Bug 677962

Summary: RFE: timeout on boot-time LUKS passwords for non-root partitions
Product: [Fedora] Fedora
Reporter: James Heather <drfudgeboy>
Component: systemd
Assignee: Lennart Poettering <lpoetter>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: contact, iarlyy, jonathan, lpoetter, metherid, mschmidt, notting, plautrba
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-02-23 00:45:18 UTC

Description James Heather 2011-02-16 11:20:29 UTC
Could boot-time mounting of LUKS partitions please allow for a timeout for password entry? The timeout would ideally be specified in /etc/crypttab. Some partitions (e.g., root partitions) would not want a timeout, but others (e.g., /home) might.

This should be simple to implement, because cryptsetup already has a '--timeout' option.

Several of my machines have unencrypted root, but encrypted /home. The problem is that I generally want /home to be mounted at boot time (so it shouldn't be noauto), but occasionally I need to reboot the machine remotely. At the moment, I just can't do that: I need to be at the terminal to enter the password.

I'd like it set up so that it'll be mounted if I'm rebooting locally and able to enter the password, but times out if I'm rebooting remotely.

Thanks!

James

Comment 1 Bill Nottingham 2011-02-16 13:57:13 UTC
This is unlikely to be added to Fedora 14 at this time, simply because this functionality has moved in Fedora 15 to the systemd package, and therefore it would be a one-off change for future Fedora releases.

Comment 2 James Heather 2011-02-16 14:02:03 UTC
(In reply to comment #1)
> This is unlikely to be added to Fedora 14 at this time, simply because this
> functionality has moved in Fedora 15 to the systemd package, and therefore it
> would be a one-off change for future Fedora releases.

Ah, OK, not personally too bothered if all I have to do is wait for F15. I can live with my hacky solution till then.

So do you mean that pretty much this exact thing is being included in F15 systemd?

James

Comment 3 Bill Nottingham 2011-02-16 14:11:55 UTC
I *think* so... moving over to systemd for clarification.

Comment 4 Lennart Poettering 2011-02-23 00:45:18 UTC
In F15 you can use "timeout=5min" as an option in crypttab to make sure we time out the password entry eventually.

Comment 5 Aissen 2011-06-30 21:15:05 UTC
This feature is nice, but not documented. I searched in crypttab(5), systemd-ask-password(1), systemd.mount(5).
It didn't use to time out, and I liked it this way. Now I had to go dig into the source code ( http://cgit.freedesktop.org/systemd/tree/src/cryptsetup.c?id=v26#n106 ) to understand how it worked, and change the (new) default behavior to the one I preferred.
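
The `timeout=` crypttab option from comment 4, shown as an added example that is not part of the original thread or of systemd's code: a small audit that lists which `/etc/crypttab` entries prompt for a passphrase at boot and what timeout each one carries. The sample crypttab, its volume names, UUID placeholders and key file path are constructed, and only a subset of systemd's time units is parsed.

```python
import re

# Constructed sample /etc/crypttab (names, UUID placeholders, key path made up).
SAMPLE_CRYPTTAB = """\
# <name>  <device>          <keyfile>           <options>
luks-root UUID=<root-uuid>  none
luks-home UUID=<home-uuid>  none                luks,timeout=5min
luks-data UUID=<data-uuid>  /etc/keys/data.key  luks
luks-tmp  UUID=<tmp-uuid>   -                   timeout=90
"""

# Subset of systemd time units handled here; a bare number means seconds.
_UNITS = {"": 1, "s": 1, "sec": 1, "min": 60, "m": 60, "h": 3600}

def parse_timeout(value):
    """Convert a timeout= value such as '5min' or '90' to seconds."""
    m = re.fullmatch(r"(\d+)\s*([a-z]*)", value.strip())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unsupported timeout value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def audit_crypttab(text):
    """Return {name: (prompts_for_password, timeout_seconds_or_None)}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed entry: name and device are mandatory
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        timeout = None  # None: no timeout= option, the systemd default applies
        for opt in options:
            if opt.startswith("timeout="):
                timeout = parse_timeout(opt.split("=", 1)[1])
        # A key file of "none" or "-" means the passphrase is asked interactively.
        result[fields[0]] = (keyfile in ("none", "-"), timeout)
    return result

if __name__ == "__main__":
    for name, (prompts, timeout) in audit_crypttab(SAMPLE_CRYPTTAB).items():
        state = "key file" if not prompts else (
            "prompt, default timeout" if timeout is None else f"prompt, {timeout}s")
        print(f"{name}: {state}")
```

Entries reported with no explicit timeout fall back to the default of the installed systemd version, which comment 5 notes has changed between releases, so check crypttab(5) on the target system.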