Hello Lennart. Thanks for your response. I did not express myself correctly.
On Thu, Jun 6, 2024 at 7:05 PM Lennart Poettering <lennart@xxxxxxxxxxxxxx> wrote:
On Mi, 05.06.24 15:36, Sergio Arroutbi (sarroutb@xxxxxxxxxx) wrote:
> Hello. I have tried with headless=yes. The issue with this is that
> systemd-cryptsetup ends, so I can not provide the password for decryption
> through socket provided in /run/systemd/ask-password/sck.numbers
>
> I miss an option where systemd-cryptsetup is executed headless, but
> continues running, without exiting.
>
> I have tried with keyfile=/dev/urandom and option=keyfile-size=600000, but
> it is too quick. I also tried try-empty-password, but this is tried only
> once.
>
> I am running out of ideas.
Hmm, I am not sure I follow? So do you or do you not want cryptsetup
ask for passwrds via the ask-password agent stuff?
We are developing a PKCS11 plugin for Clevis (https://github.com/latchset/clevis). Clevis allows automatic boot encrypted disks unlocking by storing some information into LUKS metadata.
To do so, it is executed in parallel to systemd-cryptsetup and, while the password is prompted to the user (and the agent runs), Clevis provides the key
by writing to the systemd-cryptsetup ask-password socket.
I initially thought you don't, but now you do?
Let me explain myself. What we want now is to disable systemd-cryptenroll password prompt at boot, (as our software already asks for the PKCS11 PIN), and provide the password as we are doing now,
by using the socket provided through the agent system. We just want systemd-cryptenroll to not ask for a password in the boot console. I don´t know if there is an option to disable it,
as using "headless" makes our software not able to communicate the PIN to systemd-cryptenroll. I have tried using a "fake" keyfile (/dev/urandom) in crypttab with the highest possible length,
but systemd-cryptenroll ends. I have also tried other crypttab options (such as retries, other timeouts, etc.), with no luck.
Ideally, a mechanism to make systemd-cryptsetup to be waiting for the password through the agent (and not the console) would be enough.
Or do you want to filter stuff, i.e. that
systemd-ask-password-agent-tty only does its thing if asked for some
passwords, but not for others?
According to api-password.h, (systemd/src/shared/) you can provide different options:
ASK_PASSWORD_ACCEPT_CACHED = 1 << 0, /* read from kernel keyring */
...
ASK_PASSWORD_NO_TTY = 1 << 4, /* never ask for password on tty */
ASK_PASSWORD_ACCEPT_CACHED = 1 << 0, /* read from kernel keyring */
...
ASK_PASSWORD_NO_TTY = 1 << 4, /* never ask for password on tty */
...
ASK_PASSWORD_HEADLESS = 1 << 9, /* headless mode: never query interactively */
ASK_PASSWORD_HEADLESS = 1 << 9, /* headless mode: never query interactively */
So, using headless mode in crypttab should be the way, but it makes systemd-cryptsetup to exit, and we can not inject the password.
if that's what you want, let's take a step back, what are you actually
trying to do? Can you describe your scenario better?
I hope the previous description helps.
Lennart
--
Lennart Poettering, Berlin
Thank you very much
