On 2017-07-01 21:11:29, Guilhem Moulin wrote:
> On Sat, 01 Jul 2017 at 14:00:19 -0400, Antoine Beaupré wrote:
>> Some more information. Attached is the script I originally used.
>
> Looks like you forgot the attachment :-P

Typical.

Here's /etc/initramfs-tools/hooks/crypt_unlock.sh attached. It calls
cryptroot-unlock and then runs its own extra unlocking.

I haven't tested it recently so I don't remember exactly how it
fails. Maybe with the dropbear change it will work correctly...

A.
-- 
Twenty years from now you will be more disappointed by the things that
you didn't do than by the ones you did do. So throw off the bowlines.
Sail away from the safe harbor. Catch the trade winds in your sails.
Explore. Dream. Discover.  - Mark Twain
#!/bin/sh

# this script is designed to unlock partitions on marcos. rerun
# update-initramfs -u when changing. newer cryptsetup versions (1.7.x
# from stretch) may deal with this better, although by reading the
# cryptroot-unlock script, it doesn't look like it.

# some of this is cargo-culted from:
# https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/
# and /usr/share/doc/cryptsetup/README.remote.gz

# unfortunately, neither of those support multiple crypto devices: they unlock
# the first one and then systemd is stuck waiting for a passphrase for the
# other ones

PREREQ="dropbear"
# this should be autodetected
EXTRA_DISK="/dev/sdb2"
EXTRA_LABEL="4tb_crypt"

echo "setting up crypto unlock hook with extra $EXTRA_LABEL"

case "$1" in
    prereqs)
        echo $PREREQ
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot && /sbin/cryptsetup luksOpen "${EXTRA_DISK}" "${EXTRA_LABEL}"; then
# stop the console cryptroot prompt that is still waiting for a passphrase
kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
# following line kill the remote shell right after the passphrase has
# been entered.
kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
exit 0
fi
exit 1
EOF

    chmod 755 "${DESTDIR}/bin/unlock"

    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
# "=" rather than "==": the initramfs /bin/sh is not bash and rejects "=="
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF

    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    echo 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"
fi
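The hook above hardcodes EXTRA_DISK/EXTRA_LABEL ("this should be autodetected"). As an added example, not part of Antoine's hook and not code from cryptsetup, here is how the generated unlock script could instead derive the remaining devices from crypttab and open each one; it assumes the hook copies /etc/crypttab into the initramfs and that the caller passes in the root mapping name that cryptroot already opened.

```shell
#!/bin/sh
# Added example (not from the attached hook or from cryptsetup): take the
# extra LUKS devices from a copy of /etc/crypttab instead of hardcoding them.
# Where that copy lives inside the initramfs is an assumption; the hook would
# have to cp /etc/crypttab into "${DESTDIR}/etc/crypttab" itself.

# Constructed sample crypttab for this example; not from any real system.
SAMPLE_CRYPTTAB='# name       device                                  keyfile               options
sda5_crypt   UUID=00000000-0000-0000-0000-000000000000 none                 luks
4tb_crypt    /dev/sdb2                               none                  luks
backup_crypt /dev/sdc1                               /etc/keys/backup.key  luks
data_crypt   /dev/sdd1                               none                  luks,discard'

# Print "name device" for each crypttab entry that still needs a passphrase:
# skips comments, blank lines, the root mapping already opened by
# /scripts/local-top/cryptroot ($2), and entries unlocked from a key file.
extra_crypttab_devices() {
    crypttab="$1"; rootname="$2"
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        [ "$name" = "$rootname" ] && continue
        case "$keyfile" in ''|none) ;; *) continue ;; esac
        printf '%s %s\n' "$name" "$device"
    done <<EOF
$crypttab
EOF
}

# Open every remaining device. Mappings that already exist are skipped so the
# script can be re-run after a mistyped passphrase. Returns 1 if any device is
# still locked, so the caller must not kill the remote shell yet.
unlock_extra() {
    crypttab="$1"; rootname="$2"; failed=0
    while read -r name device; do
        [ -n "$name" ] || continue
        [ -e "/dev/mapper/$name" ] && continue
        /sbin/cryptsetup luksOpen "$device" "$name" || failed=1
    done <<EOF
$(extra_crypttab_devices "$crypttab" "$rootname")
EOF
    return "$failed"
}

# Inside the generated /bin/unlock this would replace the single luksOpen:
#   unlock_extra "$(cat /etc/crypttab)" sda5_crypt || exit 1
```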
