Merge pull request #2769 from OSInside/fix_restore_of_keyfile

Fixed restore of keyfile after reencryption

Author: schaefi

build-tests/x86/tumbleweed/test-image-luks/appliance.kiwi

@@ -48,7 +48,7 @@
         </type>
     </preferences>
     <preferences profiles="ReEncryptExtraBootWithPass">
-        <type image="oem" filesystem="ext4" kernelcmdline="console=ttyS0 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet" firmware="uefi" luks="linux" luks_version="luks2" luks_pbkdf="pbkdf2" bootpartition="true">
+        <type image="oem" filesystem="ext4" kernelcmdline="console=ttyS0 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet" firmware="uefi" luks="random" luks_version="luks2" luks_pbkdf="pbkdf2" bootpartition="true">
             <luksformat>
                 <option name="--cipher" value="aes-xts-plain64"/>
                 <option name="--key-size" value="256"/>

dracut/modules.d/99kiwi-lib/kiwi-luks-lib.sh

@@ -81,8 +81,8 @@ function reencrypt_luks {
             "${device}" 2>&1 | sed -u 's/.* \([0-9]*\)[0-9.]*%.*/\1/'
         ) >"${progress}" &
         run_progress_dialog "${load_text}" "${title_text}"
-        if [ -e "${keyfile}" ];then
-            # re-add keyfile if present
+        if [ -e "${keyfile}" ] && [ ! -e "${new_keyfile}" ];then
+            # re-add keyfile if present and no other keyfile was created
             cryptsetup --key-file "${passphrase_file}" luksAddKey \
                 "${device}" "${keyfile}"
         fi