fix(crypt): close crypt devices, so that encryption keys get released…

… on shutdown
dracutdevs · Aug 4, 2023 · f0e36e5 · f0e36e5
1 parent af3076a
commit f0e36e5
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/modules.d/90crypt/crypt-shutdown.sh b/modules.d/90crypt/crypt-shutdown.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Mark crypt devices for deferred removal.
+# The dm module removes holding devices, so
+# that the encryption keys can be released.
+dmsetup ls --target crypt | while read -r name _; do
+    if ! type "cryptsetup" > /dev/null 2>&1; then
+        warn "cryptsetup not installed, skipping closing of encrypted devices"
+        return
+    fi
+    cryptsetup close "$name" --deferred 2>&1 | vinfo
+done
diff --git a/modules.d/90crypt/module-setup.sh b/modules.d/90crypt/module-setup.sh
@@ -96,8 +96,12 @@ install() {
     fi
 
     inst_hook cmdline 30 "$moddir/parse-crypt.sh"
+    inst_hook shutdown 24 "$moddir/crypt-shutdown.sh"
+    if type "cryptsetup" > /dev/null 2>&1; then
+        inst_binary cryptsetup
+    fi
     if ! dracut_module_included "systemd"; then
-        inst_multiple cryptsetup rmdir readlink umount
+        inst_multiple rmdir readlink umount
         inst_script "$moddir"/cryptroot-ask.sh /sbin/cryptroot-ask
         inst_script "$moddir"/probe-keydev.sh /sbin/probe-keydev
         inst_hook cmdline 10 "$moddir/parse-keydev.sh"