Package: cryptsetup-initramfs
Version: 2.3.5
Severity: wishlist

If someone is using an encrypted root fs, and the laptop unintentionally turns
on, it would wait for the passphrase until the battery is empty (that's what
happened to me yesterday).

For this reason please let me suggest adding a timeout option to crypttab,
which will turn the system off if the passphrase (or the key) has not been
provided within the given period of time.

I've added a proof-of-concept patch to
/usr/share/initramfs-tools/scripts/local-top/cryptroot and
/usr/lib/cryptsetup/functions which introduces this feature.

I know that there is a similar report #509070 from 2008, but while that
report suggests skipping the device for convenience reasons, my report is about
protecting the system's battery.

Best regards,
Roland

--- /usr/lib/cryptsetup/functions 2021-09-19 12:28:43.194023501 +0200
+++ /usr/lib/cryptsetup/functions 2021-09-19 12:58:51.302852958 +0200
@@ -81,7 +81,8 @@
CRYPTTAB_OPTION_keyscript \
CRYPTTAB_OPTION_keyslot \
CRYPTTAB_OPTION_header \
- CRYPTTAB_OPTION_tcrypthidden
+ CRYPTTAB_OPTION_tcrypthidden \
+ CRYPTTAB_OPTION_timeout
# use $_CRYPTTAB_OPTIONS not $CRYPTTAB_OPTIONS as options values may
# contain '\054' which is decoded to ',' in the latter
for x in $_CRYPTTAB_OPTIONS; do
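Review bot: `CRYPTTAB_OPTION_timeout` is registered in the option list here, but the patch carries no documentation for it. Since the option powers the machine off, please add a crypttab(5) entry that states the unit (seconds), that values the cryptroot script treats as too small are ignored, and that the only consumer in this patch is the initramfs script local-top/cryptroot, so devices unlocked elsewhere are unaffected.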
@@ -177,7 +178,7 @@
fi
;;
# numeric options >=0
- offset|skip|tries|keyslot|keyfile-offset)
+ offset|skip|tries|keyslot|keyfile-offset|timeout)
if ! printf '%s' "${VALUE-}" | grep -Exq "[0-9]+"; then
return 1
fi
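Review bot: Adding `timeout` to the `[0-9]+` case accepts any non-negative integer, while the consumer in local-top/cryptroot only acts when the value passes `-gt 15`. A setting such as `timeout=10` therefore validates cleanly and then does nothing. Either give `timeout` its own case that rejects values the script will ignore (with 0 still meaning "disabled"), or emit a warning, so that a configured but ineffective timeout is visible to the administrator.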
--- /usr/share/initramfs-tools/scripts/local-top/cryptroot 2021-09-19 11:51:52.149584290 +0200
+++ /usr/share/initramfs-tools/scripts/local-top/cryptroot 2021-09-19 13:11:29.646265591 +0200
@@ -155,8 +155,16 @@
fi
fi
- local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv
+ local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" poweroffpid=0 fstype vg rv
while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do
+ if [ "${CRYPTTAB_OPTION_timeout:-0}" -gt 15 ]; then
+ # Power down if not key has been entered within $timeout seconds.
+ # Ignore values below 15 seconds to give the user a chance
+ # to enter his passphrase in case of a typo in /etc/crypttab.
+ cryptsetup_message "Timeout in $CRYPTTAB_OPTION_timeout seconds"
+ (sleep "$CRYPTTAB_OPTION_timeout" && poweroff) &
+ poweroffpid=$!
+ fi
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
# unlock via keyfile
unlock_mapping "$CRYPTTAB_KEY"
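Review bot: The timer is armed inside the `while` loop, so it restarts on every attempt and the limit is per try rather than per boot. With `tries=N` the machine can stay up for N times the timeout, and when `$maxtries -le 0` the loop has no upper bound at all. If the goal is an overall deadline for battery protection, start the background job once before the loop and cancel it once after a successful unlock. Two smaller points in the same block: the test `-gt 15` also ignores a value of exactly 15 although the comment says "below 15" (use `-ge 15` or adjust the comment), and the comment has a typo ("if not key" should be "if no key").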
@@ -166,6 +174,9 @@
fi
rv=$?
count=$(( $count + 1 ))
+ if [ "$poweroffpid" -gt 0 ]; then
+ kill "$poweroffpid"
+ fi
if [ $rv -ne 0 ]; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: cryptsetup failed, bad password or options?"
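Review bot: `kill "$poweroffpid"` runs only after the unlock attempt has returned (`rv=$?`), so the countdown covers the unlock itself as well as the wait for input; a passphrase typed shortly before the deadline can still be followed by `poweroff` while the device is being opened. Consider leaving a margin for the unlock or documenting that the timeout includes it. Also, `$!` from `(sleep ... && poweroff) &` is the PID of the subshell, so the kill stops the subshell but leaves its `sleep` child running until it expires. That is harmless for the power-off (the `&& poweroff` dies with the subshell) but leaks one process per attempt. Finally, `poweroffpid` is never reset to 0 after the kill, so the guard relies on the timer being re-armed in every iteration.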