#1034695 cryptsetup: If decrypt_keyctl fails, pass password to cryptsetup anyway

Package:
cryptsetup
Source:
cryptsetup
Description:
disk encryption support - startup scripts
Submitter:
Chase Covello
Date:
2023-04-21 20:51:03 UTC
Severity:
normal
Tags:
#1034695#5
Date:
2023-04-21 20:47:29 UTC
From:
To:
After installing cryptsetup-suspend, the decrypt_keyctl script fails with a keyctl_set_timeout error. May be related to https://bugs.debian.org/939357.

Currently, decrypt_keyctl just terminates with an error message, which leaves me unable to unlock the root disk on resume. I've modified the script to print the passphrase to stdout as a fallback:
--- /lib/cryptsetup/scripts/decrypt_keyctl	2023-04-20 14:46:08.000000000 -0700
+++ src/decrypt_keyctl	2023-04-21 13:18:58.121017360 -0700
@@ -16,6 +16,7 @@
 die()
 {
     echo "$@" >&2
+    printf "%s" "$KEY_"
     exit 1
 }
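Review bot: the printf added to die() runs for every caller of die(), not only for the keyctl timeout failure, so "$KEY_" is written to stdout on any error path, including ones where the variable may still be empty or unset, and the script still ends with exit 1 after emitting the passphrase. Consider handling the timeout failure at its own call site (warn on stderr, then print the key) instead of in the generic error helper, or at least guard the line with [ -n "$KEY_" ]. Either way, confirm that the caller uses stdout from a keyscript that exits non-zero, and add a comment explaining why key material is written on an error path.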


I'm not sure if there are any particular security implications of doing this, but on errors decrypt_keyctl is essentially just passing through the result of /lib/cryptsetup/askpass.

Best regards,
Chase Covello