fetzerms / cryptboot-ssh

Retrieve cryptsetup keyfiles via ssh automatically at boot.
GNU General Public License v2.0
18 stars, 9 forks

Support fallback to askpass in case the cryptvm cannot be reached #10

Closed sscheib closed 5 years ago

sscheib commented 6 years ago

If the keyserver is not reachable for whatever reason, there is no possibility to manually enter the LUKS keyphrase. When connected to the VM which is not able to reach the keyserver (clientVM), the following error happens:

~ # cryptroot-unlock
Error: Timeout reached while waiting for askpass.

Is this an intended behaviour? I was under the impression, that whenever the keyserver is not reachable, there is always the possibility to manually enter the password.

The problem looks like the following on the clientVM: [screenshot: clientvm]

fetzerms commented 6 years ago

This is currently on purpose. The script could be extended to fall back to askpass - but I am not sure if this is a good idea. Probably better than dropping to a shell.

I think reacting to an appropriate CRYPTTAB_TRIED and then falling back to askpass looks like a good idea. But I'm not sure if there is a generic / good way for this.

Maybe the client-script-wrappers should be updated in order to allow to configure the fallback method.
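One way the fallback discussed above could look, as an added example that is not code from the cryptboot-ssh project: a keyscript wrapper that consults the keyserver only on the first attempt (CRYPTTAB_TRIED=0) and otherwise, or whenever the fetch fails or returns nothing, hands over to /lib/cryptsetup/askpass. Debian's cryptsetup initramfs scripts run a keyscript with CRYPTTAB_NAME, CRYPTTAB_SOURCE and CRYPTTAB_TRIED in the environment and read the key bytes from its stdout, which is what this relies on. The fetch command (an ssh call to a placeholder host and key path), the timeout value and the variable names KEY_FETCH_CMD, ASKPASS and FETCH_TIMEOUT are assumptions for the example, not the project's interface.

```shell
#!/bin/sh
# Added example (not cryptboot-ssh's own code): a cryptsetup keyscript wrapper
# that tries the keyserver first and falls back to askpass, keyed on
# CRYPTTAB_TRIED. Debian's cryptsetup initramfs scripts invoke a keyscript
# with CRYPTTAB_NAME, CRYPTTAB_SOURCE and CRYPTTAB_TRIED in the environment
# and read the key material from its stdout (see crypttab(5)).
#
# Assumed/hypothetical settings, override via the environment:
#   KEY_FETCH_CMD  command that prints the key on success (here an ssh call
#                  with a placeholder host and key path)
#   ASKPASS        the interactive prompt helper
#   FETCH_TIMEOUT  seconds to wait for the keyserver before giving up
KEY_FETCH_CMD="${KEY_FETCH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=5 keyserver.example cat /srv/keys/\${CRYPTTAB_NAME}}"
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"
FETCH_TIMEOUT="${FETCH_TIMEOUT:-10}"

# Run the fetch command under a hard timeout (when the timeout utility is
# available) so an unreachable keyserver cannot stall the boot for good.
# The key bytes go to stdout.
fetch_remote_key() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$FETCH_TIMEOUT" sh -c "$KEY_FETCH_CMD"
    else
        sh -c "$KEY_FETCH_CMD"
    fi
}

# First attempt (CRYPTTAB_TRIED=0): ask the keyserver and fall back to
# askpass if it fails or returns nothing. Any retry goes straight to askpass,
# so a wrong or unreachable keyserver never locks the admin out at the console.
get_key() {
    tmp=$(mktemp) || return 1
    if [ "${CRYPTTAB_TRIED:-0}" -eq 0 ] \
        && fetch_remote_key >"$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        cat "$tmp"          # binary-safe: the key is never captured via $(...)
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    echo "cryptboot-ssh: no key from keyserver, falling back to askpass" >&2
    "$ASKPASS" "Please unlock disk ${CRYPTTAB_NAME:-unknown} (${CRYPTTAB_SOURCE:-?}): "
}

# Only act as a keyscript when invoked by cryptsetup (CRYPTTAB_NAME is set);
# otherwise the functions above are merely defined, for reuse or testing.
if [ -n "$CRYPTTAB_NAME" ]; then
    get_key
    exit $?
fi
```

To wire it in, the crypttab entry would reference the script, e.g. `root-hdd /dev/sda1 none luks,keyscript=/usr/local/sbin/cryptboot-fallback` (paths assumed), and, as noted later in this thread, cryptsetup itself must be present in the initramfs (CRYPTSETUP=y on Debian-based initramfs-tools setups) before running update-initramfs -u, which also copies the referenced keyscript into the image. The temporary file lives on the initramfs tmpfs, so the fetched key never touches persistent storage.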

459below commented 5 years ago

Do you know that you can just

cryptsetup open /dev/sda1 root-hdd
*ENTER PASSWORD*
exit

and it will just continue as usual?

It should say this in the documentation. Granted, it takes a while until the process drops you to the shell, but you will always get back into the system.

However this is one reason why I'm trying to setup a keyserver on Android.

459below commented 5 years ago

Reopening, since it needs another PR for cryptsetup to work in initramfs. Sorry, I always set the CRYPTSETUP=y parameter and took it for granted.