On Wed, 29 May 2019 at 12:07, Ondrej Kozina wrote:

> On 5/29/19 11:56 AM, Dominic Raferd wrote:
> > Thanks Guilhem, those links are very helpful but I have not solved it
> > yet. Another change in the new cryptsetup is LUKS2 and use of the kernel
> > keyring, so when run from a booted system dmcrypt_derived just returns a
> > message that the source crypt device uses the keyring - I don't know how
> > to obtain the actual key to use it in the creation of the second crypt
> > device (or maybe it is impossible
>
> Not sure why you need to reuse volume key put in dm-crypt exactly but if
> you rely on the classical method, you may use --disable-keyring
> parameter of cryptsetup. With this parameter cryptsetup uploads the key
> in hexbyte representation as with LUKS1 format.
>

Thanks but I am using the standard Debian recipe (via Ubuntu alternate installer which uses anaconda) for drive encryption (LUKS + dm-crypt, with LVM on top) and this does not give any chance (AFAIK) to specify a special parameter for cryptsetup. Previously it used LUKS1 without keyring but now it uses LUKS2 with keyring. I want to keep the initial setup process as simple as possible (documented at https://www.timedicer.co.uk).

The idea of reusing key from first crypt device when creating second crypt device is that once the first crypt device is decrypted in initramfs (by user entering password) then the second one can be decrypted using the key from the first. (Both devices must be decrypted in initramfs because root LV is based on a VG which spans *both* devices - a scenario that might arise if the first device runs out of space.) This way there is no need to enter password twice or to cache it.
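An added example, not part of the thread above and not cryptsetup's own code: a shell helper that reads one dm-crypt table line (the format `dmsetup table` prints) and reports whether the volume key is only referenced from the kernel keyring, which is the LUKS2 default discussed above, or is held in the table as hex, as with `--disable-keyring`. The function name, output format and sample lines are constructed for illustration; the helper never prints key material.

```shell
#!/bin/sh
# dm-crypt table line layout (kernel dm-crypt documentation):
#   <start> <size> crypt <cipher> <key> <iv_offset> <device> <offset> [opts]
# <key> is either a hex string or ":<key_size>:<key_type>:<key_description>"
# when the key lives in the kernel keyring.

dmcrypt_key_source() {
    set -f                      # no globbing while splitting the line
    set -- $1
    set +f
    case "$1" in *:) shift ;; esac   # drop "name:" prefix of multi-device listings
    [ "$3" = crypt ] || { echo "not-crypt"; return 1; }
    key=$5
    case "$key" in
        :*)
            # Keyring reference: report size, type and description only.
            spec=${key#:}
            size=${spec%%:*}; spec=${spec#*:}
            type=${spec%%:*}; desc=${spec#*:}
            echo "keyring type=$type bytes=$size desc=$desc"
            ;;
        -)
            echo "no-key"       # e.g. the null cipher
            ;;
        ''|*[!0-9a-fA-F]*)
            echo "unknown"; return 1
            ;;
        *)
            # Hex key field: report its length in bits, never the value.
            # Without --showkeys, dmsetup prints zeros of the same length.
            echo "hex bits=$(( ${#key} * 4 ))"
            ;;
    esac
}

# Constructed sample lines (UUID, sizes and device numbers are made up).
SAMPLE_KEYRING='0 41940992 crypt aes-xts-plain64 :64:logon:cryptsetup:11111111-2222-3333-4444-555555555555-d0 0 8:3 32768'
SAMPLE_HEX="0 2097152 crypt aes-cbc-essiv:sha256 $(printf '%032d' 0) 0 8:5 4096"
SAMPLE_NAMED="sda3_crypt: $SAMPLE_KEYRING"

for line in "$SAMPLE_KEYRING" "$SAMPLE_HEX" "$SAMPLE_NAMED"; do
    dmcrypt_key_source "$line"
done
```

On a live system the input would be the output of `dmsetup table <name>` run as root; a `keyring` result means the table holds only a reference to the key, not the key itself.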