#1 2012-12-26 17:58:00

bsdard
Member
From: Surrey, UK
Registered: 2011-01-22
Posts: 15

Luks + gpg encrypted key + systemd = lots of pain

Hi there,

Basically I need to ask for a password interactively during the boot cycle. I've got a gpg encrypted file with a key, that needs to be decrypted and passed to luks during the boot process.
Before switching to systemd it was all nice - I just ran all I needed in rc.local (as simple as this). Now with systemd, I simply cannot make the system ask for a password during the boot cycle to pass the password to GPG to decrypt the key.
Did anyone have any experience with similar setups, and what was wrong with init anyway? I find systemd error-prone and way too complicated (e.g. reading a whole lot of not well written documentation every time I need to change something in the system sounds scary) - I always need to look up some command, while I have long BSD/Linux experience and appreciated the simplicity (hence the ArchLinux), but it looks like things have changed and arch is becoming rather "more" than "less" :( Oh well...

How to make password prompt work and pass it to a mount script?

Here is what I came up with so far. It works when I run systemctl start luks, but does not work when enabled during boot.
[Unit]
Description=Mount LUKS
Before= I need to run password prompt here (console) and then pass it to the script - is it possible? Obviously running systemd-ask-password from luks.sh does not work. Running it all from rc.local does not work either.

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/luks.sh  # systemd-ask-password, but it looks like even though oneshot is supposed to be a single (non-forked) process as per the systemd documentation, it appears that it's still run in the background and I see systemd-ask-password still sitting in the process list after the boot process has finished. Also systemd is blocking the service's stdout/stdin, so there is no way to actually enter the password.
RemainAfterExit=no

[Install]
WantedBy=default.target

I see there is a plymouth password prompt tool but I could not find any documentation and configuration examples whatsoever.

Any help would be highly appreciated.

Thanks,
Alex

Last edited by bsdard (2012-12-26 17:59:04)


#2 2012-12-27 07:27:05

dr_te_z
Member
From: Zoetermeer, the Netherlands
Registered: 2006-12-06
Posts: 154

Re: Luks + gpg encrypted key + systemd = lots of pain

Not sure I understand your problem. Why do the "standard" entries in /etc/fstab and /etc/crypttab not work in your situation?


Somewhere between "too small" and "too large" lies the size that is just right.
- Scott Hayes


#3 2012-12-27 12:18:18

bsdard
Member
From: Surrey, UK
Registered: 2011-01-22
Posts: 15

Re: Luks + gpg encrypted key + systemd = lots of pain

Thanks for the prompt response.
Ok, the key to my partition is a file based key, which is GPG encrypted. In order to use the key, I need to enter the password to GPG to decrypt the key, so that it can be used by cryptsetup. As far as I know there is no way to get crypttab working in this scenario.
Before switching to systemd I used something like below in rc.local, which would prompt a password using pinentry-curses, just before the getty/qingy kicks in.

gpg --quiet --decrypt <key-file> | cryptsetup luksOpen /dev/sda# sda#
mount /dev/mapper/sda#

Now I simply cannot get systemd to allow the password prompt during the boot and this is what I need some advice for. I see there is a password prompt facility in systemd (plymouth), but I cannot find much documentation on how to use it properly for my purpose.

Last edited by bsdard (2012-12-27 12:19:21)


#4 2013-01-11 12:47:46

TBastiani
Member
Registered: 2011-06-10
Posts: 3

Re: Luks + gpg encrypted key + systemd = lots of pain

I'm slightly confused. Do you want a graphical prompt or a plain cmdline one?

Also, you mention that your previous rc.local worked fine, can you paste it here?


#5 2013-01-17 14:53:41

bsdard
Member
From: Surrey, UK
Registered: 2011-01-22
Posts: 15

Re: Luks + gpg encrypted key + systemd = lots of pain

I want the console one the way it used to be (pinentry-curses or "/usr/bin/systemd-ask-password Password:" as I said), but neither works anymore.

Whenever it is in rc.local, systemd apparently blocks stdin/stdout, so I never see the password prompt (also, when I get the qingy prompt and log in, I see the gpg password prompt is in the process list; I just don't see the prompt during boot).
I've created a systemd service, but it does not work either when enabled during boot. When I log in as root and run systemctl start luks, it works just fine, but not during the boot sequence.

[Unit]
Description=Mount LUKS
After=rc-local.service  # I tried many options here but it does not work regardless

[Service]
Type=oneshot
ExecStart=/path/to/my/luks/script.sh # contents below
RemainAfterExit=no

That's all that was in the rc.local and was enough for it to work before I moved to systemd:

gpg --quiet --decrypt <key-file> | cryptsetup luksOpen /dev/sda# sda#
mount /dev/mapper/sda#

Apparently with systemd I need to create many config files and go through all this pain to make it work :( I wish there was at least an option to use systemd or the original system, which I found was perfect - simple and predictable.

Any ideas? Did anyone manage to get it working with systemd?
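A hardened version of the rc.local pipeline above as a script a oneshot unit can call (an added example, not the poster's own luks.sh): the passphrase comes from systemd's password agent rather than a TTY the service does not own, the decrypted key goes straight to cryptsetup on stdin, and the key file's permissions are checked first. Key path, device and mapper name are assumptions, and the tool names are variables so the logic can be exercised with stand-ins.

```shell
#!/bin/sh
# Added example, not the thread's own script: open a LUKS volume whose key
# file is GPG-encrypted, fetching the passphrase through systemd's password
# agent (systemd-ask-password) instead of reading a TTY the service does
# not own. Paths, device and mapper name are assumptions; override them in
# the unit's Environment= line.
#
# Unit hints: Type=oneshot, RemainAfterExit=yes, and Before=getty.target so
# the console password agent shows the prompt before a getty claims the tty.
set -eu

KEY_FILE="${KEY_FILE:-/etc/luks/key.gpg}"   # assumed location
DEVICE="${DEVICE:-/dev/sda2}"               # assumed device
MAPPER_NAME="${MAPPER_NAME:-cryptdata}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
# Tools are variables so the logic can be exercised with stand-ins.
ASK="${ASK:-systemd-ask-password}"
GPG="${GPG:-gpg}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Refuse a key file that anyone but its owner can read (GNU stat).
check_key_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "refusing $1: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Passphrase -> gpg (fd 0) -> plaintext key -> cryptsetup (stdin).
# The key never touches disk and the passphrase never appears in argv,
# where /proc/<pid>/cmdline would expose it to every local user.
open_volume() {
    check_key_perms "$KEY_FILE" || return 1
    if [ -e "$MAPPER_DIR/$MAPPER_NAME" ]; then
        echo "$MAPPER_NAME is already open" >&2
        return 0
    fi
    # gpg 2.1+ also needs --pinentry-mode loopback to honour --passphrase-fd.
    "$ASK" --timeout=0 "Passphrase for the GPG key of $MAPPER_NAME:" \
      | "$GPG" --quiet --batch --passphrase-fd 0 --decrypt "$KEY_FILE" \
      | "$CRYPTSETUP" --key-file=- luksOpen "$DEVICE" "$MAPPER_NAME"
}

# ExecStart=/usr/local/sbin/luks.sh open
case "${1:-}" in
    open) open_volume ;;
esac
```

The mount itself is better left to a normal fstab entry (or a mount unit) ordered after this service, so the script only has to get the mapping up.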


#6 2013-01-22 13:51:19

popso
Member
Registered: 2012-07-15
Posts: 17

Re: Luks + gpg encrypted key + systemd = lots of pain

Bump.

I have the same problem, except I'm using truecrypt.

Edit:
I found a solution on this thread.

The weird part is that fstab stops the boot process to let me type the password.

During my research, I came across this post; maybe it's more what you're looking for.

Last edited by popso (2013-01-22 14:42:31)


#7 2013-01-23 10:41:48

bsdard
Member
From: Surrey, UK
Registered: 2011-01-22
Posts: 15

Re: Luks + gpg encrypted key + systemd = lots of pain

Thanks for the response. I shall have a look at the provided links.

popso wrote:

Bump.

I have the same problem, except I'm using truecrypt.

Edit:
I found a solution on this thread.

The weird part is that fstab stops the boot process to let me type the password.

During my research, I came across this post; maybe it's more what you're looking for.

I came across the link (post) before and actually used it in my systemd attempt, but it does not appear to work for me. The boot sequence won't stop and the password prompt ends up in the background.
<still trying to understand why systemd was a good change and yet cannot find an answer :(. It appears to be the biggest and ugliest (IMHO) system, meaning both SLOC and config files. How minimalistic is that?!>
Thanks.
