Skip loading already loaded key

Don't ask for the password / try to load the key if the key for the
encryptionroot is already loaded.  The user might have loaded the key
manually or by other means before the scripts get called.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Tom Caputi <tcaputi@datto.com>
Reviewed-by: Richard Laager <rlaager@wiktel.com>
Signed-off-by: Witaut Bajaryn <vitaut.bayaryn@gmail.com>
Closes #9495
Closes #9529
This commit is contained in:
Witaut Bajaryn 2019-11-08 23:34:07 +01:00 committed by Tony Hutter
parent 1253fcc70a
commit 618206c0b9
4 changed files with 17 additions and 5 deletions

View File

@ -62,11 +62,15 @@ if import_pool "${ZFS_POOL}" ; then
# if the root dataset has encryption enabled # if the root dataset has encryption enabled
ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${ZFS_DATASET}")" ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${ZFS_DATASET}")"
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
# decrypt them KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
ask_for_password \ # if the key needs to be loaded
--tries 5 \ if [ "$KEYSTATUS" = "unavailable" ]; then
--prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \ # decrypt them
--cmd "zfs load-key '${ENCRYPTIONROOT}'" ask_for_password \
--tries 5 \
--prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \
--cmd "zfs load-key '${ENCRYPTIONROOT}'"
fi
fi fi
fi fi
# Let us tell the initrd to run on shutdown. # Let us tell the initrd to run on shutdown.

View File

@ -38,6 +38,9 @@ if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{prin
# if the root dataset has encryption enabled # if the root dataset has encryption enabled
ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}") ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
# continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || exit 0
# decrypt them # decrypt them
TRY_COUNT=5 TRY_COUNT=5
while [ $TRY_COUNT -gt 0 ]; do while [ $TRY_COUNT -gt 0 ]; do

View File

@ -414,6 +414,9 @@ decrypt_fs()
# If root dataset is encrypted... # If root dataset is encrypted...
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
KEYSTATUS="$(${ZFS} get -H -o value keystatus "${ENCRYPTIONROOT}")"
# Continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || return 0
TRY_COUNT=3 TRY_COUNT=3
# Prompt with plymouth, if active # Prompt with plymouth, if active
if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then

View File

@ -182,6 +182,8 @@ process_line() {
keyloadcmd="@sbindir@/zfs load-key '${dataset}'" keyloadcmd="@sbindir@/zfs load-key '${dataset}'"
elif [ "${p_keyloc}" = "prompt" ] ; then elif [ "${p_keyloc}" = "prompt" ] ; then
keyloadcmd="sh -c 'set -eu;"\ keyloadcmd="sh -c 'set -eu;"\
"keystatus=\"\$\$(@sbindir@/zfs get -H -o value keystatus \"${dataset}\")\";"\
"[ \"\$\$keystatus\" = \"unavailable\" ] || exit 0;"\
"count=0;"\ "count=0;"\
"while [ \$\$count -lt 3 ];do"\ "while [ \$\$count -lt 3 ];do"\
" systemd-ask-password --id=\"zfs:${dataset}\""\ " systemd-ask-password --id=\"zfs:${dataset}\""\