Conversation

muesli4brekkies (Contributor) opened this pull request
As discussed on discord.

This PR tweaks get_crypt_dev and adds a little loop to auto-retry locating the device if it is not found first-time.

Tested on my slow device, and other faster devices, and all seems to work as expected.

The >&2 calls send stdout to stderr, allowing the eerror/einfo to print from the subshell and avoiding early-returning from the function. Instead a new variable "found_device" is used as the return - there may be a nicer way to do this, but it works for the moment.

:)

bell07 commented May 27, 2025

I use USB Yubikey for encryption. But if I connect the key to USB-docking station, the USB detection gets slow. The "try_nokey" state with password is entered before the USB detection appears.

I tried the change from this PR using gentoo's /etc/portage/patches, but did not see any difference.

[screenshot]

Can you please check if your adjustments can fix my issue? I miss the delay in the loop: all 5 attempts appear in less than 1 second without delays. Often the key is detected at the 3rd or 4th attempt and it does work, so it is not a general issue.

My /etc/ugrd/config.toml is

modules = [
  "ugrd.crypto.smartcard",
]

mount_retries = 5  # Retry mounting the rootfs 5 times, if unset, it will retry indefinitely

sc_public_key = "/root/.gnupg/public.gpg"

[mounts.boot]
type = "vfat"
path = "/dev/nvme0n1p1"

[cryptsetup.crypt_disk]
uuid = "my-disk-uuid"

key_type = "gpg"
key_file = "/boot/key.bin.gpg"
try_nokey = true

desultory (Owner) commented May 27, 2025

> I use USB Yubikey for encryption. But if I connect the key to USB-docking station, the USB detection gets slow. The "try_nokey" state with password is entered before the USB detection appears.
>
> I tried the change from this PR using gentoo's /etc/portage/patches, but did not see any difference.
>
> Can you please check if your adjustments can fix my issue? I miss the delay in the loop: all 5 attempts appear in less than 1 second without delays. Often the key is detected at the 3rd or 4th attempt and it does work, so it is not a general issue.
>
> My /etc/ugrd/config.toml is
>
> modules = [
>   "ugrd.crypto.smartcard",
> ]
>
> mount_retries = 5  # Retry mounting the rootfs 5 times, if unset, it will retry indefinitely
>
> sc_public_key = "/root/.gnupg/public.gpg"
>
> [mounts.boot]
> type = "vfat"
> path = "/dev/nvme0n1p1"
>
> [cryptsetup.crypt_disk]
> uuid = "my-disk-uuid"
>
> key_type = "gpg"
> key_file = "/boot/key.bin.gpg"
> try_nokey = true

Thanks for testing this

Can you share the /etc/profile of the generated image (for the initramfs, not the system)? That is a good way to ensure the patches are being properly applied.

https://github.com/desultory/ugrd/pull/304/files#diff-f8b554e424c1cd36dc3767b5aeed12ca4acf989bf90393b1a22efc93f89f7850R441

I think this patch defaults to 3 tries, 3 seconds. It could be updated to use a mechanism similar to this one:
https://github.com/desultory/ugrd/blob/2.0.0_pre_r2/src/ugrd/fs/mounts.py#L881-L884

It could make sense to just have it loop endlessly until the user presses a key, prompting to use a plain password. The main real advantage of a timer tuned to the speed of your device is that you see less log noise; if it retries once per second until "broken", that should be reasonably fast.
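The pattern described in the PR description (logging via `>&2` from inside a command substitution, returning the located device through a `found_device` variable) and the retry count and delay discussed in the comment above, as an added example that is not ugrd's own code. `einfo`/`eerror` here are stand-ins for the initramfs helpers, and `locate_device` is a hypothetical lookup that just checks whether a path exists; the demo at the bottom creates a device node that "appears" a second late to simulate slow USB enumeration.

```shell
#!/bin/sh
# Added example, not ugrd's own code: retry locating a block device, logging
# from inside a command substitution, and hand the result back through a
# variable rather than returning early from the function.

# Logging goes to stderr so that "$(find_device ...)" captures only the path.
# These are stand-ins for the initramfs einfo/eerror helpers.
einfo()  { printf 'info: %s\n' "$*" >&2; }
eerror() { printf 'error: %s\n' "$*" >&2; }

# Hypothetical lookup: prints the path if the node exists, else returns 1.
# On a real system this would resolve /dev/disk/by-uuid/<uuid> or similar.
locate_device() {
    [ -e "$1" ] && printf '%s' "$1"
}

# find_device PATH [RETRIES] [DELAY]
# Attempts the lookup up to RETRIES times with DELAY seconds between tries
# (assumed defaults: 3 tries, 1 second). Prints the path on stdout and
# returns 0 on success; prints nothing and returns 1 when every attempt fails.
find_device() {
    name=$1
    retries=${2:-3}
    delay=${3:-1}
    found_device=""
    i=1
    while [ "$i" -le "$retries" ]; do
        # locate_device runs in a subshell; only its stdout is captured, so
        # any einfo/eerror output inside it would not pollute found_device.
        if found_device=$(locate_device "$name") && [ -n "$found_device" ]; then
            einfo "($i/$retries) Found device: $found_device"
            break
        fi
        eerror "($i/$retries) Device not found: $name"
        if [ "$i" -lt "$retries" ]; then
            sleep "$delay"
        fi
        i=$((i + 1))
    done
    if [ -n "$found_device" ]; then
        printf '%s\n' "$found_device"
        return 0
    fi
    return 1
}

# Stand-alone demo (run with --demo): a device node that appears one second
# after the first lookup, simulating slow USB enumeration.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    (sleep 1; : > "$demo_dir/late-device") &
    if dev=$(find_device "$demo_dir/late-device" 5 1); then
        echo "opened: $dev"
    else
        echo "giving up after retries" >&2
    fi
    wait
    rm -rf "$demo_dir"
fi
```

Because the log lines go to stderr, a caller can write `dev=$(find_device /dev/disk/by-uuid/XXXX 5 1) || rd_fail ...` and still see the progress messages on the console while `dev` holds only the path. The `if assignment=$(...)` form also matters: a plain `found_device=$(locate_device ...)` would abort the whole function under `set -e` the first time the lookup fails.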

desultory (Owner) commented May 27, 2025

I think your issue is not related to mounting, but the yubikey being slow. The issue is that GPG has to attempt to use a key to query the device. If this fails, that particular attempt fails, and it retries immediately.

I think what you want is this disabled:
https://github.com/desultory/ugrd/blob/2.0.0_pre_r2/src/ugrd/crypto/cryptsetup.toml#L6

That should make you have to press a key to retry. It says space, but I think any key will work. This was the old default, but it annoyed many people.

Also if you're on a more recent version, you can use auto_mounts = ['/boot'] instead of manually defining that /boot mount block

bell07 commented May 27, 2025

My generated profile is
profile.txt

My preferred solution is: if "try_nokey" asks me for a password, I can confirm it with "Enter". Then gpg should try again to access the Yubikey. Currently, if I press enter or a wrong password, ugrd does not try gpg anymore but asks me for the password again.

Try to disable cryptsetup_autoretry now

desultory (Owner) commented

> My generated profile is profile.txt
>
> My preferred solution is: if "try_nokey" asks me for a password, I can confirm it with "Enter". Then gpg should try again to access the Yubikey. Currently, if I press enter or a wrong password, ugrd does not try gpg anymore but asks me for the password again.
>
> Try to disable cryptsetup_autoretry now

Disabling the autoretry should make it attempt gpg once, fail, and then you can wait until the device is online, press enter, and it should be able to use it.

bell07 commented May 28, 2025

I added

cryptsetup_retries = 3
cryptsetup_autoretry = false

to my config.toml. Now the retries are 3 times only, but there is no prompt for "Press space to retry".

For an unknown reason, cryptsetup_autoretry = false does not work.

EDIT: As you can see in the screenshot, I miss non-gpg messages / warnings like
Failed to run key command: gpg --decrypt /boot/key.bin.gpg
or ewarn "($i/$retries) Failed to open cryptsetup device: crypt_disk"

desultory (Owner) commented

> I added
>
> cryptsetup_retries = 3
> cryptsetup_autoretry = false
>
> to my config.toml. Now the retries are 3 times only, but there is no prompt for "Press space to retry".
>
> For an unknown reason, cryptsetup_autoretry = false does not work.
>
> EDIT: As you can see in the screenshot, I miss non-gpg messages / warnings like Failed to run key command: gpg --decrypt /boot/key.bin.gpg or ewarn "($i/$retries) Failed to open cryptsetup device: crypt_disk"

I just remembered the smartcard module automatically disables the autoretry mechanism, so it should prompt for input before attempting again.

I see the issue now. I updated the placement of some rd_fail stuff and need to add another check specifically for this. Thanks for finding this, I should have a PR ready real soon.

desultory (Owner) commented

This should fix your issue:
#308

This should make it actually check for space properly:
#309

bell07 commented Jun 2, 2025

Thank you! Installed =sys-kernel/ugrd-9999 now, and I am able to enter the PIN after the space button if the first attempt fails.
