I am trying to set up an encrypted btrfs system on a Debian Jessie system but I am running into a lot of issues, and now I need some help debugging the basics. It seems like I'm running into a new bug for everything I do.
To get to the bottom of this I set up a virtual Debian Jessie with two drives, the first with an unencrypted OS, and the second with one partition and an empty luks device:

root@jessie:~# cryptsetup luksFormat /dev/sdb1
root@jessie:~# cryptsetup luksOpen /dev/sdb1 crypt
root@jessie:~# dd if=/dev/zero of=/dev/mapper/crypt
root@jessie:~# cryptsetup luksClose crypt

Then I add this to /etc/crypttab:

---- /etc/crypttab ---
# <target name> <source device> <key file> <options>
crypt /dev/sdb1 none luks,noauto
---- /etc/crypttab ---

I ask systemd to generate the relevant unit files for this:

root@jessie:~# systemctl daemon-reload

..which gives me some files in /var/run/systemd/generator

root@jessie:~# tree --charset=ascii /var/run/systemd/generator
|-- dev-mapper-crypt.device.requires
|   `-- systemd-cryptsetup@crypt.service -> ../systemd-cryptsetup@crypt.service
`-- systemd-cryptsetup@crypt.service

---- /var/run/systemd/generator/systemd-cryptsetup@crypt.service ----
# Automatically generated by systemd-cryptsetup-generator

[Unit]
Description=Cryptography Setup for %I
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
SourcePath=/etc/crypttab
DefaultDependencies=no
Conflicts=umount.target
BindsTo=dev-mapper-%i.device
IgnoreOnIsolate=true
After=systemd-readahead-collect.service systemd-readahead-replay.service cryptsetup-pre.target
Before=cryptsetup.target
BindsTo=dev-sdb1.device
After=dev-sdb1.device
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/lib/systemd/systemd-cryptsetup attach 'crypt' '/dev/sdb1' 'none' 'luks,noauto'
ExecStop=/lib/systemd/systemd-cryptsetup detach 'crypt'
---- /var/run/systemd/generator/systemd-cryptsetup@crypt.service ----

After this I try starting the new device:

root@jessie:~# systemctl start dev-mapper-crypt.device
Please enter passphrase for disk VBOX_HARDDISK (crypt)! ****
... here it stalls for what is likely 90 seconds ...
Job for dev-mapper-crypt.device timed out.
root@jessie:~#

Ok. It kinda failed but not really. The device has been unlocked and exists in /dev/mapper/ as expected. Looking at the journal gives me the following relevant lines:

Dec 10 14:18:33 jessie systemctl[4064]: Failed to stop systemd-ask-password-plymouth.path: Unit systemd-ask-password-plymouth.path not loaded.
Dec 10 14:18:33 jessie systemctl[4064]: Failed to stop systemd-ask-password-plymouth.service: Unit systemd-ask-password-plymouth.service not loaded.
Dec 10 14:19:08 jessie systemd-cryptsetup[4062]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/sdb1.
Dec 10 14:20:03 jessie systemd[1]: Job dev-mapper-crypt.device/start timed out.
Dec 10 14:20:03 jessie systemd[1]: Timed out waiting for device dev-mapper-crypt.device.
Dec 10 14:20:03 jessie systemd[1]: systemd-ask-password-console.service stop-sigterm timed out. Killing.
Dec 10 14:20:03 jessie systemd[1]: systemd-ask-password-console.service: main process exited, code=killed, status=9/KILL
Dec 10 14:20:03 jessie systemd[1]: Unit systemd-ask-password-console.service entered failed state.
Dec 10 14:20:03 jessie systemd[1]: systemd-ask-password-wall.service start-pre operation timed out. Terminating.
Dec 10 14:20:03 jessie systemd[1]: Failed to start Forward Password Requests to Wall.
Dec 10 14:20:03 jessie systemd[1]: Unit systemd-ask-password-wall.service entered failed state.

Rebooting the machine and starting the device with "cryptdisks_start crypt" works, and does not give any immediate errors in the journal, but because it does not go through systemd I get in trouble later when I start adding filesystems that require multiple encrypted devices, so I really want to get this very basic thing working first!

My question is thus: How am I supposed to solve this the "systemd way"? I want to be able to start an encrypted block device using a normal systemd service/device so that I can later have systemd units depend on this.
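
Added example (not part of the original post and not systemd's own code): a small Python sketch that maps a crypttab entry to the unit names visible in the generated service file above, so the names other units would reference can be checked in advance. The function names are hypothetical, the escaping follows systemd's documented unit-name rules, and the UUID= case goes beyond the post and assumes the usual /dev/disk/by-uuid/ device path.

```python
import re

# Constructed sample input: the crypttab entry from the post.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
crypt /dev/sdb1 none luks,noauto
"""

_SAFE = re.compile(rb"[A-Za-z0-9:_.]")

def unit_escape(text):
    """Unit-name escaping: '/' becomes '-', other unsafe bytes become \\xXX."""
    out = []
    for i, b in enumerate(text.encode()):
        ch = bytes([b])
        if ch == b"/":
            out.append("-")
        elif _SAFE.fullmatch(ch) and not (i == 0 and ch == b"."):
            out.append(ch.decode())
        else:
            out.append("\\x%02x" % b)  # e.g. '-' becomes \x2d
    return "".join(out)

def path_escape(path):
    """Path variant: drop leading/trailing slashes first; '/' alone maps to '-'."""
    trimmed = path.strip("/")
    return unit_escape(trimmed) if trimmed else "-"

def units_for(line):
    """Map one crypttab line to the unit names used in the generated service."""
    fields = line.split()
    name, source = fields[0], fields[1]
    options = fields[3].split(",") if len(fields) > 3 else []
    if source.startswith("UUID="):
        # Assumption: UUID= sources resolve to the udev by-uuid symlink.
        source = "/dev/disk/by-uuid/" + source[len("UUID="):]
    return {
        "service": "systemd-cryptsetup@%s.service" % unit_escape(name),
        "mapped_device": "dev-mapper-%s.device" % unit_escape(name),
        "source_device": path_escape(source) + ".device",
        "noauto": "noauto" in options,
    }

def parse_crypttab(text):
    """Skip blank lines and comments, return one mapping per entry."""
    return [units_for(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

if __name__ == "__main__":
    for entry in parse_crypttab(SAMPLE_CRYPTTAB):
        print(entry)
```

For the entry in the post this yields systemd-cryptsetup@crypt.service, dev-mapper-crypt.device and dev-sdb1.device, matching the BindsTo= and After= lines in the generated unit.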