In initramfs, do not prompt if keylocation is "file://"
If the encryption key is stored in a file, the initramfs should not prompt for the password. For example, this could be the case if the boot partition is stored on removable media that is only present at boot time. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Garrett Fields <ghfields@gmail.com> Reviewed-by: Richard Laager <rlaager@wiktel.com> Reviewed-by: Kjeld Schouten <kjeld@schouten-lebbing.nl> Signed-off-by: Sam Lunt <samuel.j.lunt@gmail.com> Closes #9764
This commit is contained in:
parent
0d55a0957f
commit
5b8f560713
@ -37,15 +37,22 @@ fi
|
|||||||
if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{print $1}'))" = 'active' ]; then
|
if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{print $1}'))" = 'active' ]; then
|
||||||
# if the root dataset has encryption enabled
|
# if the root dataset has encryption enabled
|
||||||
ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
|
ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
|
||||||
|
# where the key is stored (in a file or loaded via prompt)
|
||||||
|
KEYLOCATION=$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}")
|
||||||
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
||||||
KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
|
KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
|
||||||
# continue only if the key needs to be loaded
|
# continue only if the key needs to be loaded
|
||||||
[ "$KEYSTATUS" = "unavailable" ] || exit 0
|
[ "$KEYSTATUS" = "unavailable" ] || exit 0
|
||||||
# decrypt them
|
# if key is stored in a file, do not prompt
|
||||||
TRY_COUNT=5
|
if ! [ "${KEYLOCATION}" = "prompt" ]; then
|
||||||
while [ $TRY_COUNT -gt 0 ]; do
|
zfs load-key "${ENCRYPTIONROOT}"
|
||||||
systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
|
else
|
||||||
TRY_COUNT=$((TRY_COUNT - 1))
|
# decrypt them
|
||||||
done
|
TRY_COUNT=5
|
||||||
|
while [ $TRY_COUNT -gt 0 ]; do
|
||||||
|
systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
|
||||||
|
TRY_COUNT=$((TRY_COUNT - 1))
|
||||||
|
done
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
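Review bot: The added line `KEYLOCATION=$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}")` is the only place in this hunk that invokes `${ZFS}`; the neighbouring `zfs get`, `zfs load-key` and `zpool list` calls use the bare command name. If `ZFS` is not defined in this script, the substitution yields an empty `KEYLOCATION`, and because the new branch tests `! [ "${KEYLOCATION}" = "prompt" ]`, every encrypted root would take the non-interactive path and the passphrase prompt would never appear, so the line should read `KEYLOCATION=$(zfs get -H -o value keylocation "${ENCRYPTIONROOT}")` (or all sibling calls should be switched to `${ZFS}` consistently). The non-interactive branch also discards the exit status of `zfs load-key`, so a missing or unreadable key file fails silently here and only surfaces at mount time; `zfs load-key "${ENCRYPTIONROOT}" || echo "Failed to load key for ${ENCRYPTIONROOT} from ${KEYLOCATION}" >&2` would make the cause visible in the boot log. The comment `# if key is stored in a file, do not prompt` is narrower than the test, which skips prompting for any keylocation value other than `prompt`.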
|
@ -411,6 +411,7 @@ decrypt_fs()
|
|||||||
|
|
||||||
# Determine dataset that holds key for root dataset
|
# Determine dataset that holds key for root dataset
|
||||||
ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
|
ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
|
||||||
|
KEYLOCATION="$(get_fs_value "${ENCRYPTIONROOT}" keylocation)"
|
||||||
|
|
||||||
# If root dataset is encrypted...
|
# If root dataset is encrypted...
|
||||||
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
||||||
@ -418,8 +419,13 @@ decrypt_fs()
|
|||||||
# Continue only if the key needs to be loaded
|
# Continue only if the key needs to be loaded
|
||||||
[ "$KEYSTATUS" = "unavailable" ] || return 0
|
[ "$KEYSTATUS" = "unavailable" ] || return 0
|
||||||
TRY_COUNT=3
|
TRY_COUNT=3
|
||||||
|
|
||||||
|
# If key is stored in a file, do not prompt
|
||||||
|
if ! [ "${KEYLOCATION}" = "prompt" ]; then
|
||||||
|
$ZFS load-key "${ENCRYPTIONROOT}"
|
||||||
|
|
||||||
# Prompt with plymouth, if active
|
# Prompt with plymouth, if active
|
||||||
if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
|
elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
|
||||||
while [ $TRY_COUNT -gt 0 ]; do
|
while [ $TRY_COUNT -gt 0 ]; do
|
||||||
plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
|
plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
|
||||||
$ZFS load-key "${ENCRYPTIONROOT}" && break
|
$ZFS load-key "${ENCRYPTIONROOT}" && break
|
||||||
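Review bot: In the new `if ! [ "${KEYLOCATION}" = "prompt" ]` branch, `$ZFS load-key "${ENCRYPTIONROOT}"` runs once with no retry and its exit status is dropped, unlike the plymouth path which retries under `TRY_COUNT`; when the key file is unavailable (for instance the removable media described in the commit message is not present) nothing is reported and `decrypt_fs` presumably carries on, since its body runs past the end of the hunk. A one-line diagnostic such as `$ZFS load-key "${ENCRYPTIONROOT}" || echo "Failed to load key for ${ENCRYPTIONROOT} from ${KEYLOCATION}" >&2` would make the cause visible in the initramfs output. The `if`/`elif` chain continues outside the hunk, so any fallback (such as prompting when the file cannot be read) would belong in those lines. The hunk at `@ -411,6 +411,7` only adds the `KEYLOCATION` lookup and is consistent with the surrounding `get_fs_value` usage.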
|