Do not supply passphrase when killing keyslot. (#868)

2026-03-26 21:33:25 +00:00 · 2025-04-27 22:19:12 +02:00
parent aa9e7b6dfb
commit 04a0d38e3b
2 changed files with 10 additions and 4 deletions
--- a/plugins/modules/luks_device.py
+++ b/plugins/modules/luks_device.py
@@ -759,12 +759,14 @@ class CryptHandler(Handler):

        if keyslot is None:
            args = [self._cryptsetup_bin, 'luksRemoveKey', device, '-q']
+            if keyfile:
+                args.extend(['--key-file', keyfile])
+            elif passphrase is not None:
+                args.extend(['--key-file', '-'])
        else:
+            # Since we supply -q no passphrase is needed
            args = [self._cryptsetup_bin, 'luksKillSlot', device, '-q', str(keyslot)]
-        if keyfile:
-            args.extend(['--key-file', keyfile])
-        else:
-            args.extend(['--key-file', '-'])
+            passphrase = None
        result = self._run_command(args, data=passphrase)
        if result[RETURN_CODE] != 0:
            raise ValueError('Error while removing LUKS key from %s: %s'