cryptsetup is integrated into the Debian boot process to allow decrypting volumes on boot. In Debian/Ubuntu (and maybe others) this integration includes a feature called 'keyscript' which can be added to /etc/crypttab.
When using a smartcard to unlock encrypted volumes (LUKS), a PIN must be entered. The process to ask for the PIN is generally coded in the file referenced by 'keyscript'. The packages ship a particular script for this:
-rwxr-xr-x 1 root root 953 Aug 23 2022 /usr/lib/cryptsetup/scripts/decrypt_gnupg-sc
Some of us want to change the process (e.g. if the smartcard is missing, fall back to a passphrase prompt), which requires different code. Adding the code directly to the default keyscript works until the next update, when the file is overwritten.
NOTE: There are workarounds for this bug. This post is specifically about the bug, not workarounds.
Intuitively, if we have a keyscript option that we can edit in crypttab, it makes sense to reference a different file. Multiple people have tried this but it DOES NOT WORK in the Ubuntu family. It has not worked for the last 6 years that I have been attempting it in every release of Ubuntu. It does not work now (2025/6/25). The initramfs build and/or boot process refuses to use the custom script. Here is an example of how I configure it after getting the smartcard to work with the default process:
luks-device UUID=abcdefg /etc/cryptsetup-initramfs/cryptkey.gpg luks,keyscript=decrypt_gnupg-sc-custom
The custom script is 99% the same as the original, with only 1 line to denote the difference. It will fail to work.
To recreate the problem, follow the steps below. Before running this test, make sure you have updated to the latest kernels available in your distro.
SCRIPT=/usr/lib/cryptsetup/scripts/decrypt_gnupg-sc
sudo cp $SCRIPT ${SCRIPT}-custom
#? sudo sed -i 's/exit $?/e=\$?; echo "Press Enter to Continue" ; read FOO ; exit \$e/' ${SCRIPT}-custom
sudo cp -a /etc/crypttab /etc/crypttab.orig
sudo sed -i 's/keyscript=decrypt_gnupg-sc/keyscript=decrypt_gnupg-sc-custom/g' /etc/crypttab
sudo update-initramfs -u -k `uname -r`
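A pre-reboot check that reports whether each keyscript named in crypttab actually ended up in the rebuilt initramfs, so the failure surfaces before the machine is left unbootable. This is an added example, not part of the bug report or of cryptsetup; it assumes relative keyscript= values resolve under /usr/lib/cryptsetup/scripts and that lsinitramfs prints entries without a leading slash, and the crypttab and listing it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): before rebooting, check that each
# keyscript named in crypttab was copied into the rebuilt initramfs. Assumes
# relative keyscript= values resolve under /usr/lib/cryptsetup/scripts and
# that lsinitramfs lists entries without a leading slash; sample data is made up.

SCRIPT_DIR=/usr/lib/cryptsetup/scripts

# keyscript_path CRYPTTAB_LINE: print the absolute keyscript path; fail (status 1)
# when the line is a comment or carries no keyscript= option.
keyscript_path() {
    opts=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 4 { print $4 }')
    ks=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^keyscript=//p')
    [ -n "$ks" ] || return 1
    case "$ks" in
        /*) printf '%s\n' "$ks" ;;
        *)  printf '%s/%s\n' "$SCRIPT_DIR" "$ks" ;;
    esac
}

# in_initramfs PATH LISTING: succeed if the lsinitramfs listing names PATH,
# trying the spellings an image may use (no leading slash, with/without usr/).
in_initramfs() {
    rel=${1#/}
    for candidate in "$rel" "/$rel" "${rel#usr/}" "usr/${rel#usr/}"; do
        printf '%s\n' "$2" | grep -Fqx -e "$candidate" && return 0
    done
    return 1
}

# check_crypttab CRYPTTAB LISTING: print "ok PATH" or "missing PATH" for each
# crypttab entry that uses a keyscript.
check_crypttab() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        path=$(keyscript_path "$line") || continue
        if in_initramfs "$path" "$2"; then printf 'ok %s\n' "$path"; else printf 'missing %s\n' "$path"; fi
    done
}

# Constructed sample: the crypttab line from the report plus a listing in which
# only the stock script made it into the image.
SAMPLE_CRYPTTAB='# <target> <source> <keyfile> <options>
luks-device UUID=abcdefg /etc/cryptsetup-initramfs/cryptkey.gpg luks,keyscript=decrypt_gnupg-sc-custom
swap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64'
SAMPLE_LISTING='usr/lib/cryptsetup/scripts/decrypt_gnupg-sc
usr/lib/cryptsetup/scripts/decrypt_keyctl'

# Demo on the sample; on a real system pass "$(cat /etc/crypttab)" and
# "$(lsinitramfs /boot/initrd.img-$(uname -r))" instead.
check_crypttab "$SAMPLE_CRYPTTAB" "$SAMPLE_LISTING"
```

A "missing" line for the custom script means the image will not be able to run it, whatever the cause, so stop and investigate before rebooting.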
After the initramfs file is created, reboot and choose the default. This fails to boot and gives messages about not finding something or other.
To fix it, we have to choose a different boot option, change /etc/crypttab back, and then rebuild the initramfs:
sudo cp /etc/crypttab.orig /etc/crypttab
sudo update-initramfs -u -k `uname -r`
The next reboot will work.