unlocking encfs during boot (Re: systemd now appears to be only possible init system in testing)

Michael Biebl biebl at debian.org
Mon Jul 28 15:53:36 BST 2014


Hi,

Am 28.07.2014 01:54, schrieb Christian Hofstaedtler:
> * Michael Biebl <biebl at debian.org> [140727 23:09]:
>> Am 22.07.2014 23:54, schrieb Julian Gilbey:
>>> For me, this is a killer, as I still do not know how to solve the
>>> problem I asked a while back on debian-user
>>> (https://lists.debian.org/debian-user/2014/04/msg01286.html): in
>>> summary, I need to unlock an encrypted filesystem during boot time by
>>> asking for a password to feed into encfs.  But I cannot figure out how
>>> to do this under systemd.
>>>
>>> Answers to this question would also be much appreciated!
>>
>> Julian, do you still need help with that?
>> I've just cobbled together a short unlock.service file which seems to
>> work reasonable fine and which I can share with you.
> 
> I'd love to see that file.

Here we go:

------8<-----------
[Unit]
Description=Unlock EncFS
DefaultDependencies=no
After=local-fs.target
Before=display-manager.service getty@tty1.service

[Service]
Type=oneshot
RemainAfterExit=true
Environment=RootDir=/home/.encfs/crypt
Environment=MountPoint=/home/crypt
ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 'Unlock EncFS' | encfs --stdinpass $RootDir $MountPoint"
ExecStop=/bin/umount $MountPoint

[Install]
WantedBy=sysinit.target
------>8-----------

(The ExecStart= needs to be a single line, I hope it's not messed up by
my mailer)

I've installed that as /etc/systemd/system/unlock.service, then ran
"systemctl enable unlock.service"

A few remarks:

- I hook that service up in sysinit.target, which is similar to rcS in
sysvinit, since that is what Julian was using in his original SysV init
script.
Services which run that early should usually use DefaultDependencies=no
and specify their requirements explicitly (that's what the
After=local-fs.target is for).

- I used Type=oneshot, as I'm only interested in the unlock process and
not in tracking the encfs process.

- The usage of Environment= is entirely optional, but makes it a bit
more readable

- The ExecStop= is not strictly required, but simply a nice touch.

- Querying input on a non-sequential system (like systemd) is not
trivial. I therefore recommend the usage of plymouth. Don't consider it
as only a shiny bootsplash, but rather an I/O multiplexer [1]. If you
insist on not using plymouth, at least make sure to boot with "quiet"
enabled, otherwise your unlock prompt will be overwritten by the boot
messages.
Let me repeat: for such a case, I really recommend using plymouth!

- The Before=display-manager.service getty@tty1.service line makes sure
your plymouth (or console) prompt is not interfered with by the getty on
tty1 or X/your display manager.
Not all display managers already set up the display-manager.service
symlink properly (gdm3 in unstable and lightdm do).
So you might need to change that to list the actual service name, say you
use xdm:
Before=xdm.service ...


systemd-ask-password is clever enough to automatically use plymouth when
available or fall back to the tty agent otherwise.


If you have further questions, just ask.


Cheers,
Michael

[1] http://web.dodds.net/~vorlon/wiki/blog/Plymouth_is_not_a_bootsplash/
(currently not reachable, you might use the google cache)

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
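As an added example (not part of Michael's mail or of systemd), a small Python checker for the points the remarks above make: it parses a unit file, rejects an ExecStart= that a mailer has wrapped onto two lines, and flags a missing DefaultDependencies=no/After= pair, missing Before= ordering against display-manager.service and getty@tty1.service, a oneshot without RemainAfterExit, and an encfs call that does not take the passphrase on stdin. The unit text inside is a constructed, trimmed copy of the unlock.service shown above.

```python
# Constructed, trimmed copy of the posted unlock.service, ExecStart= on one line.
UNIT_TEXT = """\
[Unit]
DefaultDependencies=no
After=local-fs.target
Before=display-manager.service getty@tty1.service
[Service]
Type=oneshot
RemainAfterExit=true
Environment=RootDir=/home/.encfs/crypt
Environment=MountPoint=/home/crypt
ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 'Unlock EncFS' | encfs --stdinpass $RootDir $MountPoint"
ExecStop=/bin/umount $MountPoint
"""

def parse_unit(text):
    """Return {section: {key: [values]}}; '\\' continues a line, keys may repeat."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = (pending + raw).strip()
        if line.endswith("\\"):          # unit-file line continuation
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = sections.setdefault(line[1:-1], {})
            continue
        key, eq, value = line.partition("=")
        if not eq or section is None:    # e.g. an ExecStart= wrapped by a mailer
            raise ValueError(f"stray line (wrapped directive?): {line!r}")
        section.setdefault(key.strip(), []).append(value.strip())
    return sections

def check_unlock_unit(sections):
    """List the problems the remarks in the mail warn about."""
    unit, svc, problems = sections.get("Unit", {}), sections.get("Service", {}), []
    yes = ("yes", "true", "1")
    if unit.get("DefaultDependencies", ["yes"])[-1].lower() in yes or not unit.get("After"):
        problems.append("early-boot unit needs DefaultDependencies=no plus explicit After=")
    before = " ".join(unit.get("Before", [])).split()
    problems += [f"prompt may be clobbered: add Before={d}" for d in
                 ("display-manager.service", "getty@tty1.service") if d not in before]
    if svc.get("Type", ["simple"])[-1] == "oneshot" and svc.get("RemainAfterExit", ["no"])[-1].lower() not in yes:
        problems.append("Type=oneshot should set RemainAfterExit=yes so the unit stays active after the unlock")
    # The passphrase must reach encfs on stdin, never as a command-line argument.
    problems += ["encfs started without --stdinpass" for c in svc.get("ExecStart", [])
                 if "encfs" in c and "--stdinpass" not in c]
    return problems
```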
