Bug 677962

Summary: RFE: timeout on boot-time LUKS passwords for non-root partitions
Product: [Fedora] Fedora
Reporter: James Heather <drfudgeboy>
Component: systemd
Assignee: Lennart Poettering <lpoetter>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: contact, iarlyy, jonathan, lpoetter, metherid, mschmidt, notting, plautrba
Keywords: Triaged
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-02-22 19:45:18 EST

Description James Heather 2011-02-16 06:20:29 EST
Could boot-time mounting of LUKS partitions please allow for a timeout for password entry? The timeout would ideally be specified in /etc/crypttab. Some partitions (e.g., root partitions) would not want a timeout, but others (e.g., /home) might.

This should be simple to implement, because cryptsetup already has a '--timeout' option.

Several of my machines have unencrypted root, but encrypted /home. The problem is that I generally want /home to be mounted at boot time (so it shouldn't be noauto), but occasionally I need to reboot the machine remotely. At the moment, I just can't do that: I need to be at the terminal to enter the password.

I'd like it set up so that it'll be mounted if I'm rebooting locally and able to enter the password, but times out if I'm rebooting remotely.

Thanks!

James
Comment 1 Bill Nottingham 2011-02-16 08:57:13 EST
This is unlikely to be added to Fedora 14 at this time, simply because this functionality has moved in Fedora 15 to the systemd package, and therefore it would be a one-off change for future Fedora releases.
Comment 2 James Heather 2011-02-16 09:02:03 EST
(In reply to comment #1)
> This is unlikely to be added to Fedora 14 at this time, simply because this
> functionality has moved in Fedora 15 to the systemd package, and therefore it
> would be a one-off change for future Fedora releases.

Ah, OK, not personally too bothered if all I have to do is wait for F15. I can live with my hacky solution till then.

So do you mean that pretty much this exact thing is being included in F15 systemd?

James
Comment 3 Bill Nottingham 2011-02-16 09:11:55 EST
I *think* so... moving over to systemd for clarification.
Comment 4 Lennart Poettering 2011-02-22 19:45:18 EST
In F15 you can use "timeout=5min" as an option in crypttab to make sure we time out the password entry eventually.
Comment 5 Aissen 2011-06-30 17:15:05 EDT
This feature is nice, but not documented. I searched in crypttab(5), systemd-ask-password(1), systemd.mount(5).
It didn't use to time out, and I liked it this way. Now I had to go dig into the source code ( http://cgit.freedesktop.org/systemd/tree/src/cryptsetup.c?id=v26#n106 ) to understand how it worked, and change the (new) default behavior to the one I preferred.
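
Added example, not part of the bug thread and not systemd code: a small audit that parses crypttab text and lists the volumes whose password prompt has no explicit bound, which is the condition that blocks the unattended remote reboot described in the report. The sample entries, UUIDs and function names are constructed; the unit table and the reading of `timeout=0` as "wait indefinitely" are assumptions taken from present-day crypttab(5), and no default is assumed for entries without the option.

```python
import re

# Assumed units (present-day crypttab(5)); a bare number means seconds.
UNITS = {"": 1, "s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600, "d": 86400}


def parse_span(text):
    """Convert a span such as '5min', '90' or '1h30min' to seconds."""
    parts = re.findall(r"(\d+)([a-z]*)", text)
    leftover = re.sub(r"\d+[a-z]*", "", text)
    if not parts or leftover or any(u not in UNITS for _, u in parts):
        raise ValueError(f"bad time span: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)


def audit_crypttab(text):
    """Map each volume name to its timeout in seconds, or None if unset."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # name, device, keyfile, options
        options = fields[3].split(",") if len(fields) > 3 else []
        timeout = None
        for opt in options:
            key, _, value = opt.partition("=")
            if key == "timeout":
                timeout = parse_span(value)
        result[fields[0]] = timeout
    return result


def unbounded_prompts(text):
    """Volumes with no timeout= option, or with timeout=0."""
    return [name for name, t in audit_crypttab(text).items() if not t]


# Constructed sample: root keeps an unbounded prompt, the others time out.
SAMPLE = """\
# name     device                                     keyfile  options
luks-root  UUID=00000000-0000-0000-0000-000000000001  none
luks-home  UUID=00000000-0000-0000-0000-000000000002  none     timeout=5min
luks-data  UUID=00000000-0000-0000-0000-000000000003  none     luks,timeout=90
"""

if __name__ == "__main__":
    for name in unbounded_prompts(SAMPLE):
        print(f"{name}: no explicit password timeout")
```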