Permission denied to cryptsetup key (user keyring) in initramfs

Hello,

I have LUKS-encrypted swap and encrypted ZFS using the same password. To avoid entering the same password twice during boot I thought of updating /usr/lib/dracut/modules.d/90zfs/zfs-load-key.sh to read the cryptsetup password from the keyring. I can get the key ID with

$(keyctl list @u | grep cryptsetup | cut -d ':' -f 1)

but when I try to print it

keyctl print <ID>

I get the most favorite message type in the Linux world: “F…K OFF!”, in this case Permission denied.

Any idea how to fix it?

A few things:

  • Is the cryptsetup password available to the user that zfs-load-key is running as?
  • Is keyctl in your initrd?
  • /usr/lib/dracut/modules.d/90zfs/zfs-load-key.sh will be overwritten every time zfs-utils updates

As a side note, couldn’t you do the opposite? Place a keyfile in your encrypted zfs filesystem and use the keyfile to unlock swap?

Sorry, I haven’t expressed myself very clearly: All I describe was done in initramfs during boot, so keyctl is present and I assume everything in initramfs is run as root.

Moreover the swap is being decrypted first (to be able to resume from hibernation).