Package: cryptsetup
Version: 2:1.4.3-4
Severity: wishlist

When booting a Linux system with initramfs and an encrypted root filesystem, the initramfs first detects all block devices and then reads the pass phrase for the device. Both steps take noticeable time in the boot process and therefore pose an option for optimization.
I am proposing to read the first pass phrase as early as possible. The idea is to add a script (attached) to init-top (i.e. the earliest point to hook into initramfs-tools) that opens a new virtual terminal and asks for a pass phrase there. In the meantime device detection continues. Once control is passed over to cryptsetup it first tries the pass phrase read earlier and then falls back to the current logic. Multiple pass phrase entries may be necessary either due to the user inputting a wrong pass phrase or due to multiple devices needing to be unlocked. A big downside here is that the new prompt cannot tell which device is about to be unlocked. So this method would only be useful when there is exactly one device to be unlocked.

The attached script is to be dropped in scripts/init-top and set to be executable. It may be necessary to list keymap in prereqs to get the correct keyboard layout. The script then forks itself into a new foreground virtual terminal and uses the usual askpass utility to retrieve the pass phrase from the user. Device detection is to continue in the background. The pass phrase is stored in a temporary file in /run. Once read, the virtual terminal is switched back to the main one, so the user can see boot messages again. Then it is copied to a fifo and the temporary file is deleted.

To use this pass phrase the cryptroot script should replace its invocation of askpass with a more complex action. It should check whether the fifo exists and, if that is the case, read and delete it. Otherwise it should fall back to invoking askpass as usual.

The method explained basically works (in qemu), but needs some more refinement before it can be shipped by the cryptsetup package. Some kind of detection about when to ask for a pass phrase is still missing, so the script would somewhat break systems without an encrypted root filesystem. It cannot be used with plymouth either and should be deactivated when a plymouth environment is detected.
What do you think about such a method? I cannot yet tell how this idea interferes with #678696. It might make sense to wait for its completion.

Helmut
#!/bin/sh
PASSFIFO=/run/cryptsetup-firstpass
PASSTMP=/run/cryptsetup-firstpass.tmp

# Processing credentials with files, some of which may show up in the booted
# system. Better be careful.
umask 077

case "$1" in
prereqs)
    echo "" # no prereqs
    exit 0
    ;;
readpass)
    # Runs on the freshly opened vt: prompt the user while device detection
    # continues on the main vt.
    /lib/cryptsetup/askpass "Unlocking first crypto device:\nEnter passphrase: " > "$PASSTMP"
    # Switch to standard vt so boot messages become visible again.
    chvt 1
    # Writing to the fifo blocks until cryptroot opens it for reading.
    cat "$PASSTMP" > "$PASSFIFO"
    rm -f "$PASSTMP"
    # Removing $PASSFIFO is the responsibility of the reader.
    exit 0
    ;;
*)
    # Created with umask 077, so only root can open the fifo.
    mkfifo "$PASSFIFO"
    # Reexecuting myself on a different vt and switching to that vt.
    openvt -s -- "$0" readpass
    exit 0
    ;;
esac
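The reader side that the report asks cryptroot to implement (use the early pass phrase once if the fifo exists, otherwise fall back to askpass), as an added example: it is neither the attached script nor cryptsetup's own code, and the function name get_passphrase, the overridable PASSFIFO and ASKPASS variables, and the fifo/askpass paths are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example of the cryptroot-side consumer for the first-pass fifo.
# Assumptions: the init-top script above created $PASSFIFO with umask 077;
# $ASKPASS is the usual askpass binary. Both can be overridden for testing.
PASSFIFO="${PASSFIFO:-/run/cryptsetup-firstpass}"
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"

# get_passphrase PROMPT
# Prints one pass phrase on stdout, exactly like askpass would, so the caller
# can keep piping it into cryptsetup unchanged.
get_passphrase() {
    # -p accepts only a real fifo: a stray regular file at that path is ignored
    # and never treated as a credential source.
    if [ -p "$PASSFIFO" ]; then
        # Blocks until the init-top writer has the pass phrase from the user.
        cat "$PASSFIFO"
        # The early pass phrase is single use: remove the fifo (the report makes
        # this the reader's job) so retries and further devices use askpass.
        rm -f "$PASSFIFO"
    else
        "$ASKPASS" "$1"
    fi
}
```

Because the fifo is deleted after the first read, a wrong early pass phrase or a second encrypted device naturally falls through to the normal askpass prompt, which also names the device.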