public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #30416 from symphorien/luksnokey

Browse Source 
nixos/luksroot.nix: fallback to interactive password entry when no keyfile found
This commit is contained in:
Franz Pletz 2018-03-05 10:02:39 +00:00 committed by GitHub
commit 17ba8bb3e0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
nixos/modules/system/boot/luksroot.nix
View File

@ -5,7 +5,7 @@ with lib;
let let
luks = config.boot.initrd.luks; luks = config.boot.initrd.luks;
openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; '' openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallbackToPassword, ... }: assert name' == name; ''
# Wait for a target (e.g. device, keyFile, header, ...) to appear. # Wait for a target (e.g. device, keyFile, header, ...) to appear.
wait_target() { wait_target() {
@ -43,8 +43,17 @@ let
open_normally() { open_normally() {
echo luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \ echo luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \
${optionalString (header != null) "--header=${header}"} \ ${optionalString (header != null) "--header=${header}"} \
${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \
> /.luksopen_args > /.luksopen_args
${optionalString (keyFile != null) ''
${optionalString fallbackToPassword "if [ -e ${keyFile} ]; then"}
echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
>> /.luksopen_args
${optionalString fallbackToPassword ''
else
echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
fi
''}
''}
cryptsetup-askpass cryptsetup-askpass
rm /.luksopen_args rm /.luksopen_args
} }
@ -324,6 +333,16 @@ in
''; '';
}; };
fallbackToPassword = mkOption {
default = false;
type = types.bool;
description = ''
Whether to fallback to interactive passphrase prompt if the keyfile
cannot be found. This will prevent unattended boot should the keyfile
go missing.
'';
};
yubikey = mkOption { yubikey = mkOption {
default = null; default = null;
description = '' description = ''