From f8ea8307812b7d949954967f680b737c5a22ae78 Mon Sep 17 00:00:00 2001 From: Sam Lunt Date: Sun, 22 Dec 2019 11:57:01 -0600 Subject: [PATCH] In initramfs, do not prompt if keylocation is "file://" If the encryption key is stored in a file, the initramfs should not prompt for the password. For example, this could be the case if the boot partition is stored on removable media that is only present at boot time Signed-Off-By: Sam Lunt --- contrib/dracut/90zfs/zfs-load-key.sh.in | 19 +++++++++++++------ contrib/initramfs/scripts/zfs.in | 8 +++++++- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/contrib/dracut/90zfs/zfs-load-key.sh.in b/contrib/dracut/90zfs/zfs-load-key.sh.in index 88f43b6edc6..4e945f14abb 100755 --- a/contrib/dracut/90zfs/zfs-load-key.sh.in +++ b/contrib/dracut/90zfs/zfs-load-key.sh.in @@ -37,15 +37,22 @@ fi if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{print $1}'))" = 'active' ]; then # if the root dataset has encryption enabled ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}") + # where the key is stored (in a file or loaded via prompt) + KEYLOCATION=$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}") if ! [ "${ENCRYPTIONROOT}" = "-" ]; then KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")" # continue only if the key needs to be loaded [ "$KEYSTATUS" = "unavailable" ] || exit 0 - # decrypt them - TRY_COUNT=5 - while [ $TRY_COUNT -gt 0 ]; do - systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break - TRY_COUNT=$((TRY_COUNT - 1)) - done + # if key is stored in a file, do not prompt + if ! [ "${KEYLOCATION}" = "prompt" ]; then + zfs load-key "${ENCRYPTIONROOT}" + else + # decrypt them + TRY_COUNT=5 + while [ $TRY_COUNT -gt 0 ]; do + systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break + TRY_COUNT=$((TRY_COUNT - 1)) + done + fi fi fi diff --git a/contrib/initramfs/scripts/zfs.in b/contrib/initramfs/scripts/zfs.in index 4b04c4be4d4..9f2a0bf5a56 100644 --- a/contrib/initramfs/scripts/zfs.in +++ b/contrib/initramfs/scripts/zfs.in @@ -411,6 +411,7 @@ decrypt_fs() # Determine dataset that holds key for root dataset ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)" + KEYLOCATION="$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}")" # If root dataset is encrypted... if ! [ "${ENCRYPTIONROOT}" = "-" ]; then @@ -418,8 +419,13 @@ decrypt_fs() # Continue only if the key needs to be loaded [ "$KEYSTATUS" = "unavailable" ] || return 0 TRY_COUNT=3 + + # If keylocation is not "prompt", do not load key with a prompt helper + if ! [ "${KEYLOCATION}" = "prompt" ]; then + $ZFS load-key "${ENCRYPTIONROOT}" + # Prompt with plymouth, if active - if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then + elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then while [ $TRY_COUNT -gt 0 ]; do plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \ $ZFS load-key "${ENCRYPTIONROOT}" && break