
[RFC] Add support for systemd initcpio setups #25

Open
fuhry wants to merge 5 commits into master from feature/systemd

Conversation


@fuhry fuhry commented Sep 12, 2023

Owner

Significant rewrite/expansion of the scencrypt hook to allow it to work with systemd-based initcpios.

Instead of replacing the systemd-cryptsetup flow, this method piggybacks on it by using a generator to add dependencies and overrides for systemd-cryptsetup disk targets, as follows:

  • systemd-initramfs-gpg-init.service initializes the GPG homedir inside the initramfs by importing all of the public keys which were packed into the initramfs.
  • systemd-gpg-decrypt@.service gets the passphrase or PIN from systemd-ask-password and passes it to gpg, which stores the keyfile at a known location (based on the key's filename).
  • systemd-cryptsetup-pgp-keyfile@.service copies the key from the decrypted location to the /run/cryptsetup-keys.d directory where it is automatically picked up by systemd-cryptsetup and used to decrypt the disk.

Because it uses systemd-ask-password, this means you can even use plymouth!

Demo video running in a virtual machine with a real Yubikey passed through on USB: https://fuhry.com/b/initramfs-scencrypt-systemd-demo.webm

This does break backward compatibility with version 1.x, because there is no way to make systemd-cryptsetup work when the key-file column (column 3) of crypttab points to a file. It has to be set to none and the pgp keyfile must be passed in an option instead. A migration script (aptly named scencrypt-migrate) is included which mostly automates the process of modifying crypttab.
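As an added illustration of the crypttab change described above (my own example, not the project's scencrypt-migrate script): a POSIX shell helper that rewrites 1.x-style entries so that column 3 becomes none and the path moves into the options column as pgp-keyfile=. Skipping /dev/* key sources and merging into an existing options column are assumptions about how such a migration should behave.

```shell
#!/bin/sh
# Hypothetical migration helper (added example, not the project's own
# scencrypt-migrate). Rewrites crypttab entries from the 1.x layout, where
# column 3 named the GPG-encrypted keyfile, to the layout the systemd flow
# needs: column 3 is "none" and the path rides in column 4 as pgp-keyfile=.
migrate_crypttab_line() {
    printf '%s\n' "$1" | awk '
        # Comments and blank lines pass through untouched.
        /^[[:space:]]*#/ || NF == 0 { print; next }
        # Nothing to move: no keyfile column, or already migrated.
        $3 == "" || $3 == "none" || $3 == "-" { print; next }
        $4 ~ /(^|,)pgp-keyfile=/ { print; next }
        # Assumption: /dev/* key sources (e.g. random-keyed swap) are not
        # scencrypt-managed, so they are left alone.
        $3 ~ /^\/dev\// { print; next }
        {
            key = $3
            $3 = "none"
            opt = "pgp-keyfile=" key
            # Append to the existing options, or create column 4 if absent.
            if ($4 == "") $4 = opt
            else $4 = $4 "," opt
            # Re-emit space separated; tabs in the input are normalised.
            print $1, $2, $3, $4
        }'
}

# Migrate a whole crypttab read from stdin to stdout, one entry at a time.
migrate_crypttab() {
    while IFS= read -r line || [ -n "$line" ]; do
        migrate_crypttab_line "$line"
    done
}
```

Review the output before replacing /etc/crypttab, then regenerate the initramfs so the hook sees the new layout.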

fuhry added 4 commits April 26, 2023 21:32
NOT WORKING ON SYSTEMD 253 AND ABOVE.
NOT VERIFIED TO BE COMPATIBLE WITH EXISTING CRYPTTABS.

In its current state, this crashes systemd-253 and above with the error message "Failed to start up manager" during early boot, which halts startup.

Support for systemd also requires the pgp keyfile to be specified as `pgp-keyfile=...` as an option in the crypttab entry, instead of in the keyfile column. (Otherwise, systemd-decrypt will try to load it as an ordinary keyfile.)

Documentation and migration tools will be updated once this gets closer to release quality.

fossdd commented Jan 4, 2024


Hey, did you maybe forget to include the scencrypt-migrate file?


fuhry commented Jan 8, 2024

Owner Author

Hi @fossdd, sorry about that, I've pushed it now. Thanks for flagging!
