LUKS password prompt; suspend

flx · 2007-11-28 17:43:10

I just did a fresh Arch install using the Archlinux-i686-2007.11-0.4.core.iso and following the LUKS Encrypted Root how-to in the wiki to set up encrypted /, /home, and swap partitions. Everything works fine except for two issues:

1) On boot, the LUKS prompt asking for my password gets overwritten by USB-related boot messages. Hitting the Enter key gives me a new prompt and I can enter my password, so this is merely a cosmetic problem.

2) I haven't had any luck trying to get µswsusp to work. Is this at all possible with an encrypted swap?

Thanks for any hints.

timtux · 2007-12-02 23:34:00

Wrote a patch for the pw prompt some months ago. Use it at your own risk

--- lib/initcpio/hooks/encrypt  2007-06-21 18:26:42.000000000 +0200
+++ /lib/initcpio/hooks/encrypt 2007-08-16 14:30:37.000000000 +0200
@@ -60,8 +60,19 @@
             fi
             # Ask for a passphrase
             if [ ${dopassphrase} -gt 0 ]; then
-                echo ""
-                echo "A password is required to access the ${cryptname} volume:"
+               blue='\033[1;35m'
+               white='\033[0;34m'
+               reset='\033[0m'
+               echo "\033[H\033[2J                                                             "
+               echo "                                                                          "
+               echo "$blue                    __        $white                                 "
+               echo "$blue  ___ __ __ __ ____|  |___ $white                                    "
+               echo "$blue | __'  |  '__| ___|  '   |$white  Don't panic, this is an           "
+               echo "$blue |___,__|__|  |____|__||__|$white  Encrypted System                  "
+               echo "$blue  ------------------------ $white                                    "
+               echo "$reset                                                                    "
+               echo "                                                                          "
+               echo " A password is required to access the ${cryptname} volume:\033[37;40m     "
 
                 #loop until we get a real password
                 while ! eval /bin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do

Last edited by timtux (2007-12-02 23:34:27)

Ibex · 2008-01-28 15:14:23

I'd like to kick this thread up again. I have the same problem as flx mentioned in the startpost. When the system asks me for the LUKS password, the prompt is flooded with messages about usb. I can simply enter my password, hit ENTER and continue, but it's not good looking.

Maybe the patch above helps, but I don't know how to use the patch. Maby somebody can help?

chimeric · 2008-01-28 15:32:13

Ibex wrote:

I'd like to kick this thread up again. I have the same problem as flx mentioned in the startpost. When the system asks me for the LUKS password, the prompt is flooded with messages about usb. I can simply enter my password, hit ENTER and continue, but it's not good looking.

I have the same "problem" but I find it more useful than disturbing. You know that you have to enter a password when the boot process stops at that moment. Just look at it from the "security through obscurity" angle, everyone else who gets his/her/its hand on your laptop would have to figure that out first .

You can apply the patch via the "patch" program. The file to which to apply the patch appears in the first 2 lines of the above patch.

timtux · 2008-01-28 17:42:16

This is the current patch as of 2007-11-15, cryptsetup version 1.0.5-5.

--- /lib/initcpio/hooks/encrypt 2007-11-15 19:15:21.000000000 +0100
+++ /lib/initcpio/hooks/encrypt 2008-01-28 18:22:50.000000000 +0100
@@ -60,10 +60,24 @@ run_hook ()
             fi
             # Ask for a passphrase
             if [ ${dopassphrase} -gt 0 ]; then
-                echo ""
-                echo "A password is required to access the ${cryptname} volume:"
+                # Set some vars.
+                blue='\033[1;35m'      # for the blue arch color
+                white='\033[0;34m'     # white!
+                reset='\033[0m'                # restore color to default
+                clear='\033[H\033[2J'  # clears the terminal BEFORE output

-                #loop until we get a real password
+                # Print a nice message and ask for the passphrase.
+                echo "$clear                                                                                 "
+                echo "$blue                    __     $white                                                 "
+                echo "$blue  ___ __ __ __ ____|  |___ $white                                                 "
+                echo "$blue | __'  |  '__| ___|  '   |$white  There won't be any Core Dump files to read on  "
+                echo "$blue |___,__|__|  |____|__||__|$white  this volume unless you know the passphrase.    "
+                echo "$blue  ------------------------ $white                                                 "
+                echo "$reset                                                                                 "
+                echo "                                                                                       "
+                echo " A passphrase is required to access the ${cryptname} volume:\033[37;40m                "
+
+                # Loop until we get a real password
                 while ! eval /bin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                     sleep 2;
                 done

And a little script for autoinstalling, this is dangerous, make sure to have a working fallback image!
Cut and paste into a empty file, chmod +x, and ./execute as root AT YOUR OWN RISK.

#!/bin/bash
if [ `pacman -Qi cryptsetup |grep Version |awk '{ print $3 }'` == "1.0.5-5" ]
then
   cp /lib/initcpio/hooks/encrypt /lib/initcpio/hooks/encrypt.bak
   wget http://timtux.net/tmp/cryptsetup-1.0.5-fixpwprompt.diff
   patch -p1 /lib/initcpio/hooks/encrypt cryptsetup-1.0.5-fixpwprompt.diff
   mkinitcpio -p kernel26
fi

Last edited by timtux (2008-01-28 17:43:39)

Ibex · 2008-01-28 20:44:32

Your fix seems to work, but unfortunately, the same problem occurs. The nice arch-ascii text shows up, but half a second later, some usb-messages appears below... The "security through obscurity" is maybe right, but it looks too messy for me. Does someone else have an idea?

timtux · 2008-01-28 20:53:50

How many seconds does it take for em to "complete"? Could put a sleep X; after the "if [ ${dopassphrase} -gt 0 ]; then" where X is the second it takes for em to complete + 2sec or something

Last edited by timtux (2008-01-28 21:59:28)

Ibex · 2008-02-07 19:08:48

That was indeed the solution I used. A sleep 2 was perfect for me.

In meantime, I've changed some items in the mkinicpio.conf and I figured out that the all usb-messages were showing up because the system was told to by the usb-hook in the mkinicpio.conf. Since I don't have to boot from an usb device, I left out the usb-hook. All usb-related-flood is gone now, so I could remove the "sleep 2" from the encrypt-hook.

Arch Linux

#1 2007-11-28 17:43:10

LUKS password prompt; suspend

#2 2007-12-02 23:34:00

Re: LUKS password prompt; suspend

#3 2008-01-28 15:14:23

Re: LUKS password prompt; suspend

#4 2008-01-28 15:32:13

Re: LUKS password prompt; suspend

#5 2008-01-28 17:42:16

Re: LUKS password prompt; suspend

#6 2008-01-28 20:44:32

Re: LUKS password prompt; suspend

#7 2008-01-28 20:53:50

Re: LUKS password prompt; suspend

#8 2008-02-07 19:08:48

Re: LUKS password prompt; suspend

Board footer