In initramfs, do not prompt if keylocation is "file://"

If the encryption key is stored in a file, the initramfs should not prompt for the password. For example, this could be the case if the boot partition is stored on removable media that is only present at boot time Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Garrett Fields <ghfields@gmail.com> Reviewed-by: Richard Laager <rlaager@wiktel.com> Reviewed-by: Kjeld Schouten <kjeld@schouten-lebbing.nl> Signed-off-by: Sam Lunt <samuel.j.lunt@gmail.com> Closes #9764
2019-12-26 12:55:20 -06:00 · 2019-12-26 12:55:20 -06:00 · ad353e2147
commit ad353e2147
parent 8cda5c5ce9
2 changed files with 20 additions and 7 deletions
--- a/contrib/dracut/90zfs/zfs-load-key.sh.in
+++ b/contrib/dracut/90zfs/zfs-load-key.sh.in
@ -37,15 +37,22 @@ fi
 if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{print $1}'))" = 'active' ]; then
    # if the root dataset has encryption enabled
    ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
+    # where the key is stored (in a file or loaded via prompt)
+    KEYLOCATION=$(${ZFS} get -H -o value keylocation "${ENCRYPTIONROOT}")
    if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
        KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
        # continue only if the key needs to be loaded
        [ "$KEYSTATUS" = "unavailable" ] || exit 0
-        # decrypt them
-        TRY_COUNT=5
-        while [ $TRY_COUNT -gt 0 ]; do
-            systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
-            TRY_COUNT=$((TRY_COUNT - 1))
-        done
+        # if key is stored in a file, do not prompt
+        if ! [ "${KEYLOCATION}" = "prompt" ]; then
+            zfs load-key "${ENCRYPTIONROOT}"
+        else
+            # decrypt them
+            TRY_COUNT=5
+            while [ $TRY_COUNT -gt 0 ]; do
+                systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
+                TRY_COUNT=$((TRY_COUNT - 1))
+            done
+        fi
    fi
 fi
--- a/contrib/initramfs/scripts/zfs.in
+++ b/contrib/initramfs/scripts/zfs.in
@ -411,6 +411,7 @@ decrypt_fs()

 		# Determine dataset that holds key for root dataset
 		ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
+		KEYLOCATION="$(get_fs_value "${ENCRYPTIONROOT}" keylocation)"

 		# If root dataset is encrypted...
 		if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
@ -418,8 +419,13 @@ decrypt_fs()
 			# Continue only if the key needs to be loaded
 			[ "$KEYSTATUS" = "unavailable" ] || return 0
 			TRY_COUNT=3
+
+			# If key is stored in a file, do not prompt
+			if ! [ "${KEYLOCATION}" = "prompt" ]; then
+				$ZFS load-key "${ENCRYPTIONROOT}"
+
 			# Prompt with plymouth, if active
-			if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
+			elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
 				while [ $TRY_COUNT -gt 0 ]; do
 					plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
 						$ZFS load-key "${ENCRYPTIONROOT}" && break