
Comments (19)

coldfix commented on June 12, 2024

I agree, this would be nice. Sorry for the late response.

Udiskie relies on udisks to execute root commands and I'm afraid udisks currently doesn't care about keyfiles. I posted a related issue on their bugtracker recently and they seem unresponsive :(
So there is not much udiskie can do without root permissions.

Maybe the chances to get it fixed will be higher by submitting a patch and hoping for its inclusion. The corresponding udisks code is in src/udiskslinuxencrypted.c, specifically handle_unlock. I'm not sure how long it will take - if they include it at all (not sure there is someone behind that project who has time at the moment). If you don't feel confident writing the patch yourself, I could go for it in a few days/week or so.

As a workaround, you could unlock your device using a udev rule and ignore it in udiskie. Something like

ACTION=="add", ENV{ID_FS_UUID}=="f73f0991-2c3f-456b-a03a-70fcae7ee235", RUN+="/usr/bin/cryptsetup luksOpen /dev/%k ring --key-file /etc/key/keyfile"

from udiskie.

grrrbl commented on June 12, 2024

Thanks a lot for your advice. Hadn't thought of udev before.

I'm not that firm in C and unfortunately don't think I'm able to write a patch for udisks.

coldfix commented on June 12, 2024

Alright, I took a look around, and found that there is already an open udisks ticket from 2012. I'll notify you here if that gets patched.

mathstuf commented on June 12, 2024

udisks2 docs now have mumblings about /etc/luks-keys, so there may be some update to this.

coldfix commented on June 12, 2024

Oh, can you provide a link? I did write a patch for this feature a while back and notified them on their mailing list, but I didn't get any useful response for now. See here and here.

mathstuf commented on June 12, 2024

It looks like in order to do it, you set up a "configuration" for the block device which udisks then writes to /etc/crypttab (it seems).

In any case, what seems to be asked for here is to provide a file that is not in crypttab and instead have udiskie read it and plumb it over. That would be possible for non-binary data. What needs to happen for it to work in general is to have some Unlock-like method which takes binary data (ay) as a passphrase and then basically just .read_all() from the given path into that parameter.

coldfix commented on June 12, 2024

Yeah. I don't think the "configuration" stuff is what many users would want.

As I mentioned, I implemented a patch for udisks to accept an additional ay binary blob containing the keyfile, but I got no response so far.

mathstuf commented on June 12, 2024

Now that a patch exists, maybe pinging the fdo bug would help?

aomader commented on June 12, 2024

Any progress on this one? I would love to define a configuration in which I state that my external device xyz should be unlocked using my key foo_bar. Additionally, custom mount points would be awesome as well, not sure if this is already possible though?

coldfix commented on June 12, 2024

I will ping the udisks devs and work on the issue in the next weeks.

aomader commented on June 12, 2024

What about now? :)

coldfix commented on June 12, 2024

Sorry, you are right, I postponed this all too long. Working on it. By any chance, can you run all of udisks integration tests or do you know on which distro they work?

aomader commented on June 12, 2024

I just tried to run them on my arch setup, but it failed horribly. Going from one error to the next I just stopped at the fourth one. Sorry .. :/

coldfix commented on June 12, 2024

Thanks for trying anyway.

I've pinged it on the bugtracker with patches attached. Hope this gets it rolling again.

coldfix commented on June 12, 2024

It's really hard to get a response from the udisks maintainer (who admits udisks is heavily undermaintained and wants to merge storaged). I'll try to submit it in storaged.

coldfix commented on June 12, 2024

Created a PR for storaged, see here.

eigengrau commented on June 12, 2024

For the wishlist: would be awesome if udiskie LUKS configuration would not only take a filename, but would also work based on a user-specified shell command that generates the key content, e.g. from an encrypted keyring. 🐨

coldfix commented on June 12, 2024

Update: the patch is now integrated in storaged. The feature will be available once they merge with udisks and release.

coldfix commented on June 12, 2024

Implemented now in udiskie. You have to wait for udisks 2.6.4 to appear to make it work.

@eigengrau For now only files are supported. I might add your suggestion later. Taking this to another issue.

Keyfiles can only be unlocked using the config file ~/.config/udiskie/config.yml like this (using the UUID of the crypto device, not the unlocked partition of course):

device_config:
- id_uuid: ...
  keyfile: /path/to/your/keyfile

from udiskie.
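
Added example, not part of the original thread and not udiskie's own code: a Python check to run on a file before referencing it as `keyfile:` in config.yml. It flags keyfiles that group or others can access, and reports whether the key bytes could have travelled as a D-Bus text string (valid UTF-8, no NUL) or need the binary `ay` parameter discussed in the thread; all function names are made up for this example.

```python
import os
import stat


def fits_dbus_string(key: bytes) -> bool:
    """True if the key could be sent as a D-Bus string (type 's'):
    valid UTF-8 with no embedded NUL. Anything else needs 'ay'."""
    if b"\x00" in key:
        return False
    try:
        key.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def needs_byte_array(path: str) -> bool:
    """Read the keyfile as raw bytes and say whether it is binary."""
    with open(path, "rb") as f:  # never open a keyfile in text mode
        return not fits_dbus_string(f.read())


def audit_keyfile(path: str) -> list:
    """Return permission findings for a keyfile; an empty list means OK."""
    findings = []
    st = os.lstat(path)  # lstat so a symlink is reported, not followed
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: audit the link target instead"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access: mode %o" % stat.S_IMODE(st.st_mode))
    if st.st_uid not in (0, os.getuid()):
        findings.append("owned by another user: uid %d" % st.st_uid)
    if st.st_size == 0:
        findings.append("empty keyfile")
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile() as tmp:
        tmp.write(b"\xff\x00\x80 constructed sample key")  # constructed sample data
        tmp.flush()
        os.chmod(tmp.name, 0o644)  # deliberately too permissive
        print(audit_keyfile(tmp.name), needs_byte_array(tmp.name))
```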
