author | Nikolay Amiantov <ab@fmap.me> | 2015-10-18 13:50:36 +0300 |
---|---|---|
committer | Nikolay Amiantov <ab@fmap.me> | 2015-10-18 18:41:11 +0300 |
commit | 12fcfe39db2a1f7df7c72dade591d497b153bbf8 (patch) | |
tree | cb22872b90e11893c420416cc59889c9cd7e2a3f /nixos/modules/system/boot | |
parent | 1bd3d9de2acf17e4b727cbf4d1487d5ad5e42159 (diff) | |
nixos/luksroot: allow to enter passphrase from another console
Diffstat (limited to 'nixos/modules/system/boot')
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 0a680b2d5cf..76370320563 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -32,9 +32,12 @@ let
 ''}
 
 open_normally() {
- cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \
+ echo luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \
 ${optionalString (header != null) "--header=${header}"} \
- ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"}
+ ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \
+ > /.luksopen_args
+ cryptsetup-askpass
+ rm /.luksopen_args
 }
 
 ${optionalString (luks.yubikeySupport && (yubikey != null)) ''
@@ -418,6 +421,18 @@ in
 boot.initrd.extraUtilsCommands = ''
 copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup
 
+ cat > $out/bin/cryptsetup-askpass <<EOF
+ #!$out/bin/sh -e
+ if [ -e /.luksopen_args ]; then
+ cryptsetup \$(cat /.luksopen_args)
+ killall cryptsetup
+ else
+ echo "Passphrase is not requested now"
+ exit 1
+ fi
+ EOF
+ chmod +x $out/bin/cryptsetup-askpass
+
 ${optionalString luks.yubikeySupport ''
 copy_bin_and_libs ${pkgs.ykpers}/bin/ykchalresp
 copy_bin_and_libs ${pkgs.ykpers}/bin/ykinfo |
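Review bot: `open_normally` no longer reports whether the volume was opened, because its exit status is now that of the final `rm /.luksopen_args`. The foreground `cryptsetup-askpass` may also end because the helper on another console terminated it, so its own status is not a reliable signal either. The callers are outside this hunk, so it should be confirmed whether any of them relies on the status; ending the function with `[ -e /dev/mapper/${name} ]` would make it mean "the device is mapped" in both cases. A comment above the `echo`, such as `# /.luksopen_args exists only while a passphrase is awaited; it holds cryptsetup flags and paths, never key material`, would document the hand-off for anyone auditing what stage 1 writes.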
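Review bot: In the generated `cryptsetup-askpass`, `killall cryptsetup` is the last command on the success path of a script run with `sh -e`, so the helper's exit status is whatever `killall` returns. `killall` normally reports failure when it finds no matching process, so a successful unlock with no second prompt waiting would likely exit non-zero; `killall cryptsetup || true` keeps the status tied to the unlock itself. The call also signals every process named `cryptsetup`, not only the one waiting on this volume, and a comment such as `# stop the prompt still waiting on the other console` would record that this is intended. The "Passphrase is not requested now" message is an error and would be better sent to stderr with `>&2`.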