I have LUKS-encrypted swap and encrypted ZFS using the same password. To avoid entering the same password twice during boot I thought of updating
/usr/lib/dracut/modules.d/90zfs/zfs-load-key.sh to read the cryptsetup password from the keyring. I can get the key ID with
$(keyctl list @u | grep cryptsetup | cut -d ':' -f 1)
but when I try to print it
keyctl print <ID>
I get the favorite message type in the Linux world: “F…K OFF!”, in this case
Any idea how to fix it?
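The lookup described above, written out as an added example (my code, not the original poster's or the dracut module's). It assumes the cached passphrase sits in the user keyring (@u) as a "user" type key whose description begins with "cryptsetup", that the ZFS dataset uses keyformat=passphrase, and that it runs as root in the initramfs where keyctl and zfs are present; the sample `keyctl list` output is constructed so the parsing part runs offline.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions (mine): key type "user", description prefix "cryptsetup",
# keyring @u, keyformat=passphrase on the dataset, running as root in initramfs.

# Parse `keyctl list <keyring>` output (read on stdin) and print the numeric ID
# of the first key of type $1 whose description starts with $2.
# Each key line looks like:
#   " 345899183: --alswrv     0     0 user: cryptsetup"
# i.e. fields: id: perms uid gid type: description
# The header line ("N keys in keyring:") has no colon after field 1, so it is skipped.
keyring_id_for() {
    awk -v type="$1:" -v prefix="$2" '
        $1 ~ /^[0-9]+:$/ && $5 == type && index($6, prefix) == 1 {
            sub(/:$/, "", $1)
            print $1
            exit
        }'
}

# Constructed sample of `keyctl list @u` output (not captured from a real system),
# so the parser can be exercised without a kernel keyring.
SAMPLE_LIST='2 keys in keyring:
 345899183: --alswrv     0     0 user: cryptsetup
 112233445: --alswrv     0     0 logon: unrelated-key'

demo_lookup() {
    printf '%s\n' "$SAMPLE_LIST" | keyring_id_for user cryptsetup
}

# The real pipeline for the initramfs. `keyctl pipe` writes the raw key bytes
# (whereas `keyctl print` hex-encodes anything that is not printable, which would
# corrupt a passphrase), and `zfs load-key -L prompt` reads the passphrase from stdin.
load_zfs_key_from_keyring() {
    dataset=$1
    id=$(keyctl list @u | keyring_id_for user cryptsetup) || return 1
    if [ -z "$id" ]; then
        echo "no cryptsetup key found in @u" >&2
        return 1
    fi
    keyctl pipe "$id" | zfs load-key -L prompt "$dataset"
}

# Usage inside the initramfs (hypothetical dataset name):
#   load_zfs_key_from_keyring rpool/ROOT
```

Two things worth checking before relying on this: `keyctl list @u` must be run in the same user/session context that cached the key, and cached passphrases are normally held with a timeout, so the ZFS key load has to happen soon after the LUKS unlock.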
A few things:
- Is the cryptsetup password available to the user that zfs-load-key is running as?
- Is keyctl in your initrd?
- /usr/lib/dracut/modules.d/90zfs/zfs-load-key.sh will be overwritten every time
As a side note, couldn’t you do the opposite? Place a keyfile in your encrypted zfs filesystem and use the keyfile to unlock swap?
Sorry, I haven’t expressed myself very clearly: everything I described was done in the initramfs during boot, so
keyctl is present and I assume everything in the initramfs runs as root.
Moreover, the swap is decrypted first (to be able to resume from hibernation).