Bug 153206 - cryptsetup-luks 1.0.3-r3 unable to create swap mapping, keyfile not a regular file, thus function never returns
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High major
Assignee: Benjamin Smee (strerror) (RETIRED)
Reported: 2006-10-28 18:42 UTC by Andreas Ntaflos
Modified: 2006-11-13 07:28 UTC

Description Andreas Ntaflos 2006-10-28 18:42:21 UTC
Upgraded from cryptsetup-luks 1.0.3-r2 to 1.0.3-r3.

/etc/conf.d/cryptfs has only one mapping, for an encrypted swap partition:

swap=crypt-swap
source='/dev/hda3'

This has worked fine with 1.0.3-r2 but now, with 1.0.3-r3, I get this when booting:

...
* dm-crypt map crypt-swap
* cryptsetup will be called with: -c aes -h sha1 -d /dev/urandom luksOpen /dev/hda3 crypt-swap
Warning: exhausting read requested, but key file is not a regular file, function might never return

And it never does. I have to hit CTRL-C, enter the root password and edit /etc/fstab and /etc/conf.d/cryptfs to disable all crypt-swap related settings to be able to boot the system.

The cryptsetup man page states that passwords cannot be read from a non-terminating stream like /dev/random. I suppose this is what the problem is here?

I suppose this qualifies as a bug since the same configuration worked fine with 1.0.3-r2 and now doesn't with 1.0.3-r3. I would also think it's a serious bug, since it stops the boot process?

Or is further configuration necessary to get the swap mapping working again?

emerge --info:
Portage 2.1.2_pre3-r9 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.18-gentoo-r1 i686)
=================================================================
System uname: 2.6.18-gentoo-r1 i686 Intel(R) Pentium(R) M processor 1700MHz
Gentoo Base System version 1.12.5
Last Sync: Fri, 27 Oct 2006 00:00:09 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium-m -mtune=pentium-m -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=pentium-m -mtune=pentium-m -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo http://gentoo.inode.at ftp://gentoo.inode.at/source"
LANG="en_IE.utf8"
LC_ALL="en_IE.utf8"
LINGUAS="en_GB en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X aac alsa apache2 apm avahi bash-completion branding browserplugin cdr crypt cups dbus doc dri dvd dvdread elibc_glibc firefox flac gcj gif gphoto2 gtk gtk2 hal i8x0 imlib input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics ipod jpeg kde kernel_linux latex linguas_de linguas_en linguas_en_GB logrotate mad madwifi mmx mozilla mp3 ncurses nls nptl nptlonly nsplugin offensive opengl oss pcmcia pda pdf perl pic png ppds python qt3 readline samba scanner smartcard spell sse sse2 ssl svg tetex threads truetype truetype-fonts udev unicode usb userland_GNU userlocales video_cards_fbdev video_cards_radeon video_cards_vesa wifi win32codecs xcomposite xinerama xml xorg xosd xv xvid zeroconf"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-10-28 21:14:19 UTC
Not a security bug.
Comment 2 Benjamin Smee (strerror) (RETIRED) gentoo-dev 2006-10-30 03:14:46 UTC
I assume that /dev/hda3 correctly points to the right partition for your environment? If so then try manually executing:
cryptsetup -c aes -h sha256 -d /dev/urandom create crypt-swap /dev/hda3
mkswap /dev/mapper/crypt-swap
swapon /dev/mapper/crypt-swap

If that executes correctly then try a reboot and let me know how it goes.
Comment 3 Andreas Ntaflos 2006-10-31 13:52:17 UTC
Thanks for the reply!

Those commands executed successfully; however, upon rebooting the exact same error occurred. Could it be that instead of `create' the init scripts call `luksOpen', as it is LUKS which cannot read the keyfile from a non-terminating stream directly?
Comment 4 Johannes Krause 2006-11-05 06:38:55 UTC
I had the same problem, and took a look at:

/lib/rcscripts/addons/dm-crypt-start.sh

The script does luksOpen if `cryptsetup isLuks ${source}` succeeds. IMHO it should not check for a luks-header when opening swap.

However, my problem was that I had a luks header at the start of the swap volume by accident after repartitioning. cryptsetup does an exhausting read with luksOpen, but not with create. Probably this is the same problem in your case, too. Overwrite the header with:

dd if=/dev/zero of=/dev/swap count=666
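
Added example, not part of the comment above and not code from the Gentoo init script: a guard that an init script could run before choosing between create and luksOpen, following the behaviour described in comment 4. The helper names has_luks_magic and pick_mode and the "refuse" outcome are assumptions, and the sample devices are constructed image files.

```shell
#!/bin/sh
# Added example; has_luks_magic and pick_mode are hypothetical helpers,
# not functions from dm-crypt-start.sh.

# True if the first six bytes of $1 are the LUKS magic "LUKS" 0xBA 0xBE.
has_luks_magic() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# pick_mode DEVICE KEYFILE prints how the mapping should be opened:
#   plain   no LUKS header: "cryptsetup create" with the given key source
#   luks    LUKS header and a regular key file: "cryptsetup luksOpen"
#   refuse  LUKS header but the key is a stream such as /dev/urandom;
#           luksOpen would read it without end, so skip the mapping and
#           report a probable leftover header instead of hanging the boot
pick_mode() {
    dev=$1
    key=$2
    if ! has_luks_magic "$dev"; then
        echo plain
    elif [ -f "$key" ]; then
        echo luks
    else
        echo refuse
    fi
}

# Constructed sample "devices": small image files, not real partitions.
demo() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/zero of="$tmp/blank.img" bs=512 count=2 2>/dev/null
    { printf 'LUKS\272\276'; dd if=/dev/zero bs=512 count=2 2>/dev/null; } \
        > "$tmp/leftover.img"
    : > "$tmp/key.bin"
    echo "blank swap, urandom key:   $(pick_mode "$tmp/blank.img" /dev/urandom)"
    echo "leftover header, urandom:  $(pick_mode "$tmp/leftover.img" /dev/urandom)"
    echo "LUKS volume, regular key:  $(pick_mode "$tmp/leftover.img" "$tmp/key.bin")"
    rm -rf "$tmp"
}
demo
```

The key file is only tested with [ -f ], never read, so the check itself cannot block on a stream.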
Comment 5 Andreas Ntaflos 2006-11-08 06:37:55 UTC
Thanks Johannes, 

I did what you suggested, but while experimenting on how to solve or reproduce the bug I have recreated the swap partition numerous times (mkswap), with and without applying dm-crypt settings. Shouldn't this overwrite any previous partition header? 

Anyway, I upgraded to cryptsetup 1.0.4 and applied Johannes' suggested fix and after a reboot everything seems to work again. 

I suppose this bug should be marked as WORKSFORME or some such.
Comment 6 Benjamin Smee (strerror) (RETIRED) gentoo-dev 2006-11-13 06:55:09 UTC
Sounds like there was just something incorrectly set up with your env.
Comment 7 Andreas Ntaflos 2006-11-13 07:28:30 UTC
Not to be flamebait or offensive or anything, but from my POV all I really did was (as described) an emerge -u cryptsetup-luks && etc-update, which effectively broke swap encryption.

Apparently the fault has to be on my side since no one else (except Johannes) experienced this problem in this context. But what did I do wrong?