If you have encrypted your disk and use clevis to unlock the root partition automatically (bound to the TPM2), it is very annoying to still see the askpass banner asking you to enter the decryption passphrase.
As you know if you have used clevis, this banner is pointless: clevis already decrypts the disk for you and, once it is decrypted, the boot process continues.
This is how you can get rid of the banner on Ubuntu (easily adapted to other distros, just update the paths of the lsblk and blkid binaries) while keeping the fallback: if the automatic decryption fails, askpass will still prompt you for the passphrase to unlock the disk.
Run the following command in a shell to create the keyscript (the heredoc is quoted so nothing is expanded before it reaches the file, and tee is used so the write itself runs as root):
cat <<"EOF" | sudo tee /lib/cryptsetup/scripts/clevis_decrypt > /dev/null
#!/bin/bash
# cryptsetup keyscript: print the LUKS passphrase on stdout (no trailing newline).
# cryptsetup-initramfs exports CRYPTTAB_NAME, CRYPTTAB_SOURCE and CRYPTTAB_TRIED to it.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin"
set -o pipefail

# Fall back to locating the LUKS container ourselves (skipping eMMC devices)
# if CRYPTTAB_SOURCE was not passed in.
if [ -z "$CRYPTTAB_SOURCE" ]; then
    UUID=$(lsblk -rno NAME,FSTYPE,UUID | awk '$2 == "crypto_LUKS" && $1 !~ /^mmc/ { print $3; exit }')
    CRYPTTAB_SOURCE=$(blkid --uuid "$UUID")
fi

if [ "${CRYPTTAB_TRIED:-0}" -ge 1 ]; then
    # The automatic unlock already failed once: fall back to the interactive prompt.
    exec /lib/cryptsetup/askpass "Please, write the encryption key or contact IBA IS to decrypt $CRYPTTAB_SOURCE ($CRYPTTAB_NAME): "
fi

# Try every clevis token in the LUKS header and stop at the first one that decrypts.
for id in $(cryptsetup luksDump "$CRYPTTAB_SOURCE" | sed -rn 's|^\s+([0-9]+): clevis|\1|p'); do
    cte=$(cryptsetup token export --token-id "$id" "$CRYPTTAB_SOURCE") || continue
    # jose jwe fmt -c outputs an extra \n, so clean it up
    jwe=$(printf '%s' "$cte" | jose fmt -j- -Og jwe -o- | jose jwe fmt -i- -c | tr -d '\n') || continue
    decrypted=$(printf '%s' "$jwe" | clevis decrypt 2>/dev/null) || continue
    # Fail safe: never hand an empty passphrase to cryptsetup
    [ -n "$decrypted" ] || continue
    printf '%s' "$decrypted"
    exit 0
done

# Nothing decrypted: fail this attempt so the next one (CRYPTTAB_TRIED=1) prompts via askpass.
exit 1
EOF
Then make the script executable:
sudo chmod 755 /lib/cryptsetup/scripts/clevis_decrypt
The script needs the lsblk binary, which the initramfs does not otherwise contain, so we add it with an initramfs-tools hook (quoted heredoc again, so the $1/$2 in die() reach the file intact; the hook also answers the prereqs call that update-initramfs makes):
cat <<"EOF" | sudo tee /usr/share/initramfs-tools/hooks/clevis_decrypt > /dev/null
#!/bin/sh
# initramfs-tools hook: copy lsblk into the initramfs for the clevis_decrypt keyscript
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

die() {
    code="$1"
    msg="$2"
    echo " (ERROR): $msg" >&2
    exit "$code"
}

. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/bin/lsblk || die 1 "/usr/bin/lsblk not found"
EOF
Make the hook executable as well:
sudo chmod 755 /usr/share/initramfs-tools/hooks/clevis_decrypt
The last change is to /etc/crypttab: add a keyscript= option pointing at our script to the options of the root entry (backup! backup! backup!). The sed below assumes that entry carries the discard option and keeps it (dropping discard would disable TRIM passthrough); if your crypttab has no discard, or other entries that also use it, edit the options field of the root entry by hand instead:
sudo cp /etc/crypttab /etc/crypttab.bkp
sudo sed -i 's|discard|discard,keyscript=/lib/cryptsetup/scripts/clevis_decrypt|' /etc/crypttab
Last step, we rebuild the initrd so it includes the keyscript and lsblk, and check that both actually landed in it:
sudo update-initramfs -u
lsinitramfs /boot/initrd.img | grep -E 'lsblk|clevis_decrypt'
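Two checks worth running before rebooting, as an added example that is not code from the original post: apply the crypttab change with a small awk function that appends keyscript= to the options of one named entry (whether or not it has discard, leaving the other entries alone), and run the keyscript exactly the way cryptsetup-initramfs invokes it, verifying the passphrase it prints with cryptsetup's --test-passphrase so nothing gets activated. The sample crypttab is constructed, and the device path in the dry-run comment is a placeholder.

```shell
#!/bin/bash
# Added helper (not part of the original post): safely add keyscript= to one
# crypttab entry, and dry-run the keyscript the way cryptsetup-initramfs does.

# crypttab_set_keyscript TARGET SCRIPT
#   Reads a crypttab on stdin and writes it to stdout with "keyscript=SCRIPT"
#   appended to the options of the entry named TARGET. Other entries, comments
#   and blank lines pass through unchanged; an existing keyscript= on the target
#   is replaced; discard and the other options are kept.
crypttab_set_keyscript() {
    awk -v target="$1" -v ks="keyscript=$2" '
        NF == 0 || $1 ~ /^#/ || $1 != target { print; next }
        {
            if (NF < 3) $3 = "none"               # key file field is mandatory
            if (NF < 4) { $4 = ks; print; next }  # no options yet
            n = split($4, opt, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^keyscript=/) continue   # drop a stale keyscript=
                out = out (out == "" ? "" : ",") opt[i]
            }
            $4 = (out == "" ? ks : out "," ks)
            print
        }'
}

# keyscript_dry_run SCRIPT DEVICE [NAME]
#   Invokes SCRIPT with the CRYPTTAB_* variables cryptsetup-initramfs exports on
#   the first attempt (CRYPTTAB_TRIED=0) and checks the passphrase it prints with
#   --test-passphrase, so the device is not activated. Needs root and a real LUKS
#   partition, e.g. (placeholder path):
#   keyscript_dry_run /lib/cryptsetup/scripts/clevis_decrypt /dev/nvme0n1p3
keyscript_dry_run() {
    CRYPTTAB_NAME="${3:-cryptroot}" CRYPTTAB_SOURCE="$2" CRYPTTAB_TRIED=0 "$1" \
        | cryptsetup open --test-passphrase --key-file - "$2"
}

# Constructed sample crypttab (not from a real system) for the demonstration.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
cryptroot UUID=0c1a7e3a-1111-2222-3333-444455556666 none luks,discard
cryptswap /dev/nvme0n1p4 /dev/urandom swap,cipher=aes-xts-plain64,size=256'

# Only the cryptroot entry gains the keyscript; cryptswap is untouched.
printf '%s\n' "$SAMPLE_CRYPTTAB" \
    | crypttab_set_keyscript cryptroot /lib/cryptsetup/scripts/clevis_decrypt
```

After sourcing the file, run the edit on a copy first (`crypttab_set_keyscript cryptroot /lib/cryptsetup/scripts/clevis_decrypt < /etc/crypttab > /tmp/crypttab.new`, then diff it against /etc/crypttab) before moving it into place and rerunning update-initramfs -u. For the dry run, an exit status of 0 from cryptsetup means clevis produced a passphrase that opens the header; a non-zero status is exactly what will trigger the askpass fallback at boot, so fix it before rebooting.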
Now reboot: the banner is gone and clevis unlocks the disk automatically, and if the automatic decryption fails you are asked for the passphrase so the system can still boot.