
#1 2019-08-29 19:59:39

TemporalShift
Member
Registered: 2019-08-29
Posts: 4

User input for encryption passphrase in initcpio hook

Hi all,

Newish Arch user here of a couple of months and I've been tinkering with my system today trying to make it do some nice things.

I wanted to set things up so that I could decrypt my system after boot by either
1) Inserting my PGP-capable YubiKey and using it to decrypt a master keyfile
2) Entering a long passphrase, if I don't have the YubiKey on me for some reason but I really need to use the laptop

I installed this excellent little initcpio hook: https://github.com/fuhry/initramfs-scencrypt

Managed to get the YubiKey based decryption working, which is great!

Now here's the problem: supposedly this hook allows you to enter a passphrase manually if after 60 seconds you fail to plug in your YubiKey.

I found that this functionality does not work (at least for me).

The first problem I found was that it simply did not realize that a YubiKey hadn't been plugged in, due to what I believe was an error in the code from the author:
https://github.com/fuhry/initramfs-scen … t-hook#L13

I inserted a line after line 13:

return $result

This appeared to fix this problem; it was now correctly reaching the part of the script dealing with a passphrase-based unlock.

I then ran into a much more annoying issue: every time it hit this part of the code it would display "Nothing to read on input" without giving me a chance to type a passphrase.

It appeared to be a problem with there not being an input console hooked up to STDIN and as such it was instantly failing. Looking earlier in the script I saw that the author used the line

0</dev/console 1>/dev/console 2>/dev/console

when running a GPG command that would ask for a PIN.

I added this after the command to open the drive with LUKS and voila, it now allowed me to enter the passphrase and log in.

My question for someone experienced here is: why is this line needed? I checked the official encrypt hook bundled with Arch and it seems to work fine without any kind of redirection like the one shown above. Is there a cleaner way to do this without the /dev/console redirection?

Many thanks in advance.
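
An added example, not part of the original post and not the hook's or cryptsetup's code: constructed shell stand-ins for the two behaviours described above, a function whose failure status is lost without `return $result`, and a passphrase reader that fails at once when its stdin is not a terminal and holds nothing to read. The names `token_present_buggy`, `token_present_fixed`, `read_passphrase` and `on_console` are hypothetical, and the shape of the hook's own functions is an assumption.

```shell
#!/bin/sh
# Constructed stand-ins; not the hook's or cryptsetup's code.

# Hypothetical token probe ("$@" is the probe command). A function's status
# is that of its LAST command, so the trailing ":" hides a failed probe.
token_present_buggy() {
    result=0
    "$@" >/dev/null 2>&1 || result=$?
    : "probe exited with $result"
}

# Same helper with the one-line fix from the post.
token_present_fixed() {
    result=0
    "$@" >/dev/null 2>&1 || result=$?
    : "probe exited with $result"
    return $result
}

# Stand-in for a passphrase reader: prompts only when stdin is a terminal,
# otherwise consumes stdin and fails at once if nothing is there.
read_passphrase() {
    PASSPHRASE=
    status=0
    if [ -t 0 ]; then
        printf 'Enter passphrase: ' >&2
        stty -echo
    fi
    IFS= read -r PASSPHRASE || status=$?
    if [ -t 0 ]; then
        stty echo
        echo >&2
    fi
    if [ "$status" -ne 0 ] && [ -z "$PASSPHRASE" ]; then
        echo "Nothing to read on input" >&2
        return 1
    fi
}

# Rebind stdin, stdout and stderr to device $1 for one command, as the
# redirection in the post does with /dev/console.
on_console() {
    dev=$1
    shift
    "$@" 0<"$dev" 1>"$dev" 2>"$dev"
}

# In an initramfs the call would be: on_console /dev/console read_passphrase
```

Checking `[ -t 0 ]` at the point where the unlock command runs shows whether it inherited a terminal or some other stdin, which is the condition the redirection changes.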


#2 2019-08-29 20:35:43

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: User input for encryption passphrase in initcpio hook

Moving to AUR Issues...

