Comment 14 for bug 139057

Luke (lukekuhn) wrote :

Here is a solution I am using in Lucid and Maverick when not using LVM, so as to allow use of separately encrypted partitions. This is to support multi-disk video editing machines. It is crude and uses hard-coded UUID values for each partition, not reading crypttab for now. Eventually I will play with making it use the crypttab values, but I was simply seeking a quick solution when I wrote this. I've been using this for months with no problems.

ALGORITHM:

Steps:

1: prompt for passphrase, cache it in a variable in RAM (runs in initramfs, nothing should write to any disk)

   a: if plymouth is running, use plymouth ask-for-password

2: unlock encrypted volumes (hard-coded into the script for now)

3: if cryptsetup returns an error, go back to 1

4: forcibly reset the variable to a string of zeros

5: delete the variable

6: exit

INITRAMFS SCRIPT: name it cryptall and remove cryptroot from /usr/share/initramfs-tools/scripts/local-top

#!/bin/sh
# This is a drop-in replacement for cryptsetup's cryptroot script. It
# caches the passphrase in /tmp/unlock (on the initramfs rootfs, i.e. in
# RAM), unlocks all volumes with it, then deletes the cached passphrase.
#
# HARDCODED FOR LUCID: root on /dev/sda5, swap on /dev/sda7, home on /dev/sda8
#
# Standard initramfs preamble
#
prereqs()
{
 # Make sure that cryptall is run last in local-top
 for req in $(dirname $0)/*; do
  script=${req##*/}
  if [ $script != cryptall ]; then
   echo $script
  fi
 done
}

case $1 in
prereqs)
 prereqs
 exit 0
 ;;
esac

# Ask for the passphrase and cache it. plymouth writes it without a trailing
# newline; cryptsetup reads a passphrase from stdin up to the first newline.
ask()
{
 plymouth ask-for-password --prompt="cryptsetup: unlocking all encrypted boot disks" > /tmp/unlock
}

# Steps 1-3: unlock root, re-prompting on a bad passphrase, three attempts in all.
tries=0
while [ ! -e /dev/mapper/cryptroot ]; do
 tries=$((tries + 1))
 if [ $tries -gt 3 ]; then
  plymouth message --text="Are you sure you are authorized to boot this computer?"
  exit 1
 fi
 if [ $tries -gt 1 ]; then
  plymouth message --text="cryptsetup: unknown fstype, bad password or options?"
 fi
 ask
 cat /tmp/unlock | cryptsetup luksOpen /dev/sda5 cryptroot
done
plymouth message --text="cryptsetup: cryptroot setup successfully"

# The other volumes are expected to share the root passphrase. A mismatch is
# reported but is not fatal; that volume is simply left locked.
cat /tmp/unlock | cryptsetup luksOpen /dev/sda8 crypthome
if [ -e /dev/mapper/crypthome ] ; then
 plymouth message --text="cryptsetup: crypthome setup successfully"
else
 plymouth message --text="home directory passphrase does not match root key-you need to make a new home key"
fi

cat /tmp/unlock | cryptsetup luksOpen /dev/sda7 cryptswap
if [ -e /dev/mapper/cryptswap ] ; then
 plymouth message --text="cryptsetup: cryptswap setup successfully"
else
 plymouth message --text="swap passphrase does not match root key-you need to make a new swap key"
fi

# Steps 4-5: overwrite the cached passphrase with zeros, then delete it.
echo "0000000000000000000000000000000000000000000000000000000000000000" >/tmp/unlock
rm /tmp/unlock

exit 0
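Luke's comment says the script will eventually read crypttab instead of hard-coding devices. The script below is an added example of that direction, written for this page; it is not Luke's script and not Ubuntu's cryptroot script. It keeps the same shape (prompt once, cache the passphrase on the initramfs rootfs, unlock root with a bounded number of retries, try the same passphrase on everything else, wipe the cache) but takes the target list from crypttab, skips entries that have their own key file, resolves UUID=/LABEL= sources, and treats an already-active target as done. Assumptions: /etc/crypttab is present in the initramfs (it must be copied in by a hook; Lucid's cryptsetup hooks did not necessarily do this), cryptsetup plus either plymouth or /lib/cryptsetup/askpass are available, and the root target is named cryptroot. The variables CRYPTTAB, CRYPTSETUP, PASSFILE, ASKPASS and ROOT_TARGET are names chosen here as override hooks so the logic can be exercised outside an initramfs.

```shell
#!/bin/sh
# Added example, not Luke's script: a crypttab-driven cryptall. It reads the
# initramfs copy of /etc/crypttab (assumed present) instead of hard-coding
# /dev/sdaN, unlocks the root target first (re-prompting up to MAX_TRIES
# times), then tries the same cached passphrase on every other entry that has
# no key file of its own. CRYPTTAB, CRYPTSETUP, PASSFILE and ASKPASS are
# override hooks for exercising the logic outside an initramfs.

CRYPTTAB=${CRYPTTAB:-/etc/crypttab}
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}
PASSFILE=${PASSFILE:-/tmp/unlock}   # initramfs rootfs, i.e. RAM, never a disk
ASKPASS=${ASKPASS:-}                # optional replacement for the prompter
MAX_TRIES=3

# Print "name device keyfile" per crypttab entry, skipping blank and comment
# lines and mapping UUID=/LABEL= sources to their /dev/disk/by-* paths.
crypttab_entries() {
    while read -r name src keyfile opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$src" in
            UUID=*)  src="/dev/disk/by-uuid/${src#UUID=}" ;;
            LABEL=*) src="/dev/disk/by-label/${src#LABEL=}" ;;
        esac
        echo "$name $src ${keyfile:-none}"
    done < "$CRYPTTAB"
}

# Progress messages go to the splash screen when plymouth is up, else stderr.
report() {
    if plymouth --ping 2>/dev/null; then plymouth message --text="$1"; else echo "$1" >&2; fi
}

# Prompt once and cache the passphrase (no trailing newline) in PASSFILE.
ask_passphrase() {
    if [ -n "$ASKPASS" ]; then
        "$ASKPASS" > "$PASSFILE"
    elif plymouth --ping 2>/dev/null; then
        plymouth ask-for-password --prompt="cryptsetup: unlocking all encrypted disks" > "$PASSFILE"
    else
        /lib/cryptsetup/askpass "Passphrase for all encrypted disks: " > "$PASSFILE"
    fi
}

# Overwrite the cached passphrase with zeros, then unlink it (steps 4 and 5).
wipe_passphrase() {
    [ -e "$PASSFILE" ] || return 0
    printf '%064d' 0 > "$PASSFILE"
    rm -f "$PASSFILE"
}

# Open one target with the cached passphrase. An already-active target counts
# as success; otherwise the status is cryptsetup's (non-zero on a bad key).
unlock_one() {
    "$CRYPTSETUP" status "$1" >/dev/null 2>&1 && return 0
    "$CRYPTSETUP" luksOpen "$2" "$1" < "$PASSFILE" >/dev/null 2>&1
}

# Root first, with re-prompting; then every other passphrase entry with the
# same key. Prints the names left locked; returns 1 only if root stays shut.
unlock_all() {
    root=$1
    rootdev=$(crypttab_entries | while read -r n d k; do
        if [ "$n" = "$root" ]; then echo "$d"; fi
    done)
    [ -n "$rootdev" ] || { report "cryptsetup: $root is not in $CRYPTTAB"; return 1; }
    tries=0
    while :; do
        ask_passphrase
        tries=$((tries + 1))
        unlock_one "$root" "$rootdev" && break
        if [ "$tries" -ge "$MAX_TRIES" ]; then
            wipe_passphrase
            report "cryptsetup: $root not opened after $tries attempts, giving up"
            return 1
        fi
        report "cryptsetup: bad passphrase for $root, try again"
    done
    report "cryptsetup: $root set up successfully"
    failed=
    while read -r name dev keyfile; do
        [ "$name" = "$root" ] && continue
        [ "$keyfile" = none ] || continue      # has its own key file, not ours
        if unlock_one "$name" "$dev"; then
            report "cryptsetup: $name set up successfully"
        else
            report "cryptsetup: $name does not share the root passphrase, left locked"
            failed="$failed $name"
        fi
    done <<EOF
$(crypttab_entries)
EOF
    wipe_passphrase
    echo "${failed# }"
}

# Installed as local-top/cryptall: "prereqs" lists the other scripts so this one
# runs last, any other invocation unlocks. Keyed on the script's own name so
# sourcing or testing this file does not start prompting.
case "${0##*/}" in
cryptall)
    if [ "$1" = prereqs ]; then
        for req in "$(dirname "$0")"/*; do
            [ "${req##*/}" = cryptall ] || echo "${req##*/}"
        done
        exit 0
    fi
    unlock_all "${ROOT_TARGET:-cryptroot}" >/dev/null || exit 1
    ;;
esac
```

Install it as /usr/share/initramfs-tools/scripts/local-top/cryptall in place of cryptroot and rebuild the initramfs with update-initramfs -u. Two details worth knowing: plymouth's ask-for-password prints the passphrase without a trailing newline, and cryptsetup reading a passphrase from stdin (as here, without --key-file) stops at the first newline anyway, so the cache file is usable either way; and the key-file column is honoured, so a crypttab entry that unlocks from a file on another volume is left for its usual mechanism rather than being fed the cached passphrase.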