Unlocking several crypto discs during boot

Volker Wysk post at volker-wysk.de
Sun Oct 15 07:03:27 UTC 2017


On Sunday, 15 October 2017, 01:30:16 CEST, Xen wrote:
> > This way, we could also unite several hard disks for the root-LV. I
> > wasn't able to use both of my harddisks, when I installed Kubuntu 16.04.
> 
> You mean if you put a stripe raid there or something.
> 
> Yes that's easily done.

Yes, I've set up RAID, using LVM, in the Debian system which I had before I 
switched to Kubuntu.


> I don't think I have a real objection to your idea.

Good. :-) 

Would you happen to be one of the developers who look after these boot 
process matters?


> I don't like it much without configuration but I guess most people would 
> want it by default.
> 
> I would prefer an option in /etc/crypttab that would say something like 
> "reuse" but I thought something like that already existed...
> 
> But that's not the case. You would have to work with the FreeDesktop 
> people and SystemD at present
> 
> to propose something (or a developer would).
> 
> https://www.freedesktop.org/software/systemd/man/crypttab.html
> 
> Unfortunately they really removed keyscript support.
> 
> 
> 
> I am not intimate about how normally the askpass thing is called or 
> returns its value.
> 
> In principle you could write a keyscript that calls some ask password 
> thing, writes down the password in a /run/ file.
> 
> Then when the keyscript is called again for the other volume, it reads 
> the password from disk and doesn't need to ask it.
> 
> This happens in 16.04 before systemd is involved, so it will work just 
> fine in 16.04 likely.
> 
> #!/bin/sh
> # Keyscript: ask once, then reuse the answer for every later volume.
> 
> [ -d /run/cryptsetup ] || /bin/mkdir /run/cryptsetup
> 
> # Cached by an earlier call? Print it. Otherwise ask, cache it and print it
> # (tee writes the file and passes the passphrase through to stdout).
> [ -e /run/cryptsetup/rootpw ] && /bin/cat /run/cryptsetup/rootpw || {
>     pw=$(/bin/askpass)    # placeholder: use the real askpass tool's path here
>     printf "%s" "$pw" | /bin/tee /run/cryptsetup/rootpw
> }
> 
> --------------------
> 
> At that point you have what is needed.
> 
> You would need to copy mkdir cat and tee into the initramfs using a 
> hook.
> 
> And know how to use the existing askpass thing.
> 
> So in fact if done right you can have your solution with nothing more 
> than 2 files.
> 
> - keyscript
> - /etc/initramfs-tools/hooks/copy_binaries
> 
> http://manpages.ubuntu.com/manpages/zesty/man8/initramfs-tools.8.html 
> (search for copy_exec)
> 
> 
> #!/bin/sh
> # /etc/initramfs-tools/hooks/copy_binaries: pull the tools the keyscript
> # needs into the initramfs.
> 
> . /usr/share/initramfs-tools/hook-functions
> 
> copy_exec /bin/mkdir /bin
> copy_exec /usr/bin/tee /bin
> copy_exec /bin/cat /bin
> 
> 
> 
> Or something like that.

Uhh, okay. But I'm not going to dig into the boot process details for now. 
I'll just live with having to enter the password twice. And wait for my idea 
to get implemented. :-)

Bye
Volker
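The cache-in-/run idea Xen sketches above, worked through as an added example (this is not Xen's script and not part of the original thread). It keeps the same trick, a passphrase file under /run reused by every crypttab entry, and adds the three things a practitioner would want before relying on it: the cache is created with umask 077 so it is 0600, it is discarded when cryptsetup reports a retry via CRYPTTAB_TRIED so that a mistyped passphrase is not replayed for every volume until the retry limit is exhausted, and it prompts through /lib/cryptsetup/askpass, which is where Ubuntu's cryptsetup ships its prompt tool. It assumes the Debian/Ubuntu keyscript interface (CRYPTTAB_NAME and CRYPTTAB_TRIED in the environment, key written to stdout). The ASKPASS and CRYPT_CACHE_DIR overrides, the function names and the cache file name are hypothetical, added so the logic can be exercised outside an initramfs.

```shell
#!/bin/sh
# Added example, not Xen's script: a crypttab keyscript that caches the
# passphrase typed for the first LUKS volume and replays it for the others.
#
# Assumed interface (Debian/Ubuntu cryptsetup keyscripts): cryptsetup runs the
# script with CRYPTTAB_NAME and CRYPTTAB_TRIED in its environment and reads the
# key from the script's stdout. ASKPASS and CRYPT_CACHE_DIR are hypothetical
# overrides so the functions can be tested outside an initramfs.

ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"
CACHE_DIR="${CRYPT_CACHE_DIR:-/run/cryptsetup}"
CACHE_FILE="$CACHE_DIR/rootpw"

# Prompt the user; the prompt tool prints the typed passphrase on stdout.
prompt_passphrase() {
    "$ASKPASS" "Unlocking $1, enter passphrase: "
}

# Print the cached passphrase, or fail if there is none (or it is empty).
cached_passphrase() {
    [ -s "$CACHE_FILE" ] || return 1
    cat "$CACHE_FILE"
}

# Cache the passphrase read from stdin. umask 077 makes the directory 0700 and
# the file 0600 so nothing else that later runs on this tmpfs can read it; the
# subshell keeps the umask change local to this function.
store_passphrase() {
    (
        umask 077
        mkdir -p "$CACHE_DIR"
        cat > "$CACHE_FILE"
    )
}

# Remove the cache. Call this from a late boot step once every volume is open;
# the keyscript itself must keep the file for the next crypttab entry.
clear_cache() {
    rm -f "$CACHE_FILE"
}

# get_passphrase NAME TRIED: print the key for volume NAME. TRIED > 0 means
# cryptsetup rejected what we returned last time, so whatever is cached is
# stale (mistyped, or this volume has a different passphrase) and is dropped
# rather than replayed until the retry limit is hit.
get_passphrase() {
    name="$1"
    tried="${2:-0}"

    if [ "$tried" -gt 0 ]; then
        clear_cache
    fi

    if cached_passphrase; then
        return 0
    fi

    pw=$(prompt_passphrase "$name") || return 1
    printf '%s' "$pw" | store_passphrase
    # No trailing newline: cryptsetup would treat it as part of the key.
    printf '%s' "$pw"
}

# Only act as a keyscript when cryptsetup is actually calling us.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    get_passphrase "$CRYPTTAB_NAME" "${CRYPTTAB_TRIED:-0}"
fi
```

To use it, each volume's line in /etc/crypttab names the script with the `keyscript=` option (for example `keyscript=/usr/local/sbin/cryptcache`, a hypothetical path); the cryptroot initramfs hook copies a keyscript referenced in crypttab into the initramfs, so the only extra hook needed is the one copying `mkdir`/`cat` when the initramfs busybox does not already provide them. The passphrase sits in clear text on /run (RAM-backed, never on disk) from the first prompt until something removes it, so wipe it once the last volume is open rather than leaving it for the lifetime of the system.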





More information about the ubuntu-users mailing list