Do not supply passphrase when killing keyslot. (#868)

2026-03-26 21:33:25 +00:00 · 2025-04-27 22:19:12 +02:00
parent aa9e7b6dfb
commit 04a0d38e3b
2 changed files with 10 additions and 4 deletions
--- a/changelogs/fragments/868-luks-remove-keyslot.yml
+++ b/changelogs/fragments/868-luks-remove-keyslot.yml
@@ -0,0 +1,4 @@
+bugfixes:
+  - "luks_device - removing a specific keyslot with ``remove_keyslot`` caused the module to hang while cryptsetup was waiting for a passphrase from stdin,
+     while the module did not supply one. Since a keyslot is not necessary, do not provide one
+     (https://github.com/ansible-collections/community.crypto/issues/864, https://github.com/ansible-collections/community.crypto/pull/868)."
--- a/plugins/modules/luks_device.py
+++ b/plugins/modules/luks_device.py
@@ -759,12 +759,14 @@ class CryptHandler(Handler):

        if keyslot is None:
            args = [self._cryptsetup_bin, 'luksRemoveKey', device, '-q']
+            if keyfile:
+                args.extend(['--key-file', keyfile])
+            elif passphrase is not None:
+                args.extend(['--key-file', '-'])
        else:
+            # Since we supply -q no passphrase is needed
            args = [self._cryptsetup_bin, 'luksKillSlot', device, '-q', str(keyslot)]
-        if keyfile:
-            args.extend(['--key-file', keyfile])
-        else:
-            args.extend(['--key-file', '-'])
+            passphrase = None
        result = self._run_command(args, data=passphrase)
        if result[RETURN_CODE] != 0:
            raise ValueError('Error while removing LUKS key from %s: %s'