Describe the bug
Dracut skips adding keys to the initramfs for LUKS-encrypted volumes containing the swap partition if the identifier in the device mapping line in the /etc/crypttab file matches the identifier the volume is currently mapped to and mounted/enabled as swap.
I have /dev/sda2, a LUKS-encrypted swap partition, and /dev/sda3, a LUKS-encrypted root/system partition. I want them to be opened by the initramfs with a keyfile already added to the respective LUKS key slots. The relevant lines with the options and the path to the respective keyfiles are added both in /etc/dracut.conf.d/10-fde-lean.conf and in /etc/crypttab, as shown in the example below.
/etc/crypttab:
system UUID=eb5ecac5-5e07-4d82-ac7a-86ec34099f26 /keys/luks-system.key luks
swap UUID=bd6056f3-d96d-40e4-9b97-35ccb87b3945 /keys/luks-swap.key luks
lsblk: - I have mapped the LUKS-encrypted swap to 'cryptswap' to avoid facing the issue.
NAME       MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda          8:0    0 465.8G  0 disk
├─sda1       8:1    0     1G  0 part  /boot/efi
├─sda2       8:2    0    15G  0 part
│ └─swap   254:0    0    15G  0 crypt [SWAP]
└─sda3       8:3    0 449.8G  0 part
  └─system 254:1    0 449.8G  0 crypt /.snapshots
                                      /var/tmp
                                      /var/log
                                      /var/cache
                                      /opt
                                      /home
                                      /
Distribution used
voidlinux
Dracut version
dracut 059
Init system
runit 2.1.2_15
To Reproduce
Add $identifier UUID=$UUID /path/keyfile.key luks to /etc/crypttab, where the $identifier used for mapping the LUKS volume can be anything, e.g. swap or randomname, and $UUID is the UUID of the LUKS volume containing the swap partition.
Generate the initramfs with dracut --force --hostonly --kver ##### or the kernel upgrade/downgrade hooks of your distribution.
Reboot, and run dracut --force --hostonly --kver ##### again, or let the kernel upgrade/downgrade and use the hooks of your distribution.
Alternate way to reproduce:
Add $identifier UUID=$UUID /path/keyfile.key luks to /etc/crypttab, where the $identifier used for mapping the LUKS volume can be anything, e.g. swap or randomname, and $UUID is the UUID of the LUKS volume containing the swap partition.
swapoff the swap partition if it is already enabled, and luksClose the volume if it is already opened/unlocked. Reopen it using the same $identifier used in the /etc/crypttab file for the LUKS volume, then swapon /dev/mapper/$identifier.
Generate the initramfs with dracut --force --hostonly --kver ##### or the kernel upgrade/downgrade hooks of your distribution.
Expected behavior
Dracut should not skip LUKS volumes containing swap partitions. In a Full Disk Encryption setup, one of the ways to have an encrypted swap without the use of LVM is to have a separate LUKS-encrypted swap partition. I have a similar setup, where I have a separate LUKS-encrypted swap partition, and I want the initramfs to unlock all the LUKS-encrypted partitions, including the ones with swap.
Additional context
Removing the following line from `/bin/dracut` solves the issue.
[[ "$_p" == /* ]] && [[ -f $_p ]] && continue 2
This was added through an old commit, which I found through a comment on a related but different issue, 2128.
Please let me know if more information is needed.
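The following is an added example, not dracut's own code and not part of the report above. It is a stand-alone emulation of the skip condition the report describes (a crypttab mapper name that matches the currently active swap mapping, combined with an absolute key path that exists on the host), so the effect of the mapper name can be checked without rebuilding an initramfs. Assumptions that are not taken from dracut: "currently enabled as swap" is read from a /proc/swaps-style file, and the key field counts as a host keyfile when it is an absolute path to a regular file; real dracut derives both from its own host device scan, and only the shape of the condition is modelled here. The UUIDs, key paths and swap listing are constructed placeholders.

```shell
#!/bin/sh
# Added example: emulate the hostonly crypttab filter described in the report.
# Not dracut's code. Inputs are constructed; see the demo function below.

# is_host_keyfile KEY
# Assumption (modelled on the report's description of the removed line):
# the key field counts as a host keyfile when it is an absolute path to an
# existing regular file. "none", "-" or /dev/urandom therefore do not count.
is_host_keyfile() {
    case "$1" in
        /*) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# check_crypttab_swap_skip CRYPTTAB SWAPS
# CRYPTTAB: a file in /etc/crypttab format; SWAPS: a file in /proc/swaps format
# (assumption: active swap is taken from this listing, not from a device scan).
# Prints one line per crypttab entry:
#   "<mapper> include"                        entry would be carried into the initramfs
#   "<mapper> skip:active-swap-with-keyfile"  entry hits the condition the report describes
check_crypttab_swap_skip() {
    local crypttab="$1" swaps="$2"
    local mapper dev key opts
    while read -r mapper dev key opts || [ -n "$mapper" ]; do
        case "$mapper" in '' | \#*) continue ;; esac   # blank lines and comments
        [ -n "$dev" ] || continue                       # malformed line without a device
        # Is /dev/mapper/<mapper> listed as an active swap device right now,
        # and does the entry carry a keyfile that exists on the host?
        if grep -q "^/dev/mapper/${mapper}[[:space:]]" "$swaps" \
            && is_host_keyfile "$key"; then
            echo "$mapper skip:active-swap-with-keyfile"
        else
            echo "$mapper include"
        fi
    done < "$crypttab"
}

# demo CRYPTTAB_NAME ACTIVE_NAME
# Builds constructed inputs in a temp dir: the swap entry in crypttab uses
# CRYPTTAB_NAME, while the volume is currently mapped and swapped on as
# ACTIVE_NAME. Prints the filter result for both entries.
demo() {
    local crypt_name="$1" active_name="$2" tmp
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/keys"
    : > "$tmp/keys/luks-system.key"   # constructed placeholder keyfiles
    : > "$tmp/keys/luks-swap.key"
    {
        echo "# constructed /etc/crypttab (UUIDs are placeholders)"
        echo "system UUID=00000000-0000-0000-0000-000000000001 $tmp/keys/luks-system.key luks"
        echo "$crypt_name UUID=00000000-0000-0000-0000-000000000002 $tmp/keys/luks-swap.key luks"
    } > "$tmp/crypttab"
    {
        printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n'
        printf '/dev/mapper/%s\tpartition\t15728640\t0\t-2\n' "$active_name"
    } > "$tmp/swaps"
    check_crypttab_swap_skip "$tmp/crypttab" "$tmp/swaps"
    rm -rf "$tmp"
}

# Stand-alone run: the mapper name used in the report versus the reporter's
# workaround of mapping the volume under a different name than crypttab uses.
echo "== crypttab 'swap', active mapping 'swap' =="
demo swap swap
echo "== crypttab 'swap', active mapping 'cryptswap' =="
demo swap cryptswap
```

The first run reports the swap entry as skipped and the system entry as included; the second run, which mirrors the workaround in the report (crypttab still says swap, the running mapping is cryptswap), includes both. On a real host the equivalent check after dracut --force --hostonly is lsinitrd on the generated image, grepping for the keyfile path, which shows directly whether the key was packed. Whichever way the filter is resolved, an initramfs that carries LUKS keyfiles is itself key material and has to live on a boot partition and in a boot chain that an attacker with disk access cannot read.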