LUKS fallback to password with systemd initrd

quasimap · July 11, 2023, 6:25pm

I have the following code which unlocks a (an?) LUKS encrypted volume with a keyfile on a USB drive not:

  boot.initrd.luks.devices."enc".device = "/dev/disk/by-label/container";
  boot.initrd.luks.devices."enc".keyFile = "/dev/sda";
  boot.initrd.luks.devices."enc".keyFileSize = 4096;

I am using the systemd initrd, so if I enable boot.initrd.luks.devices."enc".fallbackToPassword = true; then I get the following error:

error:
Failed assertions:
- boot.initrd.luks.devices.<name>.fallbackToPassword is implied by systemd stage 1.

However, if I don’t insert the USB, the system does not present a password prompt. Is there a way (while still using systemd initrd) to get the system to fall back to a password prompt if the USB stick is not inserted?

quasimap · July 11, 2023, 10:46pm

I was able to solve the problem by setting boot.initrd.luks.devices."enc".keyFileTimeout = 5; and now systemd will ask for a password after 5 seconds if the USB stick is not found. Previously, both the LUKS volume and the keyfile had a timeout of 90 seconds (with the default setting of null), so they would both fail at the same time (at least that’s what seemed to be happening based on watching the boot process with the “debug” kernel parameter enabled).