cryptsetup: [patch] fix remote unlock of encrypted root when plymouth is installed

Asked by Maddes on 2015-03-25

Dear Maintainer,

The cryptroot script always uses plymouth if present (plymouth is
installed by default on Ubuntu).
Unfortunately this prevents to unlock an encrypted root from console
(e.g. via SSH).
Attached is a patch based on 14.04 LTS with a solution to this issue.

Changes in /usr/share/initramfs-tools/scripts/local-top/cryptroot
- new parameter "noplymouth": possible to use during boot time to avoid
usage of plymouth even if present
- kill all processes which ask for the password after encrypted root is
available

New file /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh
- creates /bin/unlock script in initramfs to define correct PATH and
call cryptroot script with correct parameter
- creates /etc/motd file in initramfs to inform user about unlock script

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu cryptsetup Edit question
Assignee:
No assignee Edit question
Solved by:
actionparsnip
Solved:
Last query:
Last reply:
Revision history for this message
Maddes (maddes.b) said :
#1

--- /usr/share/initramfs-tools/scripts/local-top/cryptroot 2012-11-07 16:28:47.000000000 +0100
+++ /usr/share/initramfs-tools/scripts/local-top/cryptroot 2015-03-11 23:25:18.000000000 +0100
@@ -16,11 +16,15 @@ prereqs()
  done
 }

+NOPLYMOUTH=0
+
 case $1 in
 prereqs)
  prereqs
  exit 0
  ;;
+noplymouth)
+ NOPLYMOUTH=1
 esac

 # source for log_*_msg() functions, see LP: #272301
@@ -31,7 +35,7 @@ esac
 #
 message()
 {
- if [ -x /bin/plymouth ] && plymouth --ping; then
+ if [ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ] && plymouth --ping; then
   plymouth message --text="$@"
  else
   echo "$@" >&2
@@ -249,7 +253,7 @@ setup_mapping()

   if [ -z "$cryptkeyscript" ]; then
    cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
- if [ -x /bin/plymouth ] && plymouth --ping; then
+ if [ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ] && plymouth --ping; then
     cryptkeyscript="plymouth ask-for-password --prompt"
     cryptkey=$(printf "$cryptkey")
    else
@@ -271,6 +275,12 @@ setup_mapping()
    return 1
   fi

+ # Kill all remaining processes that ask for the password
+ for PID in $(ps | grep -e '/lib/cryptsetup/askpass' -e 'plymouth.*ask-for-password' | sed -n -e '/grep/! { s#[[:space:]]*\([0-9]\+\)[[:space:]]*.*#\1#p ; }')
+ do
+ kill -9 "${PID}"
+ done
+
   #FSTYPE=''
   #eval $(fstype < "$NEWROOT")
   FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
--- /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh 2014-12-28 22:16:37.909586616 +0100
+++ /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh 2015-03-11 22:33:41.000000000 +0100
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+#
+# This InitRAMFS hook provides:
+# Simple script to easily unlock LUKS encrypted root partition from remote (SSH, Telnet)
+# Intended for Debian 6.0 Squeeze
+#
+# Copyright: Matthias Bücher, see http://www.maddes.net/
+# License: GNU GPL v2 or later, see http://www.gnu.org/licenses/gpl.html
+#
+# Adopted from http://www.howtoforge.com/unlock-a-luks-encrypted-root-partition-via-ssh-on-ubuntu#comment-25990
+#
+# Thanks to:
+# - Wulf Coulmann; http://gpl.coulmann.de/ssh_luks_unlock.html
+# for his tremendeous effort to unlock LUKS root parititon remotely on Debian 5.0 Lenny and before
+#
+# History:
+# v1.0 - 2011-02-15
+# initial release
+# v1.1 - 2011-03-29
+# fixed some typos
+# (also thanks to Sven Greuer)
+#
+
+PREREQ=""
+
+prereqs()
+{
+ echo "${PREREQ}"
+}
+
+case "${1}" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+#
+# Begin real processing
+#
+
+SCRIPTNAME=unlock
+
+# 1) Create script to unlock luks partitions
+cat > ${DESTDIR}/bin/${SCRIPTNAME} << '__EOF'
+#!/bin/sh
+PATH='/sbin:/bin'
+/scripts/local-top/cryptroot noplymouth
+__EOF
+chmod 700 ${DESTDIR}/bin/${SCRIPTNAME}
+
+
+# 2) Enhance Message Of The Day (MOTD) with info how to unlock luks partition
+cat >> ${DESTDIR}/etc/motd << __EOF
+
+To unlock root partition, and maybe others like swap, run "${SCRIPTNAME}"
+__EOF

Revision history for this message
Best actionparsnip (andrew-woodhead666) said :
#2

I suggest you report a bug

Revision history for this message
Maddes (maddes.b) said :
#3

Thanks actionparsnip, that solved my question.