[systemd-devel] Hiding systemd-cryptsetup password prompt

Sergio Arroutbi sarroutb at redhat.com
Thu Jun 6 17:42:10 UTC 2024


Hello Lennart. Thanks for your response. I did not express myself correctly.

On Thu, Jun 6, 2024 at 7:05 PM Lennart Poettering <lennart at poettering.net>
wrote:

> On Mi, 05.06.24 15:36, Sergio Arroutbi (sarroutb at redhat.com) wrote:
>
> > Hello. I have tried with headless=yes. The issue with this is that
> > systemd-cryptsetup ends, so I can not provide the password for decryption
> > through socket provided in /run/systemd/ask-password/sck.numbers
> >
> > I miss an option where systemd-cryptsetup is executed headless, but
> > continues running, without exiting.
> >
> > I have tried with keyfile=/dev/urandom and option=keyfile-size=600000,
> but
> > it is too quick. I also tried try-empty-password, but this is tried only
> > once.
> >
> > I am running out of ideas.
>
> Hmm, I am not sure I follow? So do you or do you not want cryptsetup
> ask for passwords via the ask-password agent stuff?
>

We are developing a PKCS11 plugin for Clevis
(https://github.com/latchset/clevis). Clevis allows automatic unlocking of
encrypted disks at boot by storing some information in the LUKS metadata.
To do so, it is executed in parallel to systemd-cryptsetup and, while the
password is prompted to the user (and the agent runs), Clevis provides the
key by writing to the systemd-cryptsetup ask-password socket.


>
> I initially thought you don't, but now you do?
>

Let me explain myself. What we want now is to disable the systemd-cryptenroll
password prompt at boot (as our software already asks for the PKCS11 PIN),
and provide the password as we are doing now, by using the socket provided
through the agent system. We just want systemd-cryptenroll to not ask for a
password in the boot console. I don't know if there is an option to disable
it, as using "headless" makes our software unable to communicate the PIN to
systemd-cryptenroll. I have tried using a "fake" keyfile (/dev/urandom) in
crypttab with the highest possible length, but systemd-cryptenroll ends. I
have also tried other crypttab options (such as retries, other timeouts,
etc.), with no luck.
Ideally, a mechanism to make systemd-cryptsetup wait for the password
through the agent (and not the console) would be enough.


>
> Or do you want to filter stuff, i.e. that
> systemd-ask-password-agent-tty only does its thing if asked for some
> passwords, but not for others?
>

According to api-password.h (systemd/src/shared/) you can provide
different options:

        ASK_PASSWORD_ACCEPT_CACHED = 1 << 0, /* read from kernel keyring */
        ...
        ASK_PASSWORD_NO_TTY        = 1 << 4, /* never ask for password on tty */
        ...
        ASK_PASSWORD_HEADLESS      = 1 << 9, /* headless mode: never query interactively */

So, using headless mode in crypttab should be the way, but it makes
systemd-cryptsetup exit, and we can not inject the password.


> if that's what you want, let's take a step back, what are you actually
> trying to do? Can you describe your scenario better?
>

I hope the previous description helps.


>
> Lennart
>
> --
> Lennart Poettering, Berlin
>
>
Thank you very much
-- 
Sergio Arroutbi Braojos
Senior Software Engineer at Red Hat - Special Projects (SECENGSP)
Red Hat <http://redhat.com>
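The mechanism Sergio describes (a helper that answers the systemd-cryptsetup
prompt by writing to the ask-password socket rather than the console) follows
systemd's documented password-agent protocol: each pending prompt is an
`ask.*` file under `/run/systemd/ask-password` with an `[Ask]` section
(`PID`, `Socket`, `Message`, `Id`, `NotAfter`), and an agent answers by
sending one datagram to that AF_UNIX socket, `+` followed by the password, or
`-` to cancel. The following is an added illustration of that exchange; it is
not Clevis code nor anything from the thread. The `demo()` function stands in
for systemd-cryptsetup by creating a constructed `ask.test` file and receiving
socket in a temporary directory, so the example runs unprivileged and offline;
against the real directory the agent must run as root, and the password
`hunter2` and the disk UUID are constructed sample values.

```python
import configparser
import os
import socket
import tempfile
import time

# Real location of the prompt files; the demo below uses a temporary directory
# so it can run without root and without a live systemd-cryptsetup.
ASK_DIR = "/run/systemd/ask-password"


def parse_ask_file(path):
    """Parse one ask.* file into a dict (fields as documented by systemd)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    ask = cp["Ask"]
    return {
        "pid": int(ask.get("PID", "0")),
        "socket": ask["Socket"],
        "message": ask.get("Message", ""),
        "id": ask.get("Id", ""),
        # microseconds on CLOCK_MONOTONIC; 0 means the prompt never expires
        "not_after": int(ask.get("NotAfter", "0")),
    }


def pid_alive(pid):
    """True if a process with this PID exists (signal 0 probes without killing)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def is_expired(entry, now_usec=None):
    """An agent must ignore prompts whose NotAfter deadline has passed."""
    if entry["not_after"] == 0:
        return False
    if now_usec is None:
        now_usec = int(time.clock_gettime(time.CLOCK_MONOTONIC) * 1_000_000)
    return now_usec >= entry["not_after"]


def pending_requests(ask_dir=ASK_DIR):
    """List live, unexpired prompts; stale files from dead askers are skipped."""
    out = []
    for name in sorted(os.listdir(ask_dir)):
        if not name.startswith("ask."):
            continue
        entry = parse_ask_file(os.path.join(ask_dir, name))
        if entry["pid"] and not pid_alive(entry["pid"]):
            continue
        if is_expired(entry):
            continue
        out.append(entry)
    return out


def answer(entry, secret):
    """Send the reply datagram: '+' + password accepts, b'-' cancels."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(entry["socket"])
        s.send(b"+" + secret)


def demo():
    """Stand in for systemd-cryptsetup with a constructed prompt, answer it,
    and return the datagram the asker received."""
    tmp = tempfile.mkdtemp()
    sock_path = os.path.join(tmp, "sck.1")
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as recv:
        recv.bind(sock_path)
        recv.settimeout(2)
        with open(os.path.join(tmp, "ask.test"), "w") as f:
            f.write(
                "[Ask]\n"
                f"PID={os.getpid()}\n"
                f"Socket={sock_path}\n"
                "NotAfter=0\n"
                "Message=Please enter passphrase for disk (constructed sample):\n"
                "Id=cryptsetup:/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000\n"
            )
        # Only answer prompts raised by systemd-cryptsetup, as the Id prefix tells us.
        for req in pending_requests(tmp):
            if req["id"].startswith("cryptsetup:"):
                answer(req, b"hunter2")  # constructed sample password
        return recv.recv(4096)


if __name__ == "__main__":
    print(demo())
```

The Id prefix check is what keeps such a helper from answering unrelated prompts
(the filtering Lennart asks about); the PID and NotAfter checks avoid writing a
secret to a socket whose asker has already gone away.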