[systemd-devel] trying to hook into the luks crypt function in initramfs
Lennart Poettering
lennart at poettering.net
Fri Jul 13 14:42:49 UTC 2018
On Fr, 06.07.18 01:25, Ratliff, John (jdratlif at iu.edu) wrote:
> I'd like to be able to unlock my luks encrypted drive (lvm -
> including the root partition) with a USB key, but if the USB key is
> not present, still ask for a passphrase.
>
> I'm not clear on how systemd does the unlock during boot, but it
> seems that Fedora 28 and CentOS/RHEL 7 both use systemd for this
> task. Where would I look to change the behavior to do what I'm
> looking for?
>
> In Debian/Ubuntu, there is a keyscript file that gets put into the
> initramfs, but I don't think theirs is systemd based. Arch has a
> similar method with a hook, but I've only used it with the
> non-systemd initramfs. Fedora has a crypt module, but I have to
> disable systemd or it won't work. I'm not sure what systemd is doing
> in the initramfs, so I'm not sure if I want to disable that module
> or not. I'm hoping there's a better way to interact with systemd.
systemd does not support keyscript, and there are no plans to add
this.
There's currently no easy way to do what you are trying to do, and
deal with the races inherent to the idea (i.e. the device the LUKS
volume is on might appear earlier or later than the USB key, hence
there must be a way).
My recommendation would be to hack up a small tool implementing this
concept:
https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
Such a tool would look for the USB key as soon as the password is
queried, and supply it to the querier instantly.
Lennart
--
Lennart Poettering, Red Hat
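The kind of agent Lennart describes, as an added example that is not part of this thread or of systemd's own code: it watches the ask-password directory defined by the Password Agents spec, and when a request appears it keeps polling for the USB key until the key turns up or the request goes away, which covers the race where the key appears after the LUKS volume. KEYFILE (the mounted USB key path) is an assumption, and the key must be enrolled as a NUL-free passphrase because the agent protocol carries a string, not a binary keyfile.

```python
import configparser, os, socket, time

ASK_DIR = "/run/systemd/ask-password"        # fixed by the Password Agents spec
KEYFILE = "/run/media/luks-usb/luks.key"      # assumption: where the USB key is mounted

def parse_ask_file(text):
    """Fields an agent needs from the [Ask] section of an ask.* file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    ask = cp["Ask"]
    return {"pid": int(ask["PID"]), "socket": ask["Socket"],
            "message": ask.get("Message", ""), "not_after": int(ask.get("NotAfter", "0"))}

def build_reply(key):
    """Datagram payload: '+' then the NUL-terminated passphrase, or '-' if none is available."""
    return b"-" if key is None else b"+" + key + b"\0"

def read_usb_key(path=KEYFILE):
    """Passphrase bytes, sent exactly as stored (so enrol it that way), or None if absent."""
    try:
        with open(path, "rb") as f:
            key = f.read()
    except OSError:
        return None
    return key if key and b"\0" not in key else None

def answer_request(path, key_path=KEYFILE, poll=0.5):
    """Poll for the USB key while the request is pending, so a late-appearing key is still used."""
    with open(path) as f:
        req = parse_ask_file(f.read())
    while os.path.exists(path) and os.path.exists(f"/proc/{req['pid']}"):  # querier still alive?
        now_usec = time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000
        if req["not_after"] and now_usec > req["not_after"]:
            return False                                   # request expired
        key = read_usb_key(key_path)
        if key is not None:
            with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
                s.sendto(build_reply(key), req["socket"])  # systemd only accepts replies from root
            return True
        time.sleep(poll)
    return False   # request withdrawn (e.g. passphrase typed at the console); nothing sent

if __name__ == "__main__":   # minimal watcher; inotify on ASK_DIR would avoid the polling
    seen = set()
    while True:
        for name in os.listdir(ASK_DIR):
            if name.startswith("ask.") and name not in seen:   # tmp.* files are still being written
                seen.add(name)
                answer_request(os.path.join(ASK_DIR, name))
        time.sleep(0.5)
```

If the key is absent the agent sends nothing, so the regular console agent still prompts for the passphrase, which is the fallback the original question asked for.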