Linux – Prompt for password during boot with systemd service

Tags: arch linux, systemd, truecrypt

This is relevant to Arch Linux (and perhaps other distributions using systemd). I want to mount a TrueCrypt partition at boot. With the old sysvinit, this was pretty straight forward with a script called by rc.local.

I got to my current by hijacking an Arch forum thread. There's another thread where this systemd-devel thread is talked about as "having the solution," however it's not apparent to me what it actually is, and the OP has the last post stating that he wasn't able to accomplish his goal.

From the looks of it this person is doing it, but was looking for a way to turn off continuous boot messages while he types the password. I posted there as well asking for him to post his actual .service file.

In searching quite a bit, people mention that they have been successful or that it's possible, but don't spell out exactly what the solution was.

I'm as far as being able to unlock the partition from the command line via a systemd service (which in turn gives me the ability to automatically dismount it on shutdown/reboot), but I have to do it manually once logged in. I'd really like the boot process to pause and ask me for the password.

Here's my current script:

[Unit]
Description=Truecrypt Setup for vault
#DefaultDependencies=no
#Conflicts=umount.target
#Before=umount.target
#After=systemd-readahead-collect.service systemd-readahead-replay.service
#After=cryptsetup.target

[Service]
Type=oneshot
RemainAfterExit=yes
#StandardInput=tty-force
# Quoting "$(...)" keeps a password that contains spaces as a single
# argument to -p; the unquoted backtick form split it into several words.
ExecStart=/bin/sh -c '/usr/bin/truecrypt -t --protect-hidden=no -k "" --filesystem=none --slot=1 -p "$(systemd-ask-password "Enter password for truecrypt volume: ")" /dev/sda4'
# Dismount the volume when the unit is stopped (shutdown/reboot).
ExecStop=/usr/bin/truecrypt --filesystem=none -d /dev/sda4

[Install]
WantedBy=multi-user.target

I left the commented stuff in [Unit], as at some point I ran into suggestions that it should be there, but I had problems with it. The above seems to work just fine after booting/logging in… just not during.

Best Answer

  • Write a wrapper script and put it in ExecStart=
  • From the wrapper script, use systemd-ask-password <PROMPT>, read password from its stdout and feed it to truecrypt in whatever way is required
  • Don't forget to exec truecrypt from the end of your script in order not to leave an extra bash process hanging around

This will make systemd query the password immediately (if you start apache using systemctl) or using one of so-called agents (there are default ones which ask passwords using wall or directly on the console during system bootup). This is the best thing you can do to stay compliant.
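The wrapper script the answer describes, written out as an added example (not from the question or answer): it reads the password from systemd-ask-password's stdout, refuses an empty one, and execs truecrypt with the same options as the unit above. The script path, device and truecrypt location are assumptions; the stub-friendly variables exist only so the script can be exercised without real hardware.

```shell
#!/bin/sh
# truecrypt-vault.sh: wrapper called from the unit as
#   ExecStart=/usr/local/bin/truecrypt-vault.sh start
#   ExecStop=/usr/local/bin/truecrypt-vault.sh stop
# Paths and device below are assumptions; adjust for your system.
DEVICE="${DEVICE:-/dev/sda4}"
TRUECRYPT="${TRUECRYPT:-/usr/bin/truecrypt}"
ASK_PASSWORD="${ASK_PASSWORD:-systemd-ask-password}"

# Ask systemd for the password. At boot the console agent shows the
# prompt; under systemctl the terminal does. --timeout=0 waits forever
# instead of failing after the default 90 seconds.
ask_password() {
    "$ASK_PASSWORD" --timeout=0 "Enter password for truecrypt volume: "
}

mount_volume() {
    pw=$(ask_password) || return 1
    if [ -z "$pw" ]; then
        echo "truecrypt-vault: empty password, not mounting" >&2
        return 1
    fi
    # "$pw" stays one argument even with spaces, unlike the unquoted
    # backtick form. -p still exposes the password in the process list
    # while truecrypt runs; if your build can read it from stdin
    # (check truecrypt -t --help), prefer that. exec replaces this
    # shell so no extra process is left behind.
    exec "$TRUECRYPT" -t --protect-hidden=no -k "" --filesystem=none \
        --slot=1 -p "$pw" "$DEVICE"
}

unmount_volume() {
    exec "$TRUECRYPT" -t --filesystem=none -d "$DEVICE"
}

case "${1:-}" in
    start) mount_volume ;;
    stop)  unmount_volume ;;
esac
```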
