# How is my second luks volume getting decrypted, or is it?

I have two 1TB drives. Each one has a LUKS container on it. These get decrypted at boot, and are both used for a btrfs "RAID1" filesystem which I put pictures and stuff on.

Both of the disks have the same LUKS passphrase. When I boot the system, while still in text mode, systemd pauses to ask for the password to unlock one of the drives, and names which drive it is. This is all expected up till now, but it never asks for the second password. The system continues to boot after I enter the password. In fact, after boot, both devices show up as unlocked and part of the btrfs.

[   43.105591] BTRFS: device label reedhome-btrfs1 devid 2 transid 27042 /dev/dm-0
[   43.117389] BTRFS: device label reedhome-btrfs1 devid 1 transid 27042 /dev/dm-1
[   43.141169] audit_printk_skb: 21 callbacks suppressed
[   43.141171] audit: type=1130 audit(1473560583.149:73): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@WD1003FBYX\x2d01Y7B1\x2dWD\x2dWMAW31304295 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   43.172664] audit: type=1130 audit(1473560583.180:74): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@WD10EARS\x2d003BB1\x2dWD\x2dWCAV5L434482 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   43.181249] BTRFS info (device dm-1): disk space caching is enabled


This section of dmesg shows that both are being unlocked. Where should I look first, dig thru systemd?

edit retag close merge delete

Sort by » oldest newest most voted

One indirect answer is in the first two lines you posted. The transid's for the two Btrfs devices are the same, which they wouldn't be if their underlying luks volumes weren't both unlocked. Btrfs does not mount degraded by default either, so it'd fail to mount. You'd definitely know about it.

Slightly more direct but I can't point to any documentation, plymouth is what's asking for the passphrase is my understanding, and it passes the first passphrase you enter to all LUKS devices and only asks per device for devices that fail to open with that passphrase. Ergo if you enter it wrong, now you have to enter the passphrase in twice more (total three times: 1 failed, 2 for devid1, 3 for devid2) correctly to get it to unlock and mount.

more

Check how LUKS password woks. Maybe there are some cache and that's why you need to type (same) password only once.

decrypt_keyctl

# decrypt_keyctl

A passphrase caching script to be used in /etc/crypttab on Debian and Ubuntu. When there are multiple cryptsetup (either plain or LUKS) volumes with the same passphrase, it is an unnecessary task to input the passphrase more than once.

Just add this script as keyscript to your /etc/crypttab and it will cache the passphrase of all cryptab entries with the same identifier.

Either copy decrypt_keyctl into the default search path for keyscripts from cryptsetup /lib/cryptdisks/scripts/. So you can just write keyscript=decrypt_keyctl in /etc/crypttab, or use a random path of your choice and give the full path e.g keyscript=/sbin/decrypt_keyctl.

more

## Stats

Asked: 2016-09-12 23:12:40 -0500

Seen: 479 times

Last updated: Sep 15 '16