Patch to auto-mount LUKS key-file encrypted volumes

Binary package hint: hal

Feisty + Gnome, gnome-mount

With a LUKS encrypted volume on an external device, when the device is connected gnome-volume-manager calls gnome-mount which prompts for the encrypted volume password.

If the volume is *only* protected by a key-file gnome-mount fails and "sudo cryptsetup luksOpen /dev name --key-file file.key" is needed to be run manually.

As a first step to providing full support for key-files I have modified the hal script:

/usr/lib/hal/scripts/linux/hal-luks-setup-linux

I am working on a modification to gnome-mount too, so it won't prompt for a password if a valid key-file is available.

Once the patched script is installed, when plugging in a LUKS encrypted volume gnome-mount will *still* ask you for a password but you can type in anything (it will be ignored) and press Enter. gnome-mount will execute the hal script which will check for a key-file and use it if found.
If there is no matching key-file the script will show an error-dialog reporting "bad key-file?" and then ask for a password as before. This gives a chance to insert the key-file device (I have it on a USB flash key).

If you save the password you typed either for the session, or forever, you won't get the password prompt again unless the key-file isn't found.

I've added functionality at the start of the script to check /etc/crypttab and match it against the argument passed to gnome-mount by gnome-volume-manager, e.g:

     --hal-udi=/org/freedesktop/Hal/devices/volume_uuid_408e7dbc-1cad-4eff-9a06-1b1f9f60d22a

The entry in /etc/crypttab *must* use the UUID in the device column, like this, for the script to work:

# <target name> <source device> <key file> <options>
mobile120 /dev/disk/by-uuid/408e7dbc-1cad-4eff-9a06-1b1f9f60d22a /media/key3/disk.key luks

The script will match the UUID, get the device name and the key-file, and call cryptsetup luksOpen.

----- /usr/lib/hal/scripts/linux/hal-luks-setup-linux -----------------

#!/bin/bash

# Copyright (C) 2005 W. Michael Petullo <email address hidden>
# Copyright (C) 2006 David Zeuthen <email address hidden>
# Copyright (C) 2007 TJ <email address hidden>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2.

CRYPTSETUP=/sbin/cryptsetup

# detect key-file protected volume
LUKS="`grep \"${HAL_PROP_VOLUME_UUID#*_uuid_}\" /etc/crypttab`"
MAPPER="`echo $LUKS | awk '{print $1}'`"
DEVICE="`echo $LUKS | awk '{print $2}'`"
KEYFILE="`echo $LUKS | awk '{print $3}'`"

# if there is a key-file, attempt to open the LUKS device with it
if [ "x${KEYFILE}" != "x" ]; then
   if ! $CRYPTSETUP luksOpen $DEVICE luks_crypto_$HAL_PROP_VOLUME_UUID --key-file $KEYFILE 2> /dev/null; then
    echo org.freedesktop.Hal.Device.Volume.Crypto.SetupPasswordError >&2
    echo "Error setting up $HAL_PROP_BLOCK_DEVICE - bad key-file?" >&2
    exit 1
   fi
else

read PASSWORD

if [ ! -f $CRYPTSETUP ]; then
    echo org.freedesktop.Hal.Device.Volume.Crypto.CryptSetupMissing >&2
    echo Error setting up $HAL_PROP_BLOCK_DEVICE - $CRYPTSETUP not found >&2
    exit 1
fi

if [ -e /dev/mapper/luks_crypto_$HAL_PROP_VOLUME_UUID ]; then
    echo org.freedesktop.Hal.Device.Volume.Crypto.SetupError >&2
    echo $HAL_PROP_BLOCK_DEVICE is already setup? >&2
    exit 1
fi

if ! echo "$PASSWORD" | $CRYPTSETUP luksOpen $HAL_PROP_BLOCK_DEVICE luks_crypto_$HAL_PROP_VOLUME_UUID 2> /dev/null; then
    echo org.freedesktop.Hal.Device.Volume.Crypto.SetupPasswordError >&2
    echo Error setting up $HAL_PROP_BLOCK_DEVICE - bad password? >&2
    exit 1
fi

fi

hal-set-property --udi=$UDI --key="info.callouts.remove" --strlist-pre="hal-luks-remove" > /dev/null 2>&1

exit 0