[systemd-devel] Thoughts about /etc/crypttab keyscript options

Marc Haber mh+systemd-devel at zugschlus.de
Mon Jul 21 01:46:21 PDT 2014


I was recently bitten by the issue that systemd does not support the
keyscript= option in /etc/crypttab. I don't know whether keyscript= is
a Debian extension, but the migration to systemd (which was pulled in
by some new version of - I think - Network Manager) broke my system's
boot process, leaving me with all my filesystems locked since already
the root fs used to be unlocked by a keyscript.

I have read the thread (from 2012?) where those things were discussed
here and I understand that I should replace my keyscript with a
passwort agent. Things would then work like this:

systemd would try to unlock the root file system and place a ask.xxx
file in /run/systemd/ask-password

All running PasswordAgents (including my, non-interactive one and
all interactive ones) would act on that ask.xxx file.

The interactive password agents would present an interactive password

My PasswordAgent indicates taking responsibility by unlinking the
ask.xxx file from /run/systemd/ask-password. The interactive password
agents will remove their interactive requests then. The user will
therefore see the password request popping up for a very short period
of time, if at all.

Should my PasswordAgent need a password to act itself (like a PIN for
a hardware device, for example), it would place its own ask.xxx file
in /run/systemd/ask-password. The interactive PasswordAgents would
act on that, obtain the password/PIN interactively from the user and
return it to my PasswordAgent.

My PasswordAgent would then obtain the password for the file system
itself and return it to systemd which can now proceed to unlock the
file system.

Am I understanding things correctly so far?

If so, this leaves the task to write "my" PasswordAgent. I have found
some example code in python for a password agent.

To use this to unlock the root fs, an entire python installation would
need to go in my initramfs, right? And if I want to keep things
simple, the best idea would be to write my PasswordAgent in a compiled
language which would only need the binary and its libs in the
initramfs, right?

Is there code for an example PasswordAgent in C++ which I can use as a
template? I am quite reluctant to write a program which needs to to
complex string processing and is bound to run as root in C because my
C experience is somewhat lacking.

Can you please recommend a way to allow me to migrate to systemd?
Without keyscript= being supported in /etc/crypttab, I need to replace
my 50 line key script written in POSIX shell and would like to keep
things simple.

Thank you very much for your consideration.


Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062

More information about the systemd-devel mailing list