The dracut/plymouth versions used (004) have incomplete support of /etc/crypttab. In /usr/share/dracut/modules.d/50plymouth and 90crypt, the cryptroot-ask.sh script parses /etc/crypttab for only the first 2 options. There are many more options listed in the cryptsetup man pages for crypttab. More specifically, there is an option to specify a keyfile, and/or a 'keyscript' option to execute a script in order to find the keyfile (e.g. mount a USB device).

My use case:
I have a home server running CentOS (I also have a KVM VPS with a hosting provider) to tinker with, and break without serious consequence, to practice sysadmin stuff. I want it to be encrypted so I can have it store backups of important files (family photos, tax records, etc.). I'll be putting it in my living room, and using SSH to control it. This makes it difficult to enter the passphrase over and over again when I'm changing configurations and rebooting all the time. My solution is to have an SD card plugged into the server that contains a key file. When I leave my home, I can either take the SD card with me, or put it in a locked/hidden place.
Other (more enterprise-related) use cases include using an OTP device (YubiKey) for two-factor authentication.

I understand and respect the hesitancy to update dracut/plymouth to a less tested version; I wouldn't expect it to be added to the main repo anytime soon. Something in -testing would be fine.

I debated whether to mark this as a feature or a bug; in the end I settled on bug because cryptsetup and /etc/crypttab are supposed to (as indicated in the man pages), and are expected to (by anyone reading the man pages), support these (and other) options.
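
As an added illustration (not part of the original report and not dracut's code), the POSIX shell functions below read all four crypttab fields and report how each mapping's key would be obtained, which is the information a two-field parse discards. The sample entries, the paths in them and the helper names `get_option` and `key_source` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: parse all four crypttab fields (name, device, key, options)
# rather than only the first two.

# Constructed sample crypttab; UUID, devices and paths are placeholders.
SAMPLE_CRYPTTAB='# <name> <device> <key> <options>
luks-root UUID=00000000-0000-0000-0000-000000000000 none luks
luks-data /dev/sdb1 /mnt/sdcard/data.key luks,timeout=10
luks-bak  /dev/sdc1 backup-key luks,keyscript=/usr/local/sbin/find-key.sh
luks-swap /dev/sdd1'

# get_option OPTIONS KEY: print the value of KEY=value from a
# comma-separated option list; return 1 if KEY is not present.
get_option() {
    rest="$1,"
    while [ -n "$rest" ]; do
        opt="${rest%%,*}"      # first option in the remaining list
        rest="${rest#*,}"      # drop it and its trailing comma
        case "$opt" in
            "$2"=*) printf '%s\n' "${opt#*=}"; return 0 ;;
        esac
    done
    return 1
}

# key_source NAME CRYPTTAB_TEXT: print how the key for mapping NAME is found.
#   passphrase             third field absent, "none" or "-"
#   keyfile:PATH           third field names a key file
#   keyscript:SCRIPT ARG   keyscript= option; the third field is its argument
key_source() {
    printf '%s\n' "$2" | while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$name" = "$1" ] || continue
        if script=$(get_option "$opts" keyscript); then
            echo "keyscript:$script $key"
        elif [ -z "$key" ] || [ "$key" = none ] || [ "$key" = - ]; then
            echo "passphrase"
        else
            echo "keyfile:$key"
        fi
    done
}

# Show the result for every mapping in the constructed sample.
for m in luks-root luks-data luks-bak luks-swap; do
    printf '%-10s %s\n' "$m" "$(key_source "$m" "$SAMPLE_CRYPTTAB")"
done
```

A parser that stops after the second field treats all four sample entries as passphrase prompts, which is the behaviour described in the report.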