
[RFC] Add support for systemd initcpio setups

Open fuhry opened this issue 2 years ago • 2 comments

Significant rewrite/expansion of the scencrypt hook to allow it to work with systemd-based initcpios.

Instead of replacing the systemd-cryptsetup flow, this method piggybacks on it by using a generator to add dependencies and overrides for systemd-cryptsetup disk targets, as follows:

  • systemd-initramfs-gpg-init.service initializes the GPG homedir inside the initramfs by importing all of the public keys which were packed into the initramfs.
  • [email protected] gets the passphrase or PIN from systemd-ask-password and passes it to gpg, which stores the keyfile at a known location (based on the key's filename).
  • [email protected] copies the key from the decrypted location to the /run/cryptsetup-keys.d directory where it is automatically picked up by systemd-cryptsetup and used to decrypt the disk.

Because it uses systemd-ask-password, you can even use plymouth!

Demo video running in a virtual machine with a real Yubikey passed through on USB: https://fuhry.com/b/initramfs-scencrypt-systemd-demo.webm

This does break backward compatibility with version 1.x, because there is no way to make systemd-cryptsetup work when the key-file column (column 3) of crypttab points to a file. It has to be set to none and the pgp keyfile must be passed in an option instead. A migration script (aptly named scencrypt-migrate) is included which mostly automates the process of modifying crypttab.

fuhry avatar Sep 12 '23 02:09 fuhry
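A worked sketch of the two pieces the description above relies on: the crypttab rewrite that moves the PGP keyfile out of column 3 into an option, and a systemd generator that hangs a per-volume unlock dependency on systemd-cryptsetup@<name>.service so the key is sitting in /run/cryptsetup-keys.d before the disk is opened. This is an added example for this page, not the PR's own hook, generator or scencrypt-migrate script. It assumes an option name scencrypt-keyfile= and a helper unit scencrypt-unlock@.service, neither of which the PR text names (the real template unit names are obscured in the description above), and it leaves /dev/* keyfiles alone on the assumption that those (e.g. /dev/urandom for swap) are still read directly by systemd-cryptsetup and must not be migrated. The crypttab it runs on is constructed sample data.

```shell
#!/bin/sh
# Added example, not the project's own scencrypt-migrate or generator code.
#   1. scencrypt_migrate_line: rewrite a crypttab entry so column 3 is "none"
#      and the PGP keyfile path travels in the options column instead.
#   2. scencrypt_generator: a systemd generator ($1 = generator output dir)
#      that, for every migrated entry, drops in Requires=/After= on a
#      per-volume unlock unit, so the key is in /run/cryptsetup-keys.d/
#      before systemd-cryptsetup@<name>.service runs.
# ASSUMPTIONS (not in the PR text): the option name "scencrypt-keyfile=" and
# the helper unit "scencrypt-unlock@.service" are made up here, and keyfiles
# under /dev/ are assumed to be ones systemd-cryptsetup reads directly.
set -f   # no globbing while crypttab lines are split with "set --"

SCENCRYPT_OPT="scencrypt-keyfile"
SCENCRYPT_UNIT="scencrypt-unlock"

# Rewrite one crypttab line; prints the line (unchanged if nothing to migrate).
scencrypt_migrate_line() {
    line=$1
    set -- $line
    # Blank lines, comments and entries already using none/- pass through.
    if [ $# -eq 0 ]; then printf '%s\n' "$line"; return 0; fi
    case "$1" in '#'*) printf '%s\n' "$line"; return 0 ;; esac
    name=$1; device=$2; keyfile=${3:-none}; opts=${4:-}
    case "$keyfile" in none|-|/dev/*) printf '%s\n' "$line"; return 0 ;; esac
    # Already migrated: do not add the option twice.
    case ",$opts," in *",$SCENCRYPT_OPT="*) printf '%s\n' "$line"; return 0 ;; esac
    if [ -z "$opts" ] || [ "$opts" = "-" ]; then
        opts="$SCENCRYPT_OPT=$keyfile"
    else
        opts="$opts,$SCENCRYPT_OPT=$keyfile"
    fi
    printf '%s %s none %s\n' "$name" "$device" "$opts"
}

# Migrate a whole crypttab file to stdout.
scencrypt_migrate_crypttab() {
    while IFS= read -r l || [ -n "$l" ]; do
        scencrypt_migrate_line "$l"
    done < "$1"
}

# Print the keyfile named by the scencrypt option in an options field;
# returns 1 (prints nothing) when the option is absent.
scencrypt_keyfile_from_opts() {
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do
        case "$o" in "$SCENCRYPT_OPT="*) printf '%s\n' "${o#*=}"; return 0 ;; esac
    done
    return 1
}

# Generator: $1 = generator output dir, $2 = crypttab (default /etc/crypttab).
# Writes systemd-cryptsetup@<name>.service.d/scencrypt.conf for each
# migrated entry and prints how many drop-ins it wrote.
scencrypt_generator() {
    gendir=$1; crypttab=${2:-/etc/crypttab}
    count=0
    while IFS= read -r l || [ -n "$l" ]; do
        set -- $l
        [ $# -ge 4 ] || continue
        case "$1" in '#'*) continue ;; esac
        name=$1; opts=$4
        keyfile=$(scencrypt_keyfile_from_opts "$opts") || continue
        d="$gendir/systemd-cryptsetup@$name.service.d"
        mkdir -p "$d"
        {
            printf '# key for %s is produced from %s by %s@%s.service\n' \
                "$name" "$keyfile" "$SCENCRYPT_UNIT" "$name"
            printf '[Unit]\nRequires=%s@%s.service\nAfter=%s@%s.service\n' \
                "$SCENCRYPT_UNIT" "$name" "$SCENCRYPT_UNIT" "$name"
        } > "$d/scencrypt.conf"
        count=$((count + 1))
    done < "$crypttab"
    echo "$count"
}

# Demo on a constructed crypttab (sample data, not from a real system).
tmp=$(mktemp -d)
cat > "$tmp/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
cryptroot UUID=11111111-2222-3333-4444-555555555555 /etc/scencrypt/root.key.gpg luks,discard
cryptswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256
cryptdata /dev/sda4 none luks
EOF
scencrypt_migrate_crypttab "$tmp/crypttab" > "$tmp/crypttab.new"
cat "$tmp/crypttab.new"
scencrypt_generator "$tmp/gen" "$tmp/crypttab.new" > /dev/null
cat "$tmp/gen/systemd-cryptsetup@cryptroot.service.d/scencrypt.conf"
rm -rf "$tmp"
```

Only cryptroot gets a drop-in: cryptswap keeps /dev/urandom in column 3 and cryptdata never had a keyfile, so neither gains the option and the generator ignores them. A real generator is invoked by systemd with three output directories and a minimal environment, so anything it needs (the crypttab path, the option name) has to be baked in rather than taken from arguments as the demo does for testability.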

Hey, did you maybe forget to include the scencrypt-migrate file?

fossdd avatar Jan 04 '24 22:01 fossdd

Hi @fossdd, sorry about that, I've pushed it now. Thanks for flagging!

fuhry avatar Jan 08 '24 18:01 fuhry