[systemd-devel] Thoughts about /etc/crypttab keyscript options

Lennart Poettering lennart at poettering.net
Thu Aug 14 10:44:59 PDT 2014

On Mon, 21.07.14 10:46, Marc Haber (mh+systemd-devel at zugschlus.de) wrote:


> I have read the thread (from 2012?) where those things were discussed
> here and I understand that I should replace my keyscript with a
> passwort agent. Things would then work like this:

There's currently no streamlined support for stacking password questions
really. You currently cannot "take possession" of specific password

Also note that we really should redesign the entire scheme around the
kernel keyring as only transport for the keys (and the bus for
signalling). I am a bit conservative in changing here too much for now,
because we really should figure out that bit first.

> (4)
> My PasswordAgent indicates taking responsibility by unlinking the
> ask.xxx file from /run/systemd/ask-password. The interactive password

Well, so far it is the querier that removes the file, not the agent...

> agents will remove their interactive requests then. The user will
> therefore see the password request popping up for a very short period
> of time, if at all.
> (5)
> Should my PasswordAgent need a password to act itself (like a PIN for
> a hardware device, for example), it would place its own ask.xxx file
> in /run/systemd/ask-password. The interactive PasswordAgents would
> act on that, obtain the password/PIN interactively from the user and
> return it to my PasswordAgent.
> (6)
> My PasswordAgent would then obtain the password for the file system
> itself and return it to systemd which can now proceed to unlock the
> file system.
> Am I understanding things correctly so far?

Yes, this should indeed work.

> If so, this leaves the task to write "my" PasswordAgent. I have found
> some example code in python for a password agent.
> To use this to unlock the root fs, an entire python installation would
> need to go in my initramfs, right? And if I want to keep things
> simple, the best idea would be to write my PasswordAgent in a compiled
> language which would only need the binary and its libs in the
> initramfs, right?

Yes. Correct. If you want to stick something into the initrd, I'd always
do things in C (or shell if you must), but nothing else.

> Is there code for an example PasswordAgent in C++ which I can use as a
> template? I am quite reluctant to write a program which needs to to
> complex string processing and is bound to run as root in C because my
> C experience is somewhat lacking.

Not aware of an C++ code. There's a vala one, and of course the one we
ship in systemd itself in C, but c++ i cannot help you with, sorry.

> Can you please recommend a way to allow me to migrate to systemd?
> Without keyscript= being supported in /etc/crypttab, I need to replace
> my 50 line key script written in POSIX shell and would like to keep
> things simple.
> Thank you very much for your consideration.

I fear I don#t have an easy suggestion. What kind of device do you
actually want to make work here? some smartcard or so?

I think in the long run we should somehow work towards the direction to
make things like that just work, for common devices like smartcards and
other auth tokens...


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list