[mirror_zfs.git] / contrib / dracut / 90zfs / zfs-load-key.sh.in

#!/bin/sh
# shellcheck disable=SC2154

# only run this on systemd systems, we handle the decrypt in mount-zfs.sh in the mount hook otherwise
[ -e /bin/systemctl ] || [ -e /usr/bin/systemctl ] || return 0

# shellcheck source=zfs-lib.sh.in
. /lib/dracut-zfs-lib.sh

decode_root_args || return 0

# There is a race between the zpool import and the pre-mount hooks, so we wait for a pool to be imported
while ! systemctl is-active --quiet zfs-import.target; do
    systemctl is-failed --quiet zfs-import-cache.service zfs-import-scan.service && return 1
    sleep 0.1s
done

BOOTFS="$root"
if [ "$BOOTFS" = "zfs:AUTO" ]; then
    BOOTFS="$(zpool get -Ho value bootfs | grep -m1 -vFx -)"
fi

[ "$(zpool get -Ho value feature@encryption "${BOOTFS%%/*}")" = 'active' ] || return 0

_load_key_cb() {
    dataset="$1"

    ENCRYPTIONROOT="$(zfs get -Ho value encryptionroot "${dataset}")"
    [ "${ENCRYPTIONROOT}" = "-" ] && return 0

    [ "$(zfs get -Ho value keystatus "${ENCRYPTIONROOT}")" = "unavailable" ] || return 0

    KEYLOCATION="$(zfs get -Ho value keylocation "${ENCRYPTIONROOT}")"
    case "${KEYLOCATION%%://*}" in
        prompt)
            for _ in 1 2 3; do
                systemd-ask-password --no-tty "Encrypted ZFS password for ${dataset}" | zfs load-key "${ENCRYPTIONROOT}" && break
            done
            ;;
        http*)
            systemctl start network-online.target
            zfs load-key "${ENCRYPTIONROOT}"
            ;;
        file)
            KEYFILE="${KEYLOCATION#file://}"
            [ -r "${KEYFILE}" ] || udevadm settle
            [ -r "${KEYFILE}" ] || {
                info "ZFS: Waiting for key ${KEYFILE} for ${ENCRYPTIONROOT}..."
                for _ in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
                    sleep 0.5s
                    [ -r "${KEYFILE}" ] && break
                done
            }
            [ -r "${KEYFILE}" ] || warn "ZFS: Key ${KEYFILE} for ${ENCRYPTIONROOT} hasn't appeared. Trying anyway."
            zfs load-key "${ENCRYPTIONROOT}"
            ;;
        *)
            zfs load-key "${ENCRYPTIONROOT}"
            ;;
    esac
}

_load_key_cb "$BOOTFS"
for_relevant_root_children "$BOOTFS" _load_key_cb
Commit	Line	Data
16692e6b	1	#!/bin/sh
6fc30992	2	# shellcheck disable=SC2154
7da8f8d8	3
6f259b59	4	# only run this on systemd systems, we handle the decrypt in mount-zfs.sh in the mount hook otherwise
984362a7	5	[ -e /bin/systemctl ] \|\| [ -e /usr/bin/systemctl ] \|\| return 0
6f259b59	6
245529d8 AZ	7	# shellcheck source=zfs-lib.sh.in
245529d8 AZ	8	. /lib/dracut-zfs-lib.sh
7da8f8d8	9
245529d8	10	decode_root_args \|\| return 0
7da8f8d8 MT	11
7da8f8d8 MT	12	# There is a race between the zpool import and the pre-mount hooks, so we wait for a pool to be imported
245529d8 AZ	13	while ! systemctl is-active --quiet zfs-import.target; do
245529d8 AZ	14	systemctl is-failed --quiet zfs-import-cache.service zfs-import-scan.service && return 1
7da8f8d8 MT	15	sleep 0.1s
	16	done
	17
245529d8 AZ	18	BOOTFS="$root"
	19	if [ "$BOOTFS" = "zfs:AUTO" ]; then
	20	BOOTFS="$(zpool get -Ho value bootfs \| grep -m1 -vFx -)"
7da8f8d8 MT	21	fi
7da8f8d8 MT	22
fec2c613 AZ	23	[ "$(zpool get -Ho value feature@encryption "${BOOTFS%%/*}")" = 'active' ] \|\| return 0
fec2c613 AZ	24
30c6dce7 AZ	25	_load_key_cb() {
	26	dataset="$1"
	27
	28	ENCRYPTIONROOT="$(zfs get -Ho value encryptionroot "${dataset}")"
	29	[ "${ENCRYPTIONROOT}" = "-" ] && return 0
	30
	31	[ "$(zfs get -Ho value keystatus "${ENCRYPTIONROOT}")" = "unavailable" ] \|\| return 0
	32
	33	KEYLOCATION="$(zfs get -Ho value keylocation "${ENCRYPTIONROOT}")"
	34	case "${KEYLOCATION%%://*}" in
	35	prompt)
	36	for _ in 1 2 3; do
	37	systemd-ask-password --no-tty "Encrypted ZFS password for ${dataset}" \| zfs load-key "${ENCRYPTIONROOT}" && break
fec2c613	38	done
30c6dce7 AZ	39	;;
	40	http*)
	41	systemctl start network-online.target
	42	zfs load-key "${ENCRYPTIONROOT}"
	43	;;
	44	file)
	45	KEYFILE="${KEYLOCATION#file://}"
	46	[ -r "${KEYFILE}" ] \|\| udevadm settle
	47	[ -r "${KEYFILE}" ] \|\| {
	48	info "ZFS: Waiting for key ${KEYFILE} for ${ENCRYPTIONROOT}..."
	49	for _ in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
	50	sleep 0.5s
	51	[ -r "${KEYFILE}" ] && break
	52	done
	53	}
	54	[ -r "${KEYFILE}" ] \|\| warn "ZFS: Key ${KEYFILE} for ${ENCRYPTIONROOT} hasn't appeared. Trying anyway."
	55	zfs load-key "${ENCRYPTIONROOT}"
	56	;;
	57	*)
	58	zfs load-key "${ENCRYPTIONROOT}"
	59	;;
	60	esac
	61	}
	62
	63	_load_key_cb "$BOOTFS"
	64	for_relevant_root_children "$BOOTFS" _load_key_cb