- Package: cryptsetup-initramfs
- Source: cryptsetup
- Submitter: Roland Tapken
- Date: 2026-04-12 19:55:01 UTC
- Severity: wishlist
If someone is using an encrypted root fs, and the laptop unintentionally turns on, it would wait for the passphrase until the battery is empty (that's what happened to me yesterday). For this reason please let me suggest adding a timeout option to crypttab, which will turn the system off if the passphrase (or the key) has not been provided within the given period of time. I've added a proof-of-concept patch to /usr/share/initramfs-tools/scripts/local-top/cryptroot and /usr/lib/cryptsetup/functions which introduces this feature. I know that there is a similar report #509070 from 2008, but while that report suggests skipping the device for convenience reasons, my report is about protecting the system's battery. Best regards, Roland
Just adding my two cents here, since Guilhem referenced that bug on the mailing list: a) How does a laptop turn on unintentionally? ;-) b) Adding such a feature (and enabling it by default) has IMO also some dangers. Consider that such a system would constantly be powered on automatically (Wake-On-LAN or similar features of servers)... in such a case, if the cryptroot keyscript wouldn't finish in due time (e.g. because no one enters the passphrase or so), it might end up in a powerup/powerdown cycle... which is probably no good for the hardware. Cheers, Chris.
Hello Chris, It happens from time to time on my Dell Latitude 9420. I've shut the system down in the evening and later (or the next morning) I saw that the display was on and waiting for the passphrase. It even happened twice when it was stored in my laptop case. It seems that this problem is sporadically seen on Dell laptops, maybe a hardware fault. But it could also happen on any other laptop if you accidentally selected reboot instead of poweroff and closed the lid, or if the laptop has a power-on-lid feature. Well, then don't enable it for servers? The patch doesn't add a timeout by default, only if defined in crypttab. Best Regards, Roland
I have modified the patches to work with Debian 12 Bookworm. Most noticeably, the "poweroff" command must now be called with the parameter "-f" to switch off the system while waiting for an input.
On Tue, 13 Jun 2023 12:43:28 +0200 Roland Tapken <debian@tmp.dau-sicher.de> wrote:
> I have modified the patches to work with Debian 12 Bookworm.
>
> Most noticeably, the "poweroff" command must now be called with the parameter
> "-f" to switch off the system while waiting for an input.

In case of an initramfs using busybox (in my case, this could be due to the Ubuntu-based Pop!_OS, but I'm leaving the comment here because there might be other possibilities for this to happen, I assume...): `poweroff` is a built-in command and needs to be used as such (without the path "/usr/sbin/..." and without the "-f" switch).
Since there's no real way to vote for issues, I'd give this a +1. I'd love to see something like this added to prevent the machine from just sitting at the decrypt prompt until the battery runs out.