[dm-crypt] Fwd: Detect successful passphrase entry for dmcrypt +LUKS from initramfs busybox prompt

Dominic Raferd dominic at timedicer.co.uk
Sat Apr 22 12:22:29 CEST 2017


On 21 April 2017 at 20:16, Jonas Meurer <jonas at freesources.org> wrote:

> Hi Dominic,
>
> Am 19.04.2017 um 08:39 schrieb Dominic Raferd:
> > Sorry if this is off-topic for this mailing list. I am setting up a
> > (Ubuntu 16.04) machine with dmcrypt+LUKS encrypted root system (standard
> > Debian/Ubuntu recipe) but with added capability for remote entry of the
> > passphrase (using dropbear via busybox shell). After the user has
> > entered the passphrase (and it is piped into /lib/cryptsetup/passfifo) I
> > would like an easy and preferably fast way for a local script (i.e.
> > running under busybox ash shell) to detect whether the passphrase entry
> > has been successful or not - without requiring local access or a second
> > remote login. Thanks for any help.
>
> Indeed it's slightly off-topic as initscripts and initramfs integration
> are specific to the distributions that ship/package cryptsetup.
>
> One quick idea is that you could test for existence of the
> /dev/mapper/<target> device file. If it exists, then the unlocking was
> successful.
>
> I usually logout of the system after remotely unlocking it via initramfs
> ssh session and monitor the ping in another terminal. If the ping stops
> being answered and continues a few seconds afterwards, that indicates
> that the unlock attempt was successful and I login to the booted system.
>

Thanks Jonas for your suggestion. In the end, I came up with the script
below, partly from an idea at https://github.com/rhansen/unlock-cryptroot
(kudos).

I needed a solution that could be run from any external fs e.g. connecting
to the initramfs using plink under Windows - i.e. that could run entirely
on the initramfs; and I needed it to be simple for a non-tech person. This
is what I now have; it is placed in the initramfs by 'update-initramfs -u -k all'
and can be run from there as /scripts/pass:

# cat /etc/initramfs-tools/scripts/pass
#!/bin/sh
# by Dominic v0.2 [22 Apr 2017]
# Prompt (silently) up to three times; each entry is written to the fifo that
# the cryptroot script is waiting on.  Success is detected by the cryptroot
# process disappearing from the process table within nine seconds.
for i in 1 2 3; do
        [ $i -gt 1 ] && echo " Failed"
        read -sp "Enter passphrase, then press ENTER/RETURN: " REPLY
        # '%s' keeps '%' and '\' in the passphrase from being interpreted
        printf '%s' "$REPLY" >/lib/cryptsetup/passfifo
        for j in 1 2 3 4 5 6 7 8 9; do
                # no ps at all, or no cryptroot process: the unlock loop has ended
                ps >/tmp/ps.txt 2>/dev/null || { DONE="y"; break; }
                grep -q "cryptroo[t]" /tmp/ps.txt || { DONE="y"; break; }
                sleep 1s; printf "."
        done
        [ "$DONE" = "y" ] && break
done
if [ -z "$DONE" ]; then
        echo " Failed, sorry."
else
        echo " Success! Boot is proceeding"
fi
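Jonas's alternative check, waiting for /dev/mapper/<target> to appear, as an added example that is not part of the thread or of unlock-cryptroot. It assumes the Debian/Ubuntu initramfs keeps the target name in /conf/conf.d/cryptroot as "target=<name>,source=...,key=..." lines; the function names and the sample config are constructed here.

```shell
#!/bin/sh
# Added example: detect a successful unlock by the appearance of the
# device-mapper node rather than by watching the process table.
# Assumption: /conf/conf.d/cryptroot holds lines like
#   target=sda5_crypt,source=UUID=...,key=none,lvm=vg-root
# and a successful unlock creates /dev/mapper/<target>.

# Print the name from the first "target=" entry in a cryptroot config file.
# Prints nothing if the file has no such entry.
cryptroot_target() {
    sed -n 's/^target=\([^,]*\).*/\1/p' "$1" | head -n 1
}

# Poll MAPPER_DIR/TARGET for up to TIMEOUT seconds, printing a dot per
# second like the script above.  Returns 0 once the node exists, 1 on timeout.
wait_for_mapper() {
    mapper_dir=$1; target=$2; timeout=$3
    elapsed=0
    while :; do
        if [ -e "$mapper_dir/$target" ]; then
            return 0
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1; printf "."
        elapsed=$((elapsed + 1))
    done
}

# Read the target from CONF and wait for it under MAPPER_DIR.
# Returns 2 if no target can be read, otherwise as wait_for_mapper.
check_unlock() {
    target=$(cryptroot_target "$1")
    [ -n "$target" ] || return 2
    wait_for_mapper "$2" "$target" "$3"
}

# On a real initramfs (after writing the passphrase to the passfifo):
#   check_unlock /conf/conf.d/cryptroot /dev/mapper 30 && echo " Success!"
```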