agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0

Add silent fail feature #85

Open dramm33 opened 2 years ago

dramm33 commented 2 years ago

As per #68, I added an option to auto-skip unlock.

I called it "silent fail" since I lack a better name for it. It's not really silent since it still outputs that decryption was tried and skipped.

Vincent43 commented 2 years ago

I'm a bit skeptical about adding this as it may be too uncommon a use case, while I'm trying to limit the number of settings in order to make the code simpler. Do you ever need to unlock this partition at boot? If not, then you may just remove the ykfde hook from the initramfs and unlock it later with ykfde-open if needed.

dramm33 commented 2 years ago

I'm using ykfde to unlock a fully encrypted disk (which doesn't have OS/boot files).

That being said, the files on the disk are accessed by some system services, which means unlocking it at login isn't an option.

The main advantage I see when using the hook is that when I don't want the drive unlocked, I just need to remove the YubiKey before starting the computer. And if I need to use the YubiKey for some other authentication later, I can just plug it in without worrying about having the drive accidentally unlocked.

As for being too uncommon, I guess it depends on whether or not you want to consider computers with multiple drives. I agree that it doesn't make sense for something like a laptop with only one fully encrypted disk.

Vincent43 commented 2 years ago

I think what's uncommon in your setup is not the multiple drives used but the fact that the OS data is unencrypted, which doesn't follow the full disk encryption concept to which this project was dedicated (as its name tells).

dramm33 commented 2 years ago

Yeah, I will eventually encrypt the OS disk as well. But I'm postponing since I will still need to keep the other disk on a different level of security. So I'd need to use two YubiKeys (one for the OS disk and the other for the protected data disk).

Since the computer is on most of the time, having everything under one encryption would mean keeping unnecessary data unencrypted all the time, which I'm not a big fan of.

Anyway, I digress. Feel free to close the request.

agherzan commented 2 years ago

I see @Vincent43's point on added complexity for an uncommon use case. I find your setup very custom and I'm not sure if we have more people that would use something similar. I'd say to park this for a while and wait for feedback on the issue.