mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2024-12-25 18:59:33 +03:00
Skip loading already loaded key
Don't ask for the password / try to load the key if the key for the encryptionroot is already loaded. The user might have loaded the key manually or by other means before the scripts get called. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Tom Caputi <tcaputi@datto.com> Reviewed-by: Richard Laager <rlaager@wiktel.com> Signed-off-by: Witaut Bajaryn <vitaut.bayaryn@gmail.com> Closes #9495 Closes #9529
This commit is contained in:
parent
1253fcc70a
commit
618206c0b9
@ -62,11 +62,15 @@ if import_pool "${ZFS_POOL}" ; then
|
|||||||
# if the root dataset has encryption enabled
|
# if the root dataset has encryption enabled
|
||||||
ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${ZFS_DATASET}")"
|
ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${ZFS_DATASET}")"
|
||||||
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
||||||
# decrypt them
|
KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
|
||||||
ask_for_password \
|
# if the key needs to be loaded
|
||||||
--tries 5 \
|
if [ "$KEYSTATUS" = "unavailable" ]; then
|
||||||
--prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \
|
# decrypt them
|
||||||
--cmd "zfs load-key '${ENCRYPTIONROOT}'"
|
ask_for_password \
|
||||||
|
--tries 5 \
|
||||||
|
--prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \
|
||||||
|
--cmd "zfs load-key '${ENCRYPTIONROOT}'"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# Let us tell the initrd to run on shutdown.
|
# Let us tell the initrd to run on shutdown.
|
||||||
|
@ -38,6 +38,9 @@ if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{prin
|
|||||||
# if the root dataset has encryption enabled
|
# if the root dataset has encryption enabled
|
||||||
ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
|
ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
|
||||||
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
||||||
|
KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
|
||||||
|
# continue only if the key needs to be loaded
|
||||||
|
[ "$KEYSTATUS" = "unavailable" ] || exit 0
|
||||||
# decrypt them
|
# decrypt them
|
||||||
TRY_COUNT=5
|
TRY_COUNT=5
|
||||||
while [ $TRY_COUNT -gt 0 ]; do
|
while [ $TRY_COUNT -gt 0 ]; do
|
||||||
|
@ -414,6 +414,9 @@ decrypt_fs()
|
|||||||
|
|
||||||
# If root dataset is encrypted...
|
# If root dataset is encrypted...
|
||||||
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
||||||
|
KEYSTATUS="$(${ZFS} get -H -o value keystatus "${ENCRYPTIONROOT}")"
|
||||||
|
# Continue only if the key needs to be loaded
|
||||||
|
[ "$KEYSTATUS" = "unavailable" ] || return 0
|
||||||
TRY_COUNT=3
|
TRY_COUNT=3
|
||||||
# Prompt with plymouth, if active
|
# Prompt with plymouth, if active
|
||||||
if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
|
if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
|
||||||
|
@ -182,6 +182,8 @@ process_line() {
|
|||||||
keyloadcmd="@sbindir@/zfs load-key '${dataset}'"
|
keyloadcmd="@sbindir@/zfs load-key '${dataset}'"
|
||||||
elif [ "${p_keyloc}" = "prompt" ] ; then
|
elif [ "${p_keyloc}" = "prompt" ] ; then
|
||||||
keyloadcmd="sh -c 'set -eu;"\
|
keyloadcmd="sh -c 'set -eu;"\
|
||||||
|
"keystatus=\"\$\$(@sbindir@/zfs get -H -o value keystatus \"${dataset}\")\";"\
|
||||||
|
"[ \"\$\$keystatus\" = \"unavailable\" ] || exit 0;"\
|
||||||
"count=0;"\
|
"count=0;"\
|
||||||
"while [ \$\$count -lt 3 ];do"\
|
"while [ \$\$count -lt 3 ];do"\
|
||||||
" systemd-ask-password --id=\"zfs:${dataset}\""\
|
" systemd-ask-password --id=\"zfs:${dataset}\""\
|
||||||
|
Loading…
Reference in New Issue
Block a user