On 7/7/20 7:09 PM, Dudemanguy via artix-general wrote:
> Sorry, this got lost in the backlog somewhere. I'll get to actually testing this one out later this week.

Okay, I finally believe I've gotten to the bottom of this. The short
answer is that I don't think this is possible with the current way s6 is
set up on Artix, but at the very least it's not an issue with the script.

During the boot process, the cryptsetup script gets executed, reads the
/etc/crypttab with all the right arguments and everything but there's an
error message that's sent to shell. Specifically, "Nothing to read on
input". The reason I don't believe this can work as-is is because the
early getty service that s6-linux-init starts is designed to capture any
output from the started services and print them on /dev/console. This
will interrupt any wait on input and thus cause the cryptsetup to fail.

I haven't tested this, but there are theoretically two potential fixes
to this. One would be simply to disable printing on /dev/console. I'm
not totally sure anything from the cryptsetup would even print on the
early getty in the first place but it is a separate bash/shell call and
not a complete execline script so it might work. I don't want to do this
though because I've found error output on tty1 to be very useful in
debugging and I don't think the tradeoff is worth it.

The other possibility would be to move the early getty to some other tty
(say tty2) and print the cryptsetup stuff on a different tty (like
tty1). This would be strange though because a user would have to
manually switch to the other tty (you would still boot on whatever the
early getty is defined as) and also said getty services would have to
start before cryptsetup to work. I also don't think this hypothetical is
worth it.

I know you probably already know this (and maybe already do this), but
why not just generate a keyfile instead and add it to the luks device?
That can be read on boot just fine and as long as it's in a secure
location, it's a better solution than a passphrase anyway. If someone
has access to your root, you're already compromised after all.

Side note: I did find a slight error when closing devices on s6. They
weren't being unmounted, so at least that should be fixed now.
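
The keyfile approach suggested in the message above, as an added example that is not part of the original e-mail or of Artix's own scripts: it creates a random keyfile with owner-only permissions, refuses to enroll one that is group or world accessible, and prints a matching crypttab entry. The function names, the key path, the mapping name `cryptdata` and the usual four-field crypttab layout are assumptions; `enroll_keyfile` needs root and a real LUKS device.

```shell
#!/bin/sh
# Added example: keyfile-based unlock for a LUKS device listed in /etc/crypttab.
# Paths, the mapping name and the UUID placeholder are constructed for illustration.

# Create a 4096-byte random keyfile that only its owner can read.
make_keyfile() {
    keyfile=$1
    # umask in a subshell so the file is never created with wider permissions
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=512 count=8 2>/dev/null ) || return 1
    chmod 0400 "$keyfile"
}

# Succeed only if the keyfile exists and has no group/other permission bits.
keyfile_is_private() {
    keyfile=$1
    [ -f "$keyfile" ] || return 1
    mode=$(stat -c '%a' "$keyfile") || return 1
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Add the keyfile to a free key slot; cryptsetup prompts for an existing passphrase.
# Defined but not called here, because it needs root and a real LUKS device.
enroll_keyfile() {
    device=$1 keyfile=$2
    keyfile_is_private "$keyfile" || {
        echo "refusing: $keyfile is group/world accessible" >&2
        return 1
    }
    cryptsetup luksAddKey "$device" "$keyfile"
}

# Print a crypttab entry: <name> <device> <keyfile> <options>
crypttab_line() {
    printf '%s\tUUID=%s\t%s\tluks\n' "$1" "$2" "$3"
}

# Demo on a temporary file (constructed input); no real device is touched.
demo_dir=$(mktemp -d)
make_keyfile "$demo_dir/data.key" && keyfile_is_private "$demo_dir/data.key" &&
    crypttab_line cryptdata "<UUID-of-LUKS-partition>" /etc/keys/data.key
rm -rf "$demo_dir"
```

The keyfile has to live on a filesystem that is already mounted when the cryptsetup script runs, which is why the message's "secure location" is in practice the root filesystem.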