• Bug#1065801: cryptsetup: Crypttab man pages does not list option _netde

    From bigops@21:1/5 to All on Sat Mar 9 23:10:01 2024
    Package: cryptsetup
    Version: cryptsetup 2.6.1
    Severity: normal
    X-Debbugs-Cc: deb@mailon.mozmail.com

    Dear Maintainer,

    The crypttab which is part of the cryptsetup package in its man page does not include the option _netdev. _netdev is required for unlocking Luks volumes via Clevis/Tang.

    Confirmed that the block device is not unlocked without this option in the crypttab even though it is not documented. The manpage at freedesktop.org has this option (_netdev)
    documented (https://www.freedesktop.org/software/systemd/man/latest/crypttab.html)



    My current crypttab which works is like this

    bdrive LABEL="bdisk" none _netdev,luks

    Also crypttab with _netdev alone does not seem to unlock the luks volume and the volume is only unlocked when a corresponding entry with _netdev exists in /etc/fstab like
    the one below

    /dev/mapper/bdrive /mnt/disk1 xfs defaults,_netdev 0 2

    Earlier behavior was that if crypttab has the _netdev option the luks device is unlocked but not mounted. In the latest version it will work only when it is decrypted and
    mounted. Also if the /etc/fstab option is not present the disk is not unlocked even if the noauto is not configured in crypttab and everything silently fails without any logs
    in Journald or anywhere as if crypttab itself is not processed.

    The desired option would be

    (1) Crypttab manual states clearly the _netdev option
    (2) Crypttab should be able to unlock the luks volume without mounting it using fstab as suggested by the freedesktop manual.
    (3) If crypttab mount fails there should be an error in the journal log rather than silently failing.



    -- System Information:
    Debian Release: 12.5
    APT prefers stable-updates
    APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.1.0-18-amd64 (SMP w/16 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages cryptsetup depends on:
    ii cryptsetup-bin 2:2.6.1-4~deb12u2
    ii debconf [debconf-2.0] 1.5.82
    ii dmsetup 2:1.02.185-2
    ii libc6 2.36-9+deb12u4

    cryptsetup recommends no packages.

    Versions of packages cryptsetup suggests:
    pn cryptsetup-initramfs <none>
    ii dosfstools 4.2-1
    pn keyutils <none>
    ii liblocale-gettext-perl 1.07-5

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
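
Added example, not part of either message or of the cryptsetup package: a small Python lint that flags crypttab entries carrying _netdev with no matching _netdev entry for /dev/mapper/<name> in /etc/fstab, the pairing the reporter found necessary on Debian 12.5. The sample file contents and the function names are constructed for illustration, and only fstab entries written as /dev/mapper/<name> are matched.

```python
"""Added example: lint crypttab/fstab pairs for the _netdev pairing described in the report."""

# Constructed sample input, modelled on the two lines quoted in the report.
SAMPLE_CRYPTTAB = '''\
# <name> <source device> <key file> <options>
bdrive LABEL="bdisk" none _netdev,luks
cdrive LABEL="cdisk" none _netdev,luks
ddrive LABEL="ddisk" none luks
'''
SAMPLE_FSTAB = '''\
/dev/mapper/bdrive /mnt/disk1 xfs defaults,_netdev 0 2
/dev/mapper/ddrive /mnt/disk3 xfs defaults 0 2
'''

def _rows(text, min_fields):
    """Yield whitespace-split fields of non-comment lines with enough columns."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= min_fields:
            yield fields

def netdev_findings(crypttab_text, fstab_text):
    """Return {mapping name: finding} for crypttab entries that carry _netdev."""
    # fstab columns: spec, mount point, type, options.
    # Assumption: the mapped device is referenced as /dev/mapper/<name>, not by UUID= or LABEL=.
    fstab_opts = {}
    for f in _rows(fstab_text, 4):
        if f[0].startswith("/dev/mapper/"):
            fstab_opts[f[0][len("/dev/mapper/"):]] = set(f[3].split(","))
    findings = {}
    # crypttab columns: name, source device, key file, options (options may be absent).
    for f in _rows(crypttab_text, 2):
        opts = set(f[3].split(",")) if len(f) > 3 else set()
        if "_netdev" not in opts:
            continue  # only the _netdev pairing from the report is checked
        name = f[0]
        if name not in fstab_opts:
            findings[name] = "no fstab entry for /dev/mapper/%s" % name
        elif "_netdev" not in fstab_opts[name]:
            findings[name] = "fstab entry lacks _netdev"
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    for name, finding in netdev_findings(SAMPLE_CRYPTTAB, SAMPLE_FSTAB).items():
        print(name, "->", finding)
```
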
  • From Christoph Anton Mitterer@21:1/5 to bigops on Sat Mar 9 23:20:02 2024
    On Sat, 2024-03-09 at 16:06 -0600, bigops wrote:
    > The crypttab which is part of the cryptsetup package in its man page
    > does not include the option _netdev.  _netdev is required for
    > unlocking Luks volumes via Clevis/Tang.
    >
    > Confirmed that the block device is not unlocked without this option
    > in the crypttab even though it is not documented. The manpage at freedesktop.org has this option (_netdev)
    > documented (https://www.freedesktop.org/software/systemd/man/latest/crypttab.html)

    That's because it's from systemd's crypttab, which is a later
    development that is incompatible but uses the same filename.

    crypttab(5) manpage already contains a reference on that:
    ON DIFFERENT CRYPTTAB FORMATS
    Please note that there are several independent cryptsetup wrappers with
    their own crypttab format. This manpage covers Debian's implementation
    for initramfs scripts and SysVinit init scripts. systemd brings its own
    crypttab implementation. We try to cover the differences between the
    systemd and our implementation in this manpage, but if in doubt, better
    check the systemd crypttab(5) manpage, e.g. online at
    https://www.freedesktop.org/software/systemd/man/crypttab.html.


    Cheers,
    Chris.
