authorsam-lunt <[email protected]>2019-12-26 12:55:20 -0600
committerBrian Behlendorf <[email protected]>2019-12-26 10:55:20 -0800
commitad353e214798619ef4244f84325eb48d8b1afdab (patch)
treea04f8d895a8c32425b4cf1ae51bd6e13af6951f6 /contrib
parent8cda5c5ce9dfd26591fa26b7be17347ef6091250 (diff)
In initramfs, do not prompt if keylocation is "file://"
If the encryption key is stored in a file, the initramfs should not prompt for the password. For example, this could be the case if the boot partition is stored on removable media that is only present at boot time. Reviewed-by: Brian Behlendorf <[email protected]> Reviewed-by: Garrett Fields <[email protected]> Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Kjeld Schouten <[email protected]> Signed-off-by: Sam Lunt <[email protected]> Closes #9764
Diffstat (limited to 'contrib')
-rwxr-xr-xcontrib/dracut/90zfs/zfs-load-key.sh.in19
-rw-r--r--contrib/initramfs/scripts/zfs.in8
2 files changed, 20 insertions, 7 deletions
diff --git a/contrib/dracut/90zfs/zfs-load-key.sh.in b/contrib/dracut/90zfs/zfs-load-key.sh.in
index 88f43b6ed..4e945f14a 100755
--- a/contrib/dracut/90zfs/zfs-load-key.sh.in
+++ b/contrib/dracut/90zfs/zfs-load-key.sh.in
@@ -37,15 +37,22 @@ fi
if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{print $1}'))" = 'active' ]; then
# if the root dataset has encryption enabled
ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
+ # where the key is stored (in a file or loaded via prompt)
+ KEYLOCATION=$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}")
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
# continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || exit 0
- # decrypt them
- TRY_COUNT=5
- while [ $TRY_COUNT -gt 0 ]; do
- systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
- TRY_COUNT=$((TRY_COUNT - 1))
- done
+ # if key is stored in a file, do not prompt
+ if ! [ "${KEYLOCATION}" = "prompt" ]; then
+ zfs load-key "${ENCRYPTIONROOT}"
+ else
+ # decrypt them
+ TRY_COUNT=5
+ while [ $TRY_COUNT -gt 0 ]; do
+ systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
+ TRY_COUNT=$((TRY_COUNT - 1))
+ done
+ fi
fi
fi
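Review bot: The new `KEYLOCATION` lookup on line 27 runs `${ZFS} get`, while every other command in this hunk (lines 25, 29, 40, 45) invokes `zfs` directly; unless `ZFS` is assigned earlier in this script, which is not visible here, the expansion is empty, the `get` fails, `KEYLOCATION` ends up empty and the new `if` on line 39 always takes the non-prompt path, so a passphrase-protected root would never be asked for. I would write it as `KEYLOCATION=$(zfs get -H -o value keylocation "${ENCRYPTIONROOT}")` to match the rest of the file. The non-prompt branch on line 40 also discards the exit status of `zfs load-key`, so a missing or unreadable key file (exactly the removable-media case the commit describes) is silently skipped and only surfaces later when the root fails to mount; at minimum report it, e.g. `zfs load-key "${ENCRYPTIONROOT}" || echo "zfs-load-key: failed to load key for ${ENCRYPTIONROOT} from ${KEYLOCATION}" >&2`. Lastly, the lookup runs before the `"${ENCRYPTIONROOT}" = "-"` check on line 28, so for an unencrypted root it presumably queries a dataset literally named `-`; moving the assignment inside that `if` avoids the spurious call.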
diff --git a/contrib/initramfs/scripts/zfs.in b/contrib/initramfs/scripts/zfs.in
index 4b04c4be4..4bbdf53a7 100644
--- a/contrib/initramfs/scripts/zfs.in
+++ b/contrib/initramfs/scripts/zfs.in
@@ -411,6 +411,7 @@ decrypt_fs()
# Determine dataset that holds key for root dataset
ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
+ KEYLOCATION="$(get_fs_value "${ENCRYPTIONROOT}" keylocation)"
# If root dataset is encrypted...
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
@@ -418,8 +419,13 @@ decrypt_fs()
# Continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || return 0
TRY_COUNT=3
+
+ # If key is stored in a file, do not prompt
+ if ! [ "${KEYLOCATION}" = "prompt" ]; then
+ $ZFS load-key "${ENCRYPTIONROOT}"
+
# Prompt with plymouth, if active
- if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
+ elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
while [ $TRY_COUNT -gt 0 ]; do
plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
$ZFS load-key "${ENCRYPTIONROOT}" && break
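Review bot: The new non-prompt branch on line 68 drops the exit status of `$ZFS load-key`, so when the key file is absent or unreadable `decrypt_fs` carries on as if the key had been loaded and the failure only shows up later at mount time, whereas the prompt branches at least retry via `TRY_COUNT`. Consider `$ZFS load-key "${ENCRYPTIONROOT}" || echo "Failed to load key for ${ENCRYPTIONROOT} from ${KEYLOCATION}" >&2`, or, for passphrase-format keys, falling through to the interactive branches (`$ZFS load-key -L prompt` would let them override the file location), though that would mean restructuring the `elif` chain. `TRY_COUNT=3` on line 64 is now also assigned on the non-prompt path where it is unused, which is harmless but could move into the prompt branches. The `elif` on line 72 continues a chain whose remaining branches and the end of `decrypt_fs` lie outside this hunk.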