random-archer / mkinitcpio-systemd-tool

Provisioning tool for systemd in initramfs (systemd-tool)
https://www.archlinux.org/packages/community/any/mkinitcpio-systemd-tool/

Provide LUKS passphrase via SSH non-interactively #85

Open pschmitt opened 3 years ago

pschmitt commented 3 years ago

Heyhey thanks for making this great piece of tech :)

I've been trying to use ansible to auto-unlock a system. Is there a way to do so?

So far I've tried echo "passPhrasexxx" | ssh root@example.com but that doesn't work. Am I missing something obvious I can do instead?

pschmitt commented 3 years ago

Been digging around a bit. The best I could come up with (that works) is the following:

ssh root@example.com /usr/bin/cryptsetup luksOpen /dev/sda2 root - <<< "secretPassPhrase69420"

while ! ssh root@example.com /usr/bin/test -e /dev/mapper/root
do
  sleep 1
done

ssh root@example.com /usr/bin/systemctl restart systemd-cryptsetup@root.service

EDIT: The test part is probably not necessary, i.e.:

ssh root@example.com /usr/bin/cryptsetup luksOpen /dev/sda2 root - <<< "secretPassPhrase69420"
ssh root@example.com /usr/bin/systemctl restart systemd-cryptsetup@root.service

Andrei-Pozolotin commented 3 years ago

@pschmitt Philipp: looks like you have a solution already; is there anything more you need than that?

pschmitt commented 3 years ago

While the commands I posted above do kinda work, they are not exactly general enough to scale (you'd need to know the root device name or UUID, which leads to another ssh call).

Ideally, for my use case, the unlock and boot of the system would be achievable within a single ssh call, similarly to what can be done with dracut-sshd, where you can do echo Password | ssh example.com.

Long story short: what I am asking for is another script_entry value or something similar that would just read the passphrase from stdin and attempt the unlock non-interactively.
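
A script in the spirit of what is asked for here (read the passphrase from stdin, locate the root mapping without the caller naming the device, open it, then restart the cryptsetup unit exactly as the two manual ssh commands earlier in this thread do). This is an added example, not code from mkinitcpio-systemd-tool or from any commenter. It assumes the initramfs carries an /etc/crypttab that names the mapping (default name "root"), that cryptsetup and systemctl are on PATH there, and that restarting systemd-cryptsetup@root.service is the right way to resume boot, as in the manual sequence; the script name, install path and the sample crypttab lines in the usage note are made up.

```shell
#!/bin/sh
# luks-unlock-stdin.sh -- added example, NOT part of mkinitcpio-systemd-tool.
# Reads one LUKS passphrase from stdin, resolves the mapping's source device
# from the initramfs /etc/crypttab, opens it, and restarts the
# systemd-cryptsetup unit so boot continues. Nothing is prompted for and the
# passphrase never appears in argv or in the shell history of the remote side.

set -eu

CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"   # assumption: initramfs ships a crypttab
MAPNAME="${MAPNAME:-root}"              # assumption: the root mapping is "root"

# read_passphrase: take exactly one line from stdin and print it without a
# trailing newline. "|| true" keeps a final line that lacks "\n" (e.g. from
# printf '%s') usable; an empty line is rejected rather than sent to cryptsetup.
read_passphrase() {
    IFS= read -r pass || true
    [ -n "$pass" ] || { echo "empty passphrase on stdin" >&2; return 1; }
    printf '%s' "$pass"
}

# resolve_device SPEC: map the crypttab UUID=/PARTUUID=/LABEL= forms to the
# /dev/disk/by-* symlinks udev creates; plain /dev paths pass through.
resolve_device() {
    case $1 in
        UUID=*)     echo "/dev/disk/by-uuid/${1#UUID=}" ;;
        PARTUUID=*) echo "/dev/disk/by-partuuid/${1#PARTUUID=}" ;;
        LABEL=*)    echo "/dev/disk/by-label/${1#LABEL=}" ;;
        /dev/*)     echo "$1" ;;
        *) echo "unsupported device spec: $1" >&2; return 1 ;;
    esac
}

# crypttab_device NAME FILE: print the source device of mapping NAME.
# crypttab fields are: name device keyfile options; comments start with '#'.
crypttab_device() {
    name=$1; file=$2
    dev=$(awk -v n="$name" '$1 !~ /^#/ && $1 == n { print $2; exit }' "$file")
    [ -n "$dev" ] || { echo "no crypttab entry for $name in $file" >&2; return 1; }
    resolve_device "$dev"
}

# unlock: the non-interactive equivalent of
#   cryptsetup luksOpen DEV root - <<< "pass"  +  systemctl restart systemd-cryptsetup@root
# With --key-file=- cryptsetup reads stdin verbatim, INCLUDING any trailing
# newline, which is why the passphrase is re-emitted with printf '%s' and not echo.
unlock() {
    dev=$(crypttab_device "$MAPNAME" "$CRYPTTAB")
    pass=$(read_passphrase)
    if [ -e "/dev/mapper/$MAPNAME" ]; then
        echo "/dev/mapper/$MAPNAME already exists, nothing to do" >&2
        return 0
    fi
    printf '%s' "$pass" | cryptsetup open --key-file=- "$dev" "$MAPNAME"
    # assumption, following the manual sequence in this thread: restarting the
    # unit lets the rest of the initramfs boot proceed once the mapping exists.
    systemctl restart "systemd-cryptsetup@$MAPNAME.service"
}

# Only act when explicitly asked, so sourcing the file for its functions is harmless.
if [ "${1:-}" = "--run" ]; then
    unlock
fi
```

Invoked over ssh as `printf '%s' "$PASS" | ssh root@example.com /usr/local/bin/luks-unlock-stdin.sh --run` (the install path is an assumption, and the script still has to be added to the initramfs by whatever means the local setup uses); the caller never needs to know the device because the script takes it from a crypttab line such as `root UUID=3b3e6a27-5a4d-4d6e-9f3c-0123456789ab none luks` (constructed sample). The UUID symlink only exists once udev has settled, which is why the `--key-file=-` open, rather than an interactive prompt, is the only thing that should touch the passphrase.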

Andrei-Pozolotin commented 3 years ago

another script_entry value or something similar that would just read the passphrase from stdin

I see. please send a PR.