Red Hat Bugzilla – Bug 677962
RFE: timeout on boot-time LUKS passwords for non-root partitions
Last modified: 2011-06-30 17:15:05 EDT
Could boot-time mounting of LUKS partitions please allow for a timeout for password entry? The timeout would ideally be specified in /etc/crypttab. Some partitions (e.g., root partitions) would not want a timeout, but others (e.g., /home) might.
This should be simple to implement, because cryptsetup already has a '--timeout' option.
Several of my machines have unencrypted root, but encrypted /home. The problem is that I generally want /home to be mounted at boot time (so it shouldn't be noauto), but occasionally I need to reboot the machine remotely. At the moment, I just can't do that: I need to be at the terminal to enter the password.
I'd like it set up so that it'll be mounted if I'm rebooting locally and able to enter the password, but times out if I'm rebooting remotely.
This is unlikely to be added to Fedora 14 at this time, simply because this functionality has moved in Fedora 15 to the systemd package, and therefore it would be a one-off change for future Fedora releases.
(In reply to comment #1)
> This is unlikely to be added to Fedora 14 at this time, simply because this
> functionality has moved in Fedora 15 to the systemd package, and therefore it
> would be a one-off change for future Fedora releases.
Ah, OK, not personally too bothered if all I have to do is wait for F15. I can live with my hacky solution till then.
So do you mean that pretty much this exact thing is being included in F15 systemd?
I *think* so... moving over to systemd for clarification.
In F15 you can use "timeout=5min" as an option in crypttab to make sure we time out the password entry eventually.
This feature is nice, but not documented. I searched in crypttab(5), systemd-ask-password(1), systemd.mount(5).
It didn't use to time out, and I liked it this way. Now I had to go dig into the source code ( http://cgit.freedesktop.org/systemd/tree/src/cryptsetup.c?id=v26#n106 ) to understand how it worked, and change the (new) default behavior to the one I preferred.
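An added example, not part of the bug thread and not systemd code: a small Python audit of crypttab content that reports, per volume, whether the boot-time passphrase prompt carries the `timeout=` option mentioned in the comments above, which is the setting that decides whether an unattended remote reboot can get past the prompt. The volume names, devices and key file path in the sample are constructed.

```python
# Added example: list crypttab volumes that prompt for a passphrase at boot
# and show whether an explicit timeout= option is set for the prompt.

# Constructed sample in the four-column crypttab layout.
SAMPLE_CRYPTTAB = """\
# <name>  <device>               <key file>         <options>
home      UUID=<placeholder-1>   none               timeout=5min
data      /dev/sdb1              -                  luks
backup    UUID=<placeholder-2>   /etc/keys/backup   luks
scratch   /dev/sdc1
"""


def parse_crypttab(text):
    """Yield (name, device, keyfile, options) for each entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: name and device are mandatory
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        yield fields[0], fields[1], keyfile, options


def audit(text):
    """Return {volume name: status string} for every entry."""
    report = {}
    for name, _device, keyfile, options in parse_crypttab(text):
        timeout = next(
            (o.split("=", 1)[1] for o in options if o.startswith("timeout=")),
            None,
        )
        if keyfile not in ("none", "-"):
            report[name] = "keyfile"  # unlocked from a key file, no prompt
        elif timeout is None:
            # Whatever default the installed systemd version uses applies.
            report[name] = "prompt, no explicit timeout"
        else:
            report[name] = f"prompt, timeout={timeout}"
    return report


if __name__ == "__main__":
    for volume, status in audit(SAMPLE_CRYPTTAB).items():
        print(f"{volume}: {status}")
```

To check a real system, pass the contents of /etc/crypttab to `audit()` instead of the sample.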