The proper way to unlock a root filesystem spanning two LUKS devices by only entering the password once, using systemd

btrfs luks root-filesystem systemd

I have been having a lot of issues getting an encrypted multi-disk root filesystem to boot up reliably under systemd on Debian Jessie while only having to enter the password once. Previously I've handled this in Debian by using the decrypt_derived keyscript in /etc/crypttab for every device except the first, and this worked well.

However, this does not play well when systemd is introduced. systemd-cryptsetup-generator does not handle keyscripts, and when trying to find more information about how to solve this, I only found vague references to some custom password agent in an email from one of the systemd developers which only gives the unhelpful advice that it is "easy to write additional agents. The basic algorithm to follow looks like this" and then a list of 13 steps to take. Clearly not meant for an end user.

In Debian, I have got it to work to some degree by playing with a couple of kernel options that tell systemd to ignore /etc/crypttab during boot, or ignore it completely. Debian's update-initramfs will copy the keyscript to the initramfs and unlock the devices before systemd takes over, but I have found that it leads to issues later because systemd now does not have any unit files for the decrypted devices, so mounts that rely on them sometimes seem to hang or get delayed. One place where this breaks is when trying to mount btrfs subvolumes; they are mounted from the same physical device as root, but systemd is not aware that the devices are already unlocked, and halts at boot.

TL;DR – my actual question:

What is the systemd way to handle an encrypted root filesystem spanning multiple devices (be it a btrfs system, LVM mirror, etc) where you only need to enter the password once? I hardly consider this to be an exceptionally unusual case, so here's hoping that there is a method in place to do this.

Some possible solutions come to mind:

  • Tiny encrypted partition containing a keyfile, which is unlocked before root. The root devices would refer to this keyfile. How would I tell this to systemd?
  • Some sort of caching password agent running in initramfs, which remembers the password and hands it to all devices needing it at boot.
  • Someone has already written a systemd agent emulating decrypt_derived. How would I integrate this in my boot procedure?

I do run Debian exclusively, but after having tried for days to find a solution to my problem I feel that this is perhaps a more system-wide problem.
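As an added illustration (not code from the original question or answer): a small audit script that parses a crypttab and flags entries relying on the Debian-specific keyscript= option, which systemd-cryptsetup-generator does not honour, so they silently get no unlock unit under systemd. The crypttab content is a constructed sample, and the UUIDs and key path are placeholders.

```python
"""Audit crypttab entries for options the systemd generator ignores.

The sample below is constructed for this example. keyscript= is a Debian
cryptsetup extension; systemd-cryptsetup-generator does not implement it,
so those entries will not be unlocked by systemd at boot.
"""
from dataclasses import dataclass

SAMPLE_CRYPTTAB = """\
# <target name> <source device>        <key file>          <options>
root_a           UUID=PLACEHOLDER-AAAA  none                luks,discard
root_b           UUID=PLACEHOLDER-BBBB  root_a              luks,keyscript=decrypt_derived
data             /dev/sdc1              /etc/keys/data.key  luks
"""

@dataclass
class CryptEntry:
    name: str
    device: str
    keyfile: str      # "none" means an interactive passphrase prompt
    options: dict     # option name -> value, or True for bare flags

def parse_crypttab(text):
    """Parse crypttab text into CryptEntry objects, skipping comments/blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"crypttab line needs at least name and device: {raw!r}")
        name, device = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = {}
        if len(fields) > 3:
            for opt in fields[3].split(","):
                key, _, value = opt.partition("=")
                options[key] = value if value else True
        entries.append(CryptEntry(name, device, keyfile, options))
    return entries

def keyscript_entries(entries):
    """Names of entries that depend on keyscript= and so are skipped by systemd."""
    return [e.name for e in entries if "keyscript" in e.options]

def prompted_entries(entries):
    """Names of entries that will prompt for a passphrase (no key file, no keyscript)."""
    return [e.name for e in entries
            if e.keyfile == "none" and "keyscript" not in e.options]

if __name__ == "__main__":
    parsed = parse_crypttab(SAMPLE_CRYPTTAB)
    print("ignored by systemd (keyscript=):", keyscript_entries(parsed))
    print("will prompt for a passphrase:  ", prompted_entries(parsed))
```

To audit a live system, read /etc/crypttab instead of SAMPLE_CRYPTTAB; any name listed under keyscript= is one systemd will not unlock on its own.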

Best Answer

There is now a solution to this problem (at least in Ubuntu 18.04+, so I assume Debian, and CentOS-7). Described here. Quoting:

Systemd ... will unlock all additional LUKS partitions if

  1. all of the partitions you want to unlock use the same password
  2. you enter the password for the root partition correctly the first time. If you get it wrong, you'll need to enter it again for every other LUKS partition