
Merge pull request #30416 from symphorien/luksnokey

nixos/luksroot.nix: fallback to interactive password entry when no keyfile found

authored by

Franz Pletz and committed by
GitHub
17ba8bb3 eb57fe69

+21 -2
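--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -5,7 +5,7 @@
 let
   luks = config.boot.initrd.luks;
 
-  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
+  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallbackToPassword, ... }: assert name' == name; ''
 
     # Wait for a target (e.g. device, keyFile, header, ...) to appear.
     wait_target() {
@@ -43,8 +43,17 @@
     open_normally() {
       echo luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \
         ${optionalString (header != null) "--header=${header}"} \
-        ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \
         > /.luksopen_args
+      ${optionalString (keyFile != null) ''
+        ${optionalString fallbackToPassword "if [ -e ${keyFile} ]; then"}
+          echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \
+            >> /.luksopen_args
+        ${optionalString fallbackToPassword ''
+          else
+            echo "keyfile ${keyFile} not found -- fallback to interactive unlocking"
+          fi
+        ''}
+      ''}
       cryptsetup-askpass
       rm /.luksopen_args
     }
@@ -321,6 +330,16 @@
             Whether to allow TRIM requests to the underlying device. This option
             has security implications; please read the LUKS documentation before
             activating it.
+          '';
+        };
+
+        fallbackToPassword = mkOption {
+          default = false;
+          type = types.bool;
+          description = ''
+            Whether to fallback to interactive passphrase prompt if the keyfile
+            cannot be found. This will prevent unattended boot should the keyfile
+            go missing.
           '';
         };
 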
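Review bot: The fallback in open_normally is gated on `[ -e ${keyFile} ]`, which only checks that the path exists; a keyfile that is present but unreadable in the initrd, or that resolves to a directory, will not take the fallback branch and the generated luksOpen will still fail with `--key-file` as before, which is the exact failure the option is meant to avoid. A narrower test such as `if [ -r ${keyFile} ]; then` (note the unquoted path also breaks for a keyFile containing whitespace; `"${keyFile}"` is safer) would make the fallback fire in those cases too. The wait_target helper referenced at the top of openCommand is outside the hunk, so I cannot see whether the script still waits for keyFile before reaching this check; if it does, the interactive fallback would only be reached after that wait gives up, which is worth confirming and stating in the option description. In the description, "fallback to" as a verb should read "fall back to".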