cryptsetup: [patch] fix remote unlock of encrypted root when plymouth is installed

Asked by Maddes

Dear Maintainer,

The cryptroot script always uses plymouth if present (plymouth is
installed by default on Ubuntu).
Unfortunately this prevents unlocking an encrypted root from the console
(e.g. via SSH).
Attached is a patch based on 14.04 LTS with a solution to this issue.

Changes in /usr/share/initramfs-tools/scripts/local-top/cryptroot
- new parameter "noplymouth": possible to use during boot time to avoid
usage of plymouth even if present
- kill all processes which ask for the password after encrypted root is
available

New file /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh
- creates /bin/unlock script in initramfs to define correct PATH and
call cryptroot script with correct parameter
- creates /etc/motd file in initramfs to inform user about unlock script

Question information

Language: English
Status: Solved
For: Ubuntu cryptsetup
Assignee: No assignee
Solved by: actionparsnip
Maddes (maddes.b) said:
#1

--- /usr/share/initramfs-tools/scripts/local-top/cryptroot 2012-11-07 16:28:47.000000000 +0100
+++ /usr/share/initramfs-tools/scripts/local-top/cryptroot 2015-03-11 23:25:18.000000000 +0100
@@ -16,11 +16,15 @@ prereqs()
  done
 }

+NOPLYMOUTH=0
+
 case $1 in
 prereqs)
  prereqs
  exit 0
  ;;
+noplymouth)
+ NOPLYMOUTH=1
 esac

 # source for log_*_msg() functions, see LP: #272301
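Review bot: the new `noplymouth)` item at the end of the `case $1 in` block has no `;;` terminator, unlike the `prereqs)` item above it. POSIX sh accepts a missing `;;` on the last item, but adding it keeps the two items consistent and avoids a surprise if another item is appended after it later. For the same consistency, the subject could be quoted as `case "$1" in`, matching the `case "${1}" in` used in the new hook file of this patch.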
@@ -31,7 +35,7 @@ esac
 #
 message()
 {
- if [ -x /bin/plymouth ] && plymouth --ping; then
+ if [ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ] && plymouth --ping; then
   plymouth message --text="$@"
  else
   echo "$@" >&2
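Review bot: `[ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ]` relies on the `-a` binary operator of `test`, which POSIX marks obsolescent and which some `sh` implementations parse ambiguously once an operand looks like an option. Splitting it into two tests is unambiguous and reads the same: `if [ "${NOPLYMOUTH}" -eq 0 ] && [ -x /bin/plymouth ] && plymouth --ping; then`. Since `NOPLYMOUTH` is only ever assigned `0` or `1` in this script, `-eq 0` works, but the string form `[ "${NOPLYMOUTH}" = 0 ]` would not abort with a `test` error should the variable ever hold a non-numeric value.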
@@ -249,7 +253,7 @@ setup_mapping()

   if [ -z "$cryptkeyscript" ]; then
    cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
- if [ -x /bin/plymouth ] && plymouth --ping; then
+ if [ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ] && plymouth --ping; then
     cryptkeyscript="plymouth ask-for-password --prompt"
     cryptkey=$(printf "$cryptkey")
    else
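Review bot: this is the second verbatim copy of the plymouth-availability condition already changed in `message()` above. A helper defined once next to `NOPLYMOUTH=0`, for example `use_plymouth() { [ "${NOPLYMOUTH}" -eq 0 ] && [ -x /bin/plymouth ] && plymouth --ping; }`, would let both call sites read `if use_plymouth; then` and keep any later change to the rule in a single place.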
@@ -271,6 +275,12 @@ setup_mapping()
    return 1
   fi

+ # Kill all remaining processes that ask for the password
+ for PID in $(ps | grep -e '/lib/cryptsetup/askpass' -e 'plymouth.*ask-for-password' | sed -n -e '/grep/! { s#[[:space:]]*\([0-9]\+\)[[:space:]]*.*#\1#p ; }')
+ do
+ kill -9 "${PID}"
+ done
+
   #FSTYPE=''
   #eval $(fstype < "$NEWROOT")
   FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
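Review bot: the kill loop added after the successful mapping scrapes `ps` output and is fragile in the sed step: the expression `s#[[:space:]]*\([0-9]\+\)[[:space:]]*.*#\1#p` has no `^` anchor, so on a `ps` layout where the PID is not the first column it matches the first run of digits anywhere in the line and leaves the text before it in place, and `kill -9` is then handed something that is not a PID. Anchoring with `^` (and ideally selecting the PID column explicitly) makes the extraction predictable. Two further points: `kill -9` gives the console-side `askpass` or `plymouth ask-for-password` no chance to restore the terminal, so sending plain `kill` (SIGTERM) first and falling back to `-9` only for survivors is the safer sequence; and because the pattern matches every password prompt rather than the one for `$crypttarget`, with several crypttab entries it also kills prompts that belong to other mappings still waiting (the "maybe others like swap" case the hook's MOTD text mentions).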
--- /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh 2014-12-28 22:16:37.909586616 +0100
+++ /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh 2015-03-11 22:33:41.000000000 +0100
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+#
+# This InitRAMFS hook provides:
+# Simple script to easily unlock LUKS encrypted root partition from remote (SSH, Telnet)
+# Intended for Debian 6.0 Squeeze
+#
+# Copyright: Matthias Bücher, see http://www.maddes.net/
+# License: GNU GPL v2 or later, see http://www.gnu.org/licenses/gpl.html
+#
+# Adopted from http://www.howtoforge.com/unlock-a-luks-encrypted-root-partition-via-ssh-on-ubuntu#comment-25990
+#
+# Thanks to:
+# - Wulf Coulmann; http://gpl.coulmann.de/ssh_luks_unlock.html
+# for his tremendeous effort to unlock LUKS root parititon remotely on Debian 5.0 Lenny and before
+#
+# History:
+# v1.0 - 2011-02-15
+# initial release
+# v1.1 - 2011-03-29
+# fixed some typos
+# (also thanks to Sven Greuer)
+#
+
+PREREQ=""
+
+prereqs()
+{
+ echo "${PREREQ}"
+}
+
+case "${1}" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+#
+# Begin real processing
+#
+
+SCRIPTNAME=unlock
+
+# 1) Create script to unlock luks partitions
+cat > ${DESTDIR}/bin/${SCRIPTNAME} << '__EOF'
+#!/bin/sh
+PATH='/sbin:/bin'
+/scripts/local-top/cryptroot noplymouth
+__EOF
+chmod 700 ${DESTDIR}/bin/${SCRIPTNAME}
+
+
+# 2) Enhance Message Of The Day (MOTD) with info how to unlock luks partition
+cat >> ${DESTDIR}/etc/motd << __EOF
+
+To unlock root partition, and maybe others like swap, run "${SCRIPTNAME}"
+__EOF
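Review bot: the hook creates `${DESTDIR}/bin/unlock` and appends to the MOTD unconditionally, but the generated script calls `/scripts/local-top/cryptroot noplymouth`, which only exists, and only understands `noplymouth`, when cryptsetup with the patched cryptroot script is installed on the build host; a guard such as `[ -x /usr/share/initramfs-tools/scripts/local-top/cryptroot ] || exit 0` after sourcing `hook-functions` would keep an initramfs built without cryptsetup from shipping a broken `unlock` command and a misleading MOTD. Two smaller points on the same file: the header still says "Intended for Debian 6.0 Squeeze" although the patch targets Ubuntu 14.04, and it carries the typos "tremendeous" and "parititon"; and `${DESTDIR}` is unquoted in the `cat >`, `chmod` and `cat >>` lines while `${1}` and `${PREREQ}` are quoted, so the quoting should be made consistent.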

Best actionparsnip (andrew-woodhead666) said:
#2

I suggest you report a bug

Maddes (maddes.b) said:
#3

Thanks actionparsnip, that solved my question.