
Commit 29b7330

authored
Don't write encryption keyfiles to an unencrypted root partition (#4349)
1 parent a3c6bd5 commit 29b7330


2 files changed

+28
-4
lines changed


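--- a/archinstall/lib/disk/luks.py
+++ b/archinstall/lib/disk/luks.py
@@ -204,6 +204,18 @@ def create_keyfile(self, target_path: Path, override: bool = False) -> None:
 		self._add_key(key_file)
 		self._crypttab(crypttab_path, kf_path, options=['luks', 'key-slot=1'])
 
+	def create_crypttab_entry(self, target_path: Path) -> None:
+		"""
+		Add a crypttab entry without a keyfile so systemd prompts
+		for the passphrase at boot.
+		"""
+		if self.mapper_name is None:
+			raise ValueError('Mapper name must be provided')
+
+		crypttab_path = target_path / 'etc/crypttab'
+		crypttab_path.parent.mkdir(parents=True, exist_ok=True)
+		self._crypttab(crypttab_path, Path('none'), options=['luks'])
+
 	def _add_key(self, key_file: Path) -> None:
 		debug(f'Adding additional key-file {key_file}')
 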
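Review bot: `create_crypttab_entry` has no `override` parameter, unlike `create_keyfile` in the same class, so if `_crypttab` (outside the hunk) appends rather than replaces, calling it twice for the same mapper would leave duplicate `/etc/crypttab` lines; whether `_crypttab` deduplicates is not visible here and is worth confirming or documenting. The docstring should also record the argument and the reason for the `none` key field, e.g. add `target_path: installation root; the entry goes to <target_path>/etc/crypttab with 'none' as the key so no key material is written to an unencrypted root filesystem.` Noting that the entry is emitted with only the `luks` option (no `key-slot`, since no key was added) would save the next reader a comparison with `create_keyfile`.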
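--- a/archinstall/lib/installer.py
+++ b/archinstall/lib/installer.py
@@ -444,6 +444,8 @@ def generate_key_files(self) -> None:
 			pass
 
 	def _generate_key_files_partitions(self) -> None:
+		root_is_encrypted = any(p.is_root() for p in self._disk_encryption.partitions)
+
 		for part_mod in self._disk_encryption.partitions:
 			gen_enc_file = self._disk_encryption.should_generate_encryption_file(part_mod)
 
@@ -454,8 +456,12 @@ def _generate_key_files_partitions(self) -> None:
 			)
 
 			if gen_enc_file and not part_mod.is_root():
-				debug(f'Creating key-file: {part_mod.dev_path}')
-				luks_handler.create_keyfile(self.target)
+				if root_is_encrypted:
+					debug(f'Creating key-file: {part_mod.dev_path}')
+					luks_handler.create_keyfile(self.target)
+				else:
+					debug(f'Adding passphrase-based crypttab entry for {part_mod.dev_path}')
+					luks_handler.create_crypttab_entry(self.target)
 
 			if part_mod.is_root() and not gen_enc_file:
 				if self._disk_encryption.hsm_device:
@@ -467,6 +473,8 @@ def _generate_key_files_partitions(self) -> None:
 			)
 
 	def _generate_key_file_lvm_volumes(self) -> None:
+		root_is_encrypted = any(v.is_root() for v in self._disk_encryption.lvm_volumes)
+
 		for vol in self._disk_encryption.lvm_volumes:
 			gen_enc_file = self._disk_encryption.should_generate_encryption_file(vol)
 
@@ -477,8 +485,12 @@ def _generate_key_file_lvm_volumes(self) -> None:
 			)
 
 			if gen_enc_file and not vol.is_root():
-				info(f'Creating key-file: {vol.dev_path}')
-				luks_handler.create_keyfile(self.target)
+				if root_is_encrypted:
+					info(f'Creating key-file: {vol.dev_path}')
+					luks_handler.create_keyfile(self.target)
+				else:
+					info(f'Adding passphrase-based crypttab entry for {vol.dev_path}')
+					luks_handler.create_crypttab_entry(self.target)
 
 			if vol.is_root() and not gen_enc_file:
 				if self._disk_encryption.hsm_device: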
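Review bot: `root_is_encrypted` in `_generate_key_files_partitions` (first hunk) is derived only from `self._disk_encryption.partitions`, and its twin in `_generate_key_file_lvm_volumes` (third hunk) only from `lvm_volumes`, so if a configuration can populate both lists, a root encrypted as an LVM volume makes the partition loop fall back to a passphrase entry even though a keyfile under `self.target` would land on encrypted storage; that is the safe direction, but it is inconsistent and the two methods now carry an identical branch. Whether both lists can be non-empty at once is not visible here; if they can, one shared check covers both: `root_is_encrypted = any(p.is_root() for p in self._disk_encryption.partitions) or any(v.is_root() for v in self._disk_encryption.lvm_volumes)`. A one-line comment on the new flag, `# a keyfile is only written when the root filesystem it lands on is itself encrypted`, would make the security intent explicit at the decision point. The two loops also log the same event at different levels (`debug` in the partition path, `info` in the LVM path); aligning them helps when auditing which path an install took.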