
#1 2022-10-21 02:43:36

lfitzgerald
Member
Registered: 2021-07-16
Posts: 175

Enable password echo with mkinitcpio encrypt hook

The wiki says that systemd-cryptsetup has password echo enabled by default, and that the encrypt hook doesn't.

I am using the encrypt hook and would like to enable the password echo. How can I do this?

I assume rd.luks.options=password-echo=yes will not work, since I am not using systemd-cryptsetup.


#2 2022-10-21 19:47:11

makeshift_rephrase
Member
Registered: 2022-10-21
Posts: 6

Re: Enable password echo with mkinitcpio encrypt hook

You should attempt to find out whether password echo is even supported with the regular encrypt hook. I suggest using the systemd hooks since from my experience they have worked more smoothly across systems.


#3 2022-10-22 03:46:28

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,178

Re: Enable password echo with mkinitcpio encrypt hook

makeshift_rephrase wrote:

You should attempt to find out whether password echo is even supported with the regular encrypt hook. I suggest using the systemd hooks since from my experience they have worked more smoothly across systems.

This requires other changes, such as switching from a busybox to systemd initramfs. The standard encrypt hook should work fine across systems if you don't need the bells and whistles of systemd.

That said, I suspect the OP may be out of luck on the echo issue.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#4 2022-10-22 06:14:39

frostschutz
Member
Registered: 2013-11-15
Posts: 1,647

Re: Enable password echo with mkinitcpio encrypt hook

The encrypt hook simply runs cryptsetup directly for the interactive prompt, and cryptsetup does not support echoing as far as I'm aware.

So if you don't want to switch over to the existing solutions (systemd-based initcpio with sd-encrypt, or perhaps plymouth-encrypt might echo it), you'd have to make a custom hook with a custom prompt.

Rudimentary, without any retry logic or anything:

pass=''
word=''
prompt="Password: "

# read one character at a time: -s suppresses the terminal's own echo,
# -n 1 returns after a single character, -p prints the prompt first
while IFS= read -r -s -p "${prompt}" -n 1 word
do
    # Enter gives an empty read: finish the line on screen and stop
    [ "${word}" = "" ] && echo && break
    # every further character is answered with a '*' instead of itself
    prompt="*"
    pass="${pass}${word}"
done

# hand the collected passphrase to cryptsetup on stdin
printf "%s" "$pass" | cryptsetup open ...

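
As an added example (not code from the thread), here is a complete runtime hook along the lines frostschutz sketches, with the retry logic and Backspace handling the snippet leaves out. The function names and the hook file name are this example's own. It assumes mkinitcpio's init exports cryptdevice=device:dmname from the kernel command line as $cryptdevice, as the encrypt hook's help text describes, and that the initramfs shell's read supports -s and -n (bash and busybox ash both do). Unlike the stock hook it does no UUID=/LABEL= resolution.

```shell
#!/bin/bash
# Added example, not part of the original thread: a mkinitcpio runtime hook
# (e.g. /etc/initcpio/hooks/encrypt-echo, name assumed) that prompts for the
# LUKS passphrase itself, echoing one '*' per character, handling Backspace,
# and retrying a fixed number of times.

# read_masked PROMPT: read a line from stdin without echoing it, printing one
# '*' per accepted character. Prompt and feedback go to stderr so that the
# passphrase alone is what the function writes to stdout.
read_masked() {
    local prompt="$1" pass='' ch bs del
    bs=$(printf '\b')      # Ctrl-H
    del=$(printf '\177')   # DEL, what most terminals send for Backspace
    printf '%s' "$prompt" >&2
    # -s disables the terminal's own echo, -n 1 returns after one character;
    # in that mode the line discipline no longer handles Backspace, so we do.
    while IFS= read -r -s -n 1 ch; do
        case "$ch" in
            '')                 # Enter: read returns an empty string on the delimiter
                break ;;
            "$bs"|"$del")       # erase the last character on screen and in the buffer
                if [ -n "$pass" ]; then
                    pass=${pass%?}
                    printf '\b \b' >&2
                fi ;;
            *)
                pass="$pass$ch"
                printf '*' >&2 ;;
        esac
    done
    printf '\n' >&2
    printf '%s' "$pass"
}

# unlock_with_retry TRIES CMD [ARGS...]: prompt up to TRIES times, piping each
# passphrase to CMD on stdin; succeeds as soon as CMD does, fails otherwise.
unlock_with_retry() {
    local tries="$1" attempt=1 pass
    shift
    while [ "$attempt" -le "$tries" ]; do
        pass=$(read_masked "Passphrase (attempt $attempt of $tries): ")
        if printf '%s' "$pass" | "$@"; then
            return 0
        fi
        echo "Unlock failed." >&2
        attempt=$((attempt + 1))
    done
    return 1
}

# run_hook is the entry point mkinitcpio's init calls for a runtime hook.
# Assumption: init has exported cryptdevice=device:dmname as $cryptdevice.
run_hook() {
    local dev name
    dev=${cryptdevice%%:*}
    name=${cryptdevice#*:}
    name=${name%%:*}
    [ -n "$dev" ] && [ -n "$name" ] || return 1
    # --key-file=- makes cryptsetup take the passphrase from stdin verbatim,
    # which is why read_masked writes it without a trailing newline.
    unlock_with_retry 3 cryptsetup open --key-file=- "$dev" "$name"
}
```

To use it, put the file under /etc/initcpio/hooks/, add an install script under /etc/initcpio/install/ that does what the stock encrypt build() shown later in this thread does and calls add_runscript, replace encrypt with the new hook's name in HOOKS in mkinitcpio.conf, and rebuild with mkinitcpio -P. Two caveats a practitioner should weigh: the '*' feedback reveals the passphrase length to anyone looking at the screen, and, as in the original snippet, the passphrase sits in a shell variable of the init process until the hook returns.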

#5 2022-10-22 18:55:27

lfitzgerald
Member
Registered: 2021-07-16
Posts: 175

Re: Enable password echo with mkinitcpio encrypt hook

makeshift_rephrase wrote:

You should attempt to find out whether password echo is even supported with the regular encrypt hook.

Indeed. This thread is my attempt :)

makeshift_rephrase wrote:

I suggest using the systemd hooks since from my experience they have worked more smoothly across systems.

A couple years back I remember the systemd method having more caveats, so since I don't enjoy troubleshooting boot issues, I assumed the systemd hook is just not mature and decided to go with the tried and true. Are there any drawbacks to the systemd hook today?

frostschutz wrote:

encrypt hook simply runs cryptsetup directly for the interactive prompt - and cryptsetup does not support echoing as far as I'm aware

Thank you for the explanation! It's nice to have an example of a custom hook, but it sounds like switching to systemd would be easier.


#6 2022-10-22 22:26:04

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,178

Re: Enable password echo with mkinitcpio encrypt hook

You can see what the different hooks do by looking at them as they are just shell scripts in /usr/lib/initcpio/install/.

encrypt:

#!/bin/bash

build() {
    local mod

    add_module 'dm-crypt'
    add_module 'dm-integrity'
    if [[ $CRYPTO_MODULES ]]; then
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules '/crypto/'
    fi

    add_binary 'cryptsetup'

    map add_udev_rule \
        '10-dm.rules' \
        '13-dm-disk.rules' \
        '95-dm-notify.rules' \
        '/usr/lib/initcpio/udev/11-dm-initramfs.rules'

    # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
    add_binary '/usr/lib/libgcc_s.so.1'

    add_runscript
}

help() {
    cat <<HELPEOF
This hook allows for an encrypted root device. Users should specify the device
to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
where 'device' is the path to the raw device, and 'dmname' is the name given to
the device after unlocking, and will be available as /dev/mapper/dmname.

For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
the kernel cmdline, where 'device' represents the raw block device where the key
exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
the absolute path of the keyfile within the device.

Without specifying a keyfile, you will be prompted for the password at runtime.
This means you must have a keyboard available to input it, and you may need
the keymap hook as well to ensure that the keyboard is using the layout you
expect.
HELPEOF
}

# vim: set ft=sh ts=4 sw=4 et:

sd-encrypt:

#!/bin/bash

build() {
    local mod

    add_module 'dm-crypt'
    add_module 'dm-integrity'
    if [[ $CRYPTO_MODULES ]]; then
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules '/crypto/'
    fi
    add_checked_modules '/drivers/char/tpm/'

    map add_udev_rule \
        '10-dm.rules' \
        '13-dm-disk.rules' \
        '60-fido-id.rules' \
        '95-dm-notify.rules' \
        '/usr/lib/initcpio/udev/11-dm-initramfs.rules'

    map add_systemd_unit 'cryptsetup.target' \
        'systemd-ask-password-console.path' \
        'systemd-ask-password-console.service'
    map add_binary \
        '/usr/lib/systemd/system-generators/systemd-cryptsetup-generator' \
        '/usr/lib/systemd/systemd-cryptsetup' \
        '/usr/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so' \
        '/usr/lib/cryptsetup/libcryptsetup-token-systemd-pkcs11.so' \
        '/usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so'

    # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
    add_binary '/usr/lib/libgcc_s.so.1'

    # add libraries dlopen()ed by systemd-cryptsetup
    for LIB in fido2 tss2-{{esys,rc,mu},tcti-'*'}; do
        for FILE in $(find /usr/lib/ -maxdepth 1 -name "lib${LIB}.so*"); do
            if [[ -L "${FILE}" ]]; then
                add_symlink "${FILE}"
            else
                add_binary "${FILE}"
            fi
        done
    done

    # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
    add_binary 'mkswap'

    [[ -f /etc/crypttab.initramfs ]] && add_file '/etc/crypttab.initramfs' '/etc/crypttab'
}

help() {
    cat <<HELPEOF
This hook allows for an encrypted root device with systemd initramfs.

See the manpage of systemd-cryptsetup-generator(8) for available kernel
command line options. Alternatively, if the file /etc/crypttab.initramfs
exists, it will be added to the initramfs as /etc/crypttab. See the
crypttab(5) manpage for more information on crypttab syntax.
HELPEOF
}

# vim: set ft=sh ts=4 sw=4 et:

