Thanks Guilhem, those links are very helpful but I have not solved it yet. Another change in the new cryptsetup is LUKS2 and use of the kernel keyring, so when run from a booted system dmcrypt_derived just returns a message that the source crypt device uses the keyring - I don't know how to obtain the actual key to use it in the creation of the second crypt device (or maybe it is impossible).

On Wed, 22 May 2019 at 18:16, Guilhem Moulin <guilhem@fripost.org> wrote:
> Hi Dominic,
>
> On Wed, 22 May 2019 at 13:53:07 +0100, Dominic Raferd wrote:
> > Thanks Arno, I think it is Debian really (rather than Ubuntu), but I
> > couldn't see where to ask except here. Will dig some more.
>
> For Debian you could file a bug against the ‘cryptsetup-initramfs’
> package, see https://tracker.debian.org/pkg/cryptsetup and
> https://www.debian.org/Bugs/ .
>
> (‘Severity: wishlist’ I guess; at least your custom patch not applying
> anymore isn't hinting at a regression.)
>
> Also FWIW we (Debian packaging team) have native support for unlocking
> multiple devices at early boot stage with a single passphrase prompt,
> see /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz and
> /usr/share/doc/cryptsetup-run/README.* .  If that doesn't cover your
> workflow then please visit the above links and file a wishlist bug :-)
>
> Cheers,
> --
> Guilhem.