use the LABEL or UUID itself
The result is that add_device can then correlate the UUID of the unlocked file-system in fstab with the containing device's LABEL or UUID in crypttab. My only concern right now is whether the dereferencing of symbolic links that comes after those checks ought now to be moved to the head of the function.
Here's an example:
== /etc/fstab: ==
# / was on /dev/mapper/root during installation
UUID=c5321f6e-05c0-43a7-8757-03aa29c44b04 / ext4 relatime,errors=remount-ro 0 1
== /etc/crypttab: ==
c5321f6e-05c0-43a7-8757-03aa29c44b04 /dev/disk/by-uuid/ae87e7a1-b65b-4586-9e0a-bfc6d60cebc9 /home/tj/Media/theme-song.mp3 luks,keyscript=/usr/local/sbin/crypto-usb-key.sh
The patch required is:
diff -Nu a/usr/share/ initramfs- tools/hooks/ cryptroot b/usr/share/ initramfs- tools/hooks/ cryptroot initramfs- tools/hooks/ cryptroot 2009-02-08 02:09:53.571999044 +0000 initramfs- tools/hooks/ cryptroot 2009-02-08 03:55:47.801000016 +0000
--- a/usr/share/
+++ b/usr/share/
@@ -285,12 +285,14 @@
altdev= "${dev# LABEL=} " disk/by- label/$ altdev"
if [ "$altdev" != "$dev" ]; then
- dev="/dev/
+ echo "$altdev"
+ return 0
fi
altdev= "${dev# UUID=}" disk/by- uuid/$altdev"
if [ "$altdev" != "$dev" ]; then
- dev="/dev/
+ echo "$altdev"
+ return 0
fi
if [ -h "$dev" ]; then
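Review bot: missing validation in both the LABEL= and UUID= branches: the added `echo "$altdev"` followed by `return 0` reports success for whatever string follows the prefix, without checking that a matching entry exists under /dev/disk/by-label or /dev/disk/by-uuid, and it returns before the `[ -h "$dev" ]` symlink handling that follows the second branch. The function also now yields a bare label or UUID where the removed `dev="/dev/…` assignment built a device path, so the value has changed kind for any other caller. Consider testing for the by-label/by-uuid node before returning, and adding a comment in the function stating that the result for these two forms is a crypttab target name rather than a path.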
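A preflight check in the spirit of the analysis above, as an added example rather than code from the hook or from the comment's author: it models the described correlation between the fstab root entry and crypttab target names, before ("stock") and after ("patched") the proposed change. The function names and the two mode labels are assumptions, and the sample files are constructed from the entries quoted in the comment.

```sh
#!/bin/sh
# Added example, not the hook's code; all function names are hypothetical.
# Print the source field of the "/" entry. Comment lines are skipped first:
# "# / was on ..." has "/" as its second field too.
root_source() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# Print the crypttab target name to look up for source $1, or fail.
# stock:   only /dev/mapper/NAME succeeds (behaviour described in the comment)
# patched: LABEL=/UUID= also succeed and yield the bare label or UUID
lookup_name() {
    case $1 in
        /dev/mapper/*) echo "${1#/dev/mapper/}" ;;
        LABEL=*|UUID=*) [ "$2" = patched ] && echo "${1#*=}" ;;
        *) return 1 ;;
    esac
}

# Succeed if crypttab file $1 has a non-comment entry with target name $2.
crypttab_has_target() {
    awk -v t="$2" '$1 !~ /^#/ && $1 == t { hit = 1 } END { exit !hit }' "$1"
}

# check_root FSTAB CRYPTTAB MODE: would the root entry be set up in the initrd?
check_root() {
    src=$(root_source "$1")
    if name=$(lookup_name "$src" "$3") && crypttab_has_target "$2" "$name"; then
        echo configured
    else
        echo skipped
    fi
}

# Constructed sample input: the two entries quoted in the comment.
write_samples() {
    printf '%s\n' '# / was on /dev/mapper/root during installation' \
        'UUID=c5321f6e-05c0-43a7-8757-03aa29c44b04 / ext4 relatime,errors=remount-ro 0 1' \
        > "$1/fstab"
    printf '%s\n' 'c5321f6e-05c0-43a7-8757-03aa29c44b04 /dev/disk/by-uuid/ae87e7a1-b65b-4586-9e0a-bfc6d60cebc9 /home/tj/Media/theme-song.mp3 luks,keyscript=/usr/local/sbin/crypto-usb-key.sh' \
        > "$1/crypttab"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for mode in stock patched; do
    echo "$mode: $(check_root "$tmp/fstab" "$tmp/crypttab" "$mode")"
done
rm -rf "$tmp"
```

A "skipped" result corresponds to the case the comment describes, where the crypttab entry is never processed and nothing is written to the initrd image for the root device.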