author | Franz Pletz <fpletz@fnordicwalking.de> | 2018-03-05 10:02:39 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-03-05 10:02:39 +0000 |
commit | 17ba8bb3e0beeb29aa190a3fec4eea2626d5d347 (patch) | |
tree | 49531a15a9122a1c2ac146111d4dde51e8538f33 | |
parent | eb57fe69dc6781998fd499834cd63f0bc7f9b347 (diff) | |
parent | b8a85fccd9db8f0fd9ac555605c728ca731b788e (diff) | |
Merge pull request #30416 from symphorien/luksnokey
nixos/luksroot.nix: fallback to interactive password entry when no keyfile found
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 8b390e1b60c4..54dfb53fd30f 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with lib; let luks = config.boot.initrd.luks; - openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; '' + openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallbackToPassword, ... }: assert name' == name; '' # Wait for a target (e.g. device, keyFile, header, ...) to appear. wait_target() { @@ -43,8 +43,17 @@ let open_normally() { echo luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \ ${optionalString (header != null) "--header=${header}"} \ - ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \ > /.luksopen_args + ${optionalString (keyFile != null) '' + ${optionalString fallbackToPassword "if [ -e ${keyFile} ]; then"} + echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \ + >> /.luksopen_args + ${optionalString fallbackToPassword '' + else + echo "keyfile ${keyFile} not found -- fallback to interactive unlocking" + fi + ''} + ''} cryptsetup-askpass rm /.luksopen_args } @@ -324,6 +333,16 @@ in ''; }; + fallbackToPassword = mkOption { + default = false; + type = types.bool; + description = '' + Whether to fallback to interactive passphrase prompt if the keyfile + cannot be found. This will prevent unattended boot should the keyfile + go missing. + ''; + }; + yubikey = mkOption { default = null; description = '' |
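Review bot: The `[ -e ${keyFile} ]` test in `open_normally` interpolates the path unquoted and is evaluated only once, so a key path containing whitespace, or a key on a device that has not appeared yet, ends up in the `else` branch and is reported as "not found". Quoting the test, `if [ -e ${escapeShellArg keyFile} ]; then`, covers the first case; the second depends on `wait_target` having been run for the key file before `open_normally` is called, which is outside this hunk and should be confirmed. The fallback also triggers only on a missing file: a key file that is present but does not open the volume is still passed as `--key-file`, and nothing visible here retries with a passphrase.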
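Review bot: The `fallbackToPassword` description does not say that the option only takes effect when `keyFile` is set (the new shell code sits inside `optionalString (keyFile != null)`), nor that the volume needs a passphrase key slot for the interactive prompt to succeed. I would extend the description with something like `Has no effect unless keyFile is set; the device must also have a passphrase key slot enrolled.` As a wording point, "fallback" is the noun and the verb in "Whether to fallback" should read "fall back". The option set this declaration belongs to starts and ends outside the hunk.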