dissect-tool: accept encryption password via $PASSWORD

2026-04-14 00:14:32 +09:00 · 2025-11-17 16:42:58 +01:00
parent d343a044a2
commit e30738c20c
2 changed files with 10 additions and 3 deletions
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -578,8 +578,8 @@ disk images with `--image=` or similar:
  environment variable to the build directory and you are set. This variable
  is only supported when systemd is compiled in developer mode.

-Various tools that read passwords from the TTY, such as `systemd-cryptenroll`
-and `homectl`:
+Various tools that read passwords from the TTY, such as `systemd-cryptenroll`,
+`systemd-dissect` and `homectl`:

 * `$PASSWORD` — takes a string: the literal password to use. If this
  environment variable is set it is used as password instead of prompting the
--- a/src/dissect/dissect.c
+++ b/src/dissect/dissect.c
@@ -2152,8 +2152,15 @@ static int run(int argc, char *argv[]) {
                                        return log_error_errno(r, "Failed to guess verity root hash: %m");

                                if (arg_action != ACTION_DISSECT) {
+                                        _cleanup_(erase_and_freep) char *envpw = NULL;
+
+                                        r = getenv_steal_erase("PASSWORD", &envpw);
+                                        if (r < 0)
+                                                return log_error_errno(r, "Failed to acquire password from environment: %m");
+
                                        r = dissected_image_decrypt_interactively(
-                                                        m, NULL,
+                                                        m,
+                                                        envpw,
                                                        &arg_verity_settings,
                                                        arg_image_policy,
                                                        arg_flags);