Just setting keyscript=/lib/cryptsetup/askpass makes /usr/share/initramfs-tools/scripts/local-top/cryptroot run askpass with an empty string as its sole command-line argument, so askpass doesn't display a prompt before reading the password. This makes it look like the boot process has hung, even though it's actually sitting there waiting for the password.
You can also add a key= option to crypttab, which controls the argument that the .../local-top/cryptroot script passes to the keyscript, but because of how the options string in crypttab is parsed, there can't be any spaces or commas in the string.
That's very close to the workaround I ended up using on my Trusty VMs:
# grep root /etc/crypttab local.askpass
crypt-root /dev/xvdc none luks,keyscript=
# cat /lib/cryptsetup /scripts/ local.askpass /askpass "$(printf '\nEnter passphrase for %s (%s): ' "$CRYPTTAB_SOURCE" "$CRYPTTAB_NAME")"
#!/bin/sh
exec /lib/cryptsetup
Just setting keyscript= /lib/cryptsetup /askpass makes /usr/share/ initramfs- tools/scripts/ local-top/ cryptroot run askpass with an empty string as its sole command-line argument, so askpass doesn't display a prompt before reading the password. This makes it look like the boot process has hung, even though it's actually sitting there waiting for the password.
You can also add a key= option to crypttab, which controls the argument that the .../local- top/cryptroot script passes to the keyscript, but because of how the options string in crypttab is parsed, there can't be any spaces or commas in the string.