

In initramfs, do not prompt if keylocation is "file://"
If the encryption key is stored in a file, the initramfs should not
prompt for the password. For example, this could be the case if the boot
partition is stored on removable media that is only present at boot time.

Signed-off-by: Sam Lunt <samuel.j.lunt@gmail.com>
sam-lunt committed Dec 23, 2019
1 parent 54aefa6 commit ba92a8a
Showing 2 changed files with 20 additions and 7 deletions.
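--- a/contrib/dracut/90zfs/zfs-load-key.sh.in
+++ b/contrib/dracut/90zfs/zfs-load-key.sh.in
@@ -37,15 +37,22 @@ fi
 if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{print $1}'))" = 'active' ]; then
 # if the root dataset has encryption enabled
 ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
+# where the key is stored (in a file or loaded via prompt)
+KEYLOCATION=$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}")
 if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
 KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
 # continue only if the key needs to be loaded
 [ "$KEYSTATUS" = "unavailable" ] || exit 0
-# decrypt them
-TRY_COUNT=5
-while [ $TRY_COUNT -gt 0 ]; do
-systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
-TRY_COUNT=$((TRY_COUNT - 1))
-done
+# if key is stored in a file, do not prompt
+if ! [ "${KEYLOCATION}" = "prompt" ]; then
+zfs load-key "${ENCRYPTIONROOT}"
+else
+# decrypt them
+TRY_COUNT=5
+while [ $TRY_COUNT -gt 0 ]; do
+systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
+TRY_COUNT=$((TRY_COUNT - 1))
+done
+fi
 fi
 fi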
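Review bot: The new `KEYLOCATION=$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}")` line is the only call in this hunk that goes through `${ZFS}`; the neighbouring `zpool list`, `zfs get` and `zfs load-key` calls use the bare command, and if `ZFS` is not set in this dracut script (I cannot see its head) the substitution yields an empty `KEYLOCATION`, which the `!= "prompt"` test then treats as a file-backed key and silently skips the password prompt. Using `KEYLOCATION=$(zfs get -H -o value keylocation "${ENCRYPTIONROOT}")` keeps it consistent with the rest of the file. The lookup also runs before the `"${ENCRYPTIONROOT}" = "-"` guard, so an unencrypted root dataset produces a `zfs get ... -` error on every boot; moving the assignment under that `if` avoids it, and the same ordering appears in the contrib/initramfs/scripts/zfs.in hunk. Finally, the non-prompt branch ignores the exit status of `zfs load-key`, so a missing or unreadable key file (the removable-media case from the description) fails without any message and boot continues until the mount fails; `zfs load-key "${ENCRYPTIONROOT}" || exit 1`, or falling into the prompt loop on failure, would surface it.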
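--- a/contrib/initramfs/scripts/zfs.in
+++ b/contrib/initramfs/scripts/zfs.in
@@ -411,15 +411,21 @@ decrypt_fs()
 
 # Determine dataset that holds key for root dataset
 ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
+KEYLOCATION="$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}")"
 
 # If root dataset is encrypted...
 if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
 KEYSTATUS="$(get_fs_value "${ENCRYPTIONROOT}" keystatus)"
 # Continue only if the key needs to be loaded
 [ "$KEYSTATUS" = "unavailable" ] || return 0
 TRY_COUNT=3
+
+# If keylocation is not "prompt", do not load key with a prompt helper
+if ! [ "${KEYLOCATION}" = "prompt" ]; then
+$ZFS load-key "${ENCRYPTIONROOT}"
+
 # Prompt with plymouth, if active
-if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
+elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
 while [ $TRY_COUNT -gt 0 ]; do
 plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
 $ZFS load-key "${ENCRYPTIONROOT}" && break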
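Review bot: `$ZFS load-key "${ENCRYPTIONROOT}"` in the new non-prompt branch discards its exit status, whereas the plymouth branch right below it retries up to `TRY_COUNT` times and only stops on success, so a key file that is absent or unreadable at boot (the removable-media case the description mentions) leaves the dataset locked with no diagnostic from this branch. Capturing the status, e.g. `$ZFS load-key "${ENCRYPTIONROOT}" || echo "Failed to load key from ${KEYLOCATION}" >&2`, or falling through to the prompt helpers when the file-backed load fails, would make the failure visible. decrypt_fs starts before this hunk and continues after it, so whether a later keystatus check catches the failure cannot be confirmed from here. The `KEYLOCATION` lookup is also placed before the `"${ENCRYPTIONROOT}" = "-"` guard, so it runs `zfs get keylocation -` for an unencrypted root; moving it inside the `if` avoids that.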

