Hi,

On 28.07.2014 01:54, Christian Hofstaedtler wrote:
> * Michael Biebl <biebl@debian.org> [140727 23:09]:
>> On 22.07.2014 23:54, Julian Gilbey wrote:
>>> For me, this is a killer, as I still do not know how to solve the
>>> problem I asked a while back on debian-user
>>> (https://lists.debian.org/debian-user/2014/04/msg01286.html): in
>>> summary, I need to unlock an encrypted filesystem during boot time by
>>> asking for a password to feed into encfs. But I cannot figure out how
>>> to do this under systemd.
>>>
>>> Answers to this question would also be much appreciated!
>>
>> Julian, do you still need help with that?
>> I've just cobbled together a short unlock.service file which seems to
>> work reasonably fine and which I can share with you.
>
> I'd love to see that file.

Here we go:

------8<-----------
[Unit]
Description=Unlock EncFS
DefaultDependencies=no
After=local-fs.target
Before=display-manager.service getty@tty1.service

[Service]
Type=oneshot
RemainAfterExit=true
Environment=RootDir=/home/.encfs/crypt
Environment=MountPoint=/home/crypt
ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 'Unlock EncFS' | encfs --stdinpass $RootDir $MountPoint"
ExecStop=/bin/umount $MountPoint

[Install]
WantedBy=sysinit.target
------>8-----------

(The ExecStart= needs to be a single line, I hope it's not messed up by
my mailer)

I've installed that as /etc/systemd/system/unlock.service, then ran
"systemctl enable unlock.service"

A few remarks:

- I hook that service up in sysinit.target, which is similar to rcS in
  sysvinit, since that is what Julian was using in his original SysV
  init script. Services which run that early should usually use
  DefaultDependencies=no and specify their requirements explicitly
  (that's what the After=local-fs.target is for).

- I used Type=oneshot, as I'm only interested in the unlock process and
  not in tracking the encfs process.

- The usage of Environment= is entirely optional, but makes it a bit
  more readable.

- The ExecStop= is not strictly required, but simply a nice touch.

- Querying input on a non-sequential system (like systemd) is not
  trivial. I therefore recommend the usage of plymouth. Don't consider
  it as only a shiny bootsplash, but rather an I/O multiplexer [1].
  If you insist on not using plymouth, at least make sure to boot with
  "quiet" enabled, otherwise your unlock prompt will be overwritten by
  the boot messages. Let me repeat: for such a case, I really recommend
  using plymouth!

- The Before=display-manager.service getty@tty1.service line makes sure
  your plymouth (or console) prompt is not interfered with by the getty
  on tty1 or X/your display manager. Not all display managers already
  set up the display-manager.service symlink properly (gdm3 in unstable
  and lightdm do). So you might need to change that to list the actual
  service name, say you use xdm: Before=xdm.service ...

systemd-ask-password is clever enough to automatically use plymouth
when available or falls back to the tty agent otherwise.

If you have further questions, just ask.

Cheers,
Michael

[1] http://web.dodds.net/~vorlon/wiki/blog/Plymouth_is_not_a_bootsplash/
    (currently not reachable, you might use the google cache)

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Attachment:
signature.asc
Description: OpenPGP digital signature
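One practical caveat with the `sh -c "systemd-ask-password ... | encfs --stdinpass ..."` ExecStart= above: the exit status of a pipeline is that of the last command, so if systemd-ask-password times out (30 seconds) or the user submits an empty answer, encfs is handed an empty password and the unit's failure reason is whatever encfs makes of that. The wrapper script below, an added example that is not part of Michael's message or of the encfs or systemd projects, keeps the same unit file semantics (Type=oneshot, one prompt, one mount) but fails explicitly when the prompt yields nothing, and keeps the password out of the command line. The script path, the default RootDir/MountPoint values copied from the unit above, and the ASK/ENCFS override variables (which exist only so the functions can be exercised without real binaries) are assumptions.

```shell
#!/bin/sh
# unlock-encfs.sh: ExecStart= helper for a Type=oneshot unlock unit.
# Added example; assumes the paths from the unit file above.
# ASK and ENCFS can be overridden with stub commands for offline testing;
# in the unit they resolve to the real systemd-ask-password and encfs.
ASK="${ASK:-systemd-ask-password}"
ENCFS="${ENCFS:-encfs}"
ROOTDIR="${ROOTDIR:-/home/.encfs/crypt}"
MOUNTPOINT="${MOUNTPOINT:-/home/crypt}"

# Ask once via the password agent (plymouth when present, tty agent
# otherwise, as systemd-ask-password decides) and hand the answer to
# encfs on stdin.  Return codes:
#   0  encfs mounted the filesystem
#   1  encfs rejected the password (its own exit status is propagated)
#   2  the prompt timed out or produced an empty answer
unlock_encfs() {
    pw=$("$ASK" --no-tty --timeout=30 "Unlock EncFS") || return 2
    [ -n "$pw" ] || return 2
    # printf is a shell builtin, so the password never appears in a
    # process argument list; --stdinpass reads it from stdin.
    printf '%s\n' "$pw" | "$ENCFS" --stdinpass "$ROOTDIR" "$MOUNTPOINT"
    rc=$?
    pw=
    return "$rc"
}

# Only run the unlock when executed directly, not when sourced.
case "$0" in
    */unlock-encfs.sh|unlock-encfs.sh) unlock_encfs ;;
esac
```

Install it as e.g. /usr/local/sbin/unlock-encfs.sh (assumed path) and replace the ExecStart= line with `ExecStart=/usr/local/sbin/unlock-encfs.sh`; the rest of the unit stays as Michael posted it. With a distinct exit code for "no answer", `systemctl status unlock.service` tells you whether the prompt was missed (the plymouth/"quiet" issue Michael describes) or the password was wrong.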