Skip loading already loaded key

Don't ask for the password / try to load the key if the key for the encryptionroot is already loaded. The user might have loaded the key manually or by other means before the scripts get called. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Tom Caputi <tcaputi@datto.com> Reviewed-by: Richard Laager <rlaager@wiktel.com> Signed-off-by: Witaut Bajaryn <vitaut.bayaryn@gmail.com> Closes #9495 Closes #9529
openzfs · Nov 8, 2019 · 6c7023a · 6c7023a
1 parent 734de7c
commit 6c7023a
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 5 deletions.
diff --git a/contrib/dracut/90zfs/mount-zfs.sh.in b/contrib/dracut/90zfs/mount-zfs.sh.in
@@ -62,11 +62,15 @@ if import_pool "${ZFS_POOL}" ; then
 		# if the root dataset has encryption enabled
 		ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${ZFS_DATASET}")"
 		if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
-			# decrypt them
-			ask_for_password \
-				--tries 5 \
-				--prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \
-				--cmd "zfs load-key '${ENCRYPTIONROOT}'"
+			KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
+			# if the key needs to be loaded
+			if [ "$KEYSTATUS" = "unavailable" ]; then
+				# decrypt them
+				ask_for_password \
+					--tries 5 \
+					--prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \
+					--cmd "zfs load-key '${ENCRYPTIONROOT}'"
+			fi
 		fi
 	fi
 	# Let us tell the initrd to run on shutdown.

diff --git a/contrib/dracut/90zfs/zfs-load-key.sh.in b/contrib/dracut/90zfs/zfs-load-key.sh.in
@@ -38,6 +38,9 @@ if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{prin
     # if the root dataset has encryption enabled
     ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
     if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+        KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
+        # continue only if the key needs to be loaded
+        [ "$KEYSTATUS" = "unavailable" ] || exit 0
         # decrypt them
         TRY_COUNT=5
         while [ $TRY_COUNT -gt 0 ]; do

diff --git a/contrib/initramfs/scripts/zfs.in b/contrib/initramfs/scripts/zfs.in
@@ -414,6 +414,9 @@ decrypt_fs()
 
 		# If root dataset is encrypted...
 		if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+			KEYSTATUS="$(${ZFS} get -H -o value keystatus "${ENCRYPTIONROOT}")"
+			# Continue only if the key needs to be loaded
+			[ "$KEYSTATUS" = "unavailable" ] || return 0
 			TRY_COUNT=3
 			# Prompt with plymouth, if active
 			if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then

diff --git a/etc/systemd/system-generators/zfs-mount-generator.in b/etc/systemd/system-generators/zfs-mount-generator.in
@@ -182,6 +182,8 @@ process_line() {
         keyloadcmd="@sbindir@/zfs load-key '${dataset}'"
       elif [ "${p_keyloc}" = "prompt" ] ; then
         keyloadcmd="sh -c 'set -eu;"\
+"keystatus=\"\$\$(@sbindir@/zfs get -H -o value keystatus \"${dataset}\")\";"\
+"[ \"\$\$keystatus\" = \"unavailable\" ] || exit 0;"\
 "count=0;"\
 "while [ \$\$count -lt 3 ];do"\
 "  systemd-ask-password --id=\"zfs:${dataset}\""\