In initramfs, do not prompt if keylocation is "file://"

If the encryption key is stored in a file, the initramfs should not
prompt for the password. For example, this could be the case if the boot
partition is stored on removable media that is only present at boot time

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Garrett Fields <ghfields@gmail.com>
Reviewed-by: Richard Laager <rlaager@wiktel.com>
Reviewed-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
Signed-off-by: Sam Lunt <samuel.j.lunt@gmail.com>
Closes #9764
This commit is contained in:
sam-lunt 2019-12-26 12:55:20 -06:00 committed by Tony Hutter
parent 0d55a0957f
commit 5b8f560713
2 changed files with 20 additions and 7 deletions

View File

@ -37,10 +37,16 @@ fi
if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{print $1}'))" = 'active' ]; then if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{print $1}'))" = 'active' ]; then
# if the root dataset has encryption enabled # if the root dataset has encryption enabled
ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}") ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
# where the key is stored (in a file or loaded via prompt)
KEYLOCATION=$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}")
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")" KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
# continue only if the key needs to be loaded # continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || exit 0 [ "$KEYSTATUS" = "unavailable" ] || exit 0
# if key is stored in a file, do not prompt
if ! [ "${KEYLOCATION}" = "prompt" ]; then
zfs load-key "${ENCRYPTIONROOT}"
else
# decrypt them # decrypt them
TRY_COUNT=5 TRY_COUNT=5
while [ $TRY_COUNT -gt 0 ]; do while [ $TRY_COUNT -gt 0 ]; do
@ -49,3 +55,4 @@ if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{prin
done done
fi fi
fi fi
fi

View File

@ -411,6 +411,7 @@ decrypt_fs()
# Determine dataset that holds key for root dataset # Determine dataset that holds key for root dataset
ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)" ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
KEYLOCATION="$(get_fs_value "${ENCRYPTIONROOT}" keylocation)"
# If root dataset is encrypted... # If root dataset is encrypted...
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
@ -418,8 +419,13 @@ decrypt_fs()
# Continue only if the key needs to be loaded # Continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || return 0 [ "$KEYSTATUS" = "unavailable" ] || return 0
TRY_COUNT=3 TRY_COUNT=3
# If key is stored in a file, do not prompt
if ! [ "${KEYLOCATION}" = "prompt" ]; then
$ZFS load-key "${ENCRYPTIONROOT}"
# Prompt with plymouth, if active # Prompt with plymouth, if active
if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
while [ $TRY_COUNT -gt 0 ]; do while [ $TRY_COUNT -gt 0 ]; do
plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \ plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
$ZFS load-key "${ENCRYPTIONROOT}" && break $ZFS load-key "${ENCRYPTIONROOT}" && break