From e30738c20c0651b2d4222f551047dea93c800f33 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 17 Nov 2025 16:42:58 +0100 Subject: [PATCH] dissect-tool: accept encryption password via $PASSWORD --- docs/ENVIRONMENT.md | 4 ++-- src/dissect/dissect.c | 9 ++++++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md index 5732c217aaa..f2a7d25edbe 100644 --- a/docs/ENVIRONMENT.md +++ b/docs/ENVIRONMENT.md @@ -578,8 +578,8 @@ disk images with `--image=` or similar: environment variable to the build directory and you are set. This variable is only supported when systemd is compiled in developer mode. -Various tools that read passwords from the TTY, such as `systemd-cryptenroll` -and `homectl`: +Various tools that read passwords from the TTY, such as `systemd-cryptenroll`, +`systemd-dissect` and `homectl`: * `$PASSWORD` — takes a string: the literal password to use. If this environment variable is set it is used as password instead of prompting the diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c index 1a8fa52fce8..d244822c133 100644 --- a/src/dissect/dissect.c +++ b/src/dissect/dissect.c @@ -2152,8 +2152,15 @@ static int run(int argc, char *argv[]) { return log_error_errno(r, "Failed to guess verity root hash: %m"); if (arg_action != ACTION_DISSECT) { + _cleanup_(erase_and_freep) char *envpw = NULL; + + r = getenv_steal_erase("PASSWORD", &envpw); + if (r < 0) + return log_error_errno(r, "Failed to acquire password from environment: %m"); + r = dissected_image_decrypt_interactively( - m, NULL, + m, + envpw, &arg_verity_settings, arg_image_policy, arg_flags); -- 2.47.3