ISSUE-37: Allow luks unlocking via keyfile specified in kernel parameters with rd.luks.key
For #37: Add support for unlocking a luks volume by keyfile; reworked the luks mappings a little to allow more complex patterns of parsing parameters and building mappings.
This slightly tweaks creating luksMapping lists so they can occur multiple times in the kernel parameter list and it just updates the relevant properties for each mapping (to allow extending even further if desired).
- update the luksMapping type to hold a keyfile
- add a luksMapping findOrCreate function in luks.go, which either finds the existing mapping by UUID or adds one
- update rd.luks.uuid and rd.luks.name in cmdline.go to make use of findOrCreate
- add rd.luks.key with the format UUID=keyfile, which should point to a file in the initramfs containing the password
- add a recoverKeyfilePassword goroutine which attempts to read the password from the keyfile and unlock the device, falling back to the requestKeyboardPassword option if that fails
- update luksOpen to call recoverKeyfilePassword if a keyfile is defined on the mapping
Putting this forward more as an idea for the approach, not sure how good or bad the specific way I implemented it is.
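As an added illustration of the parsing approach described in the PR (not the project's own code): a findOrCreate helper keyed by UUID, and a command-line walk that lets rd.luks.uuid, rd.luks.name and rd.luks.key appear in any order while rejecting a malformed UUID=value. The type and function names are assumed for this example.

```go
package main

import "fmt"
import "strings"

// luksMapping: one entry per LUKS volume keyed by UUID, with an optional keyfile path (names assumed).
type luksMapping struct {
	uuid, name, keyfile string
}

// findOrCreateLuksMapping returns the mapping for uuid, appending a new one if
// absent, so rd.luks.uuid, rd.luks.name and rd.luks.key may appear in any order.
func findOrCreateLuksMapping(mappings *[]*luksMapping, uuid string) *luksMapping {
	for _, m := range *mappings {
		if m.uuid == uuid {
			return m
		}
	}
	m := &luksMapping{uuid: uuid}
	*mappings = append(*mappings, m)
	return m
}

// parseLuksCmdline builds the mapping list from a kernel command line. Both
// rd.luks.name and rd.luks.key take UUID=value; a malformed value is an error.
func parseLuksCmdline(cmdline string) ([]*luksMapping, error) {
	var mappings []*luksMapping
	for _, field := range strings.Fields(cmdline) {
		key, value, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		switch key {
		case "rd.luks.uuid":
			findOrCreateLuksMapping(&mappings, value)
		case "rd.luks.name", "rd.luks.key":
			uuid, rest, ok := strings.Cut(value, "=")
			if !ok || uuid == "" || rest == "" {
				return nil, fmt.Errorf("%s: expected UUID=value, got %q", key, value)
			}
			m := findOrCreateLuksMapping(&mappings, uuid)
			if key == "rd.luks.name" {
				m.name = rest
			} else {
				m.keyfile = rest
			}
		}
	}
	return mappings, nil
}
```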
Okay, the change looks fine. A few minor things to do - document the new param, and refactor findOrCreateLuksMapping to make it more readable.
Got pulled away on a business trip so didn't have a chance to finish cleaning this up. I agree that the actual read from external is a whole job on its own, I just wanted the placeholder for a future request to make easy integration work of it.
I have updated the docs and merged back in the new changes.
@jacobmyers-codeninja I squashed your commits and cleaned up a bit. Please review it and then I'll move forward with merging it to the repo.
Thank you for your work!
I landed the changes to the wip branch so I can test it at my machines before pushing it to master.
Absolutely, let me know if you run into anything too. I will do my best to make sure it's good. I have a few machines here in different states I can test more with besides the one I was using to write it.