
systemd-cryptsetup-generator no longer working #75540

@aarowill


Describe the bug
Since the update (19.09) that moved generators from systemd.generator-packages to systemd.packages, the systemd-cryptsetup-generator no longer properly decrypts drives as specified in /etc/crypttab upon boot. Specifically, when running a ZFS setup with encrypted drives (only data drives, root/boot drive is not encrypted) the boot freezes when trying to mount my data drive ZFS pool due to the drives being unavailable. I've confirmed by checking the boot logs that prior to this update, there are systemd-cryptsetup logs during boot but after the update there are no such logs before the system fails to boot.

To Reproduce
Steps to reproduce the behavior:

  1. Have a drive (LUKS encrypted) specified in /etc/crypttab, for example:
    dev-mapper-name	/dev/disk/by-id/drive-id-123	/path/to/key
    
  2. Configure NixOS to use systemd-cryptsetup-generator as per the new systemd.packages option:
    systemd.packages = [ pkgs.systemd-cryptsetup-generator ];
    
  3. Reconfigure the system with nixos-rebuild switch
  4. Reboot and observe that the drives do not get decrypted or mounted to /dev/mapper/dev-mapper-name

Expected behavior
When using systemd.packages = [ pkgs.systemd-cryptsetup-generator ];, crypttab should be read and the specified drives should be decrypted and available on /dev/mapper.

Additional context
Example successful boot log excerpt from before update (missing in 19.09):

Dec 11 17:20:46 hostname systemd[1]: Starting Cryptography Setup for drive-1...
Dec 11 17:20:46 hostname systemd-cryptsetup[1261]: Key file /path/to/key is world-readable. This is not a good idea!
Dec 11 17:20:46 hostname systemd-cryptsetup[1261]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/disk/by-id/drive-id-123.

In my failed 19.09 boots, there is mention of dm_crypt in the kernel boot logs but no mention of cryptsetup whatsoever. It may also be worth mentioning I am generating my crypttab file using environment.etc.crypttab.text, I am using the dm_crypt kernel module, and this setup worked fine in 19.03.

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 4.19.75, NixOS, 19.09.1549.45ea6092203 (Loris)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3`
 - channels(root): `"nixos-19.09.1549.45ea6092203"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute: systemd-cryptsetup-generator, systemd, cryptsetup
# a list of nixos modules affected by the problem
module: systemd
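
A post-boot check for the symptom reported above, added here as an example and not part of the issue or of nixpkgs: it reads crypttab and reports entries with no mapper device, key files readable by others (the condition behind the logged warning), and the absence of any generated `systemd-cryptsetup@` unit. The function names, output tags and the `/run/systemd/generator` default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the issue. Paths are parameters so the audit can run
# against a constructed tree; the defaults are the usual locations (assumed).
audit_crypttab() (
    crypttab="${1:-/etc/crypttab}"
    mapper="${2:-/dev/mapper}"
    gen="${3:-/run/systemd/generator}"
    entries=0 problems=0

    while read -r name device keyfile options || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac    # blank line or comment
        entries=$((entries + 1))
        if [ ! -e "$mapper/$name" ]; then
            echo "NOT-OPEN $name: $mapper/$name missing (source $device)"
            problems=$((problems + 1))
        fi
        case "$keyfile" in ''|none|-) continue ;; esac    # no key file set
        # Others-read bit: the condition the systemd-cryptsetup warning names.
        if [ -n "$(find -L "$keyfile" -prune -perm -004 2>/dev/null)" ]; then
            echo "KEY-PERM $name: $keyfile is world-readable"
            problems=$((problems + 1))
        fi
    done < "$crypttab"

    # Entries present but no generated unit: the generator produced nothing.
    set -- "$gen"/systemd-cryptsetup@*.service
    if [ "$entries" -gt 0 ] && [ ! -e "$1" ]; then
        echo "NO-UNITS no systemd-cryptsetup@*.service in $gen"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
)

# Constructed sample mirroring the report: one crypttab entry, a mode-644 key,
# no mapper device and no generated unit. Prints the temp directory it made.
make_sample() (
    root="$(mktemp -d)"
    mkdir -p "$root/mapper" "$root/gen"
    echo constructed-key > "$root/key"
    chmod 644 "$root/key"
    printf 'dev-mapper-name\t/dev/disk/by-id/drive-id-123\t%s\n' "$root/key" \
        > "$root/crypttab"
    echo "$root"
)

if [ "${1:-}" = "--demo" ]; then
    sample="$(make_sample)"
    audit_crypttab "$sample/crypttab" "$sample/mapper" "$sample/gen" || true
    rm -rf "$sample"
fi
```

Run with `--demo` to see the three findings on the constructed tree; with no arguments the script only defines the functions, and `audit_crypttab` called without parameters audits the live system paths.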


Labels: 0.kind: bug (Something is broken); 6.topic: nixos (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS)
