Mailinglist Archive: opensuse (1108 mails)

Re: [opensuse] Booting with an encrypted home
On 2018-08-07 15:33, ken wrote:
> On 08/07/2018 04:52 AM, Carlos E. R. wrote:
>
> Hi, Carlos,
>
> Two options: One is using the "timeout" option, briefly explained in
> "man crypttab".

Ah, I did not notice that one, thanks.

Specifies the timeout for querying for a password. If no unit
is specified, seconds is used. Supported units are s, ms, us, min, h, d.
A timeout of 0 waits indefinitely (which is the default).

Specifies how long systemd should wait for a device to show
up before giving up on the entry. The argument is a time in seconds or
explicitly specified units of "s", "min", "h", "ms".

I tried "timeout=0", but the system waits for 90 seconds only - it says
so in the password prompt. So there must be somewhere else. This seems
to be an undocumented change in Leap 15.0.

Worse, the keyboard is ignored and I cannot enter the password during
that time. After 90 seconds it prompts for my root password and ignores
it. With Ctrl-D it finally locks, only accepting ctrl-alt-supr.

Rescue system, I see a typo in the UUID declaration. Corrected.

It still ignores the keyboard, and times out at 90 seconds. But this
time I'm finally allowed to enter the root password.

All these lines make the system unbootable:

cr_sda8 UUID=1edf494d-d697-40b2-ba00-c7da0a1d5fbe -
cr_sda8 /dev/disk/by-uuid/1edf494d-d697-40b2-ba00-c7da0a1d5fbe -
cr_sda8 /dev/sda8 - timeout=0
cr_sda8 /dev/sda8 none timeout=0

Only these work, with a timeout of 90 seconds, unchangeable:

cr_sda8 /dev/sda8
cr_sda8 UUID=1edf494d-d697-40b2-ba00-c7da0a1d5fbe
cr_sda8 UUID=1edf494d-d697-40b2-ba00-c7da0a1d5fbe none none

This other line:

cr_sda8 UUID=1edf494d-d697-40b2-ba00-c7da0a1d5fbe none timeout=300

is accepted, but the prompt text changes (doesn't print the timeout) and
the timeout doesn't change.

This seems a bug. Two, actually.

> Another option would be to specify a file containing the password, that
> file residing on a thumbdrive which, of course would need to be set to
> mount prior to the encrypted partition. That file would be specified in
> a third field to the encrypted device's entry in /etc/crypttab. This
> second option would, in effect, allow mounting without you needing to
> enter a password, but remain secure as long as you maintain secure
> control of the thumbdrive.

No, I just want to control the timeout.

Cheers / Saludos,

Carlos E. R.
(from 42.3 x86_64 "Malachite" at Telcontar)
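
The password-timeout rules quoted from "man crypttab" in the message above, as an added example that is not part of the original post: a small Python parser that reports which timeout each crypttab line requests according to that text. It says nothing about what Leap 15.0 actually does at boot; the function names are made up for the example, and skipping "none" in the options field is an assumption based on the post's working line.

```python
import re

# Units listed in the quoted man page text, converted to seconds.
UNITS = {"us": 1e-6, "ms": 1e-3, "s": 1, "min": 60, "h": 3600, "d": 86400}

def parse_timeout(value):
    """Seconds as float, or None when the value means 'wait indefinitely' (0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", value.strip())
    if not m or (m.group(2) and m.group(2) not in UNITS):
        raise ValueError(f"unparseable timeout: {value!r}")
    seconds = float(m.group(1)) * UNITS[m.group(2) or "s"]  # no unit -> seconds
    return None if seconds == 0 else seconds

def parse_crypttab_line(line):
    """Split one entry into name, device, key file field and options."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if not 2 <= len(fields) <= 4:
        raise ValueError(f"expected 2 to 4 fields, got {len(fields)}: {line!r}")
    options = {}
    for opt in (fields[3] if len(fields) > 3 else "").split(","):
        if opt and opt != "none":  # assumption: "none" is a placeholder, not an option
            key, _, val = opt.partition("=")
            options[key] = val
    return {
        "name": fields[0],
        "device": fields[1],
        "keyfile": fields[2] if len(fields) > 2 else None,  # raw third field
        "options": options,
        # Documented default is 0, i.e. wait indefinitely (None here).
        "password_timeout": parse_timeout(options["timeout"]) if "timeout" in options else None,
    }

# Lines taken from the post, plus one constructed line using a unit suffix.
SAMPLE = [
    "cr_sda8 /dev/sda8 none timeout=0",
    "cr_sda8 UUID=1edf494d-d697-40b2-ba00-c7da0a1d5fbe none none",
    "cr_sda8 UUID=1edf494d-d697-40b2-ba00-c7da0a1d5fbe none timeout=300",
    "cr_sda8 /dev/sda8 none timeout=5min",  # constructed
]

if __name__ == "__main__":
    for raw in SAMPLE:
        entry = parse_crypttab_line(raw)
        print(f"{raw!r}: documented password timeout = {entry['password_timeout']}")
```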
