I just tested your script on my L5 with my external SmartCardReader.
I had to hardcode ROOT_LUKS = 'crypt_root'.
Then the script ran fine when I executed it as root.
I had already connected my external SmartCardReader before pressing the power button, and I could unlock it. It also worked when I inserted it some seconds after pressing the power button.
If I enter the wrong key for my smartcard reader the decryption fails and I have to restart my Librem5.
If I just wait without the smartcard reader and enter the wrong LUKS password, I have to wait 90 seconds for my next try.
If I then enter the correct LUKS password it decrypts successfully.
Optimization points would be:
1.) ROOT_LUKS should be 'crypt_root' for Librem5
Others would just improve the user experience
2.) When it waits for the smartcard it would be good if some hint is displayed.
3.) If the smartcard operation fails, the user should get the option to try it once more.
4.) If no smartcard reader was inserted and the user enters the wrong password, they should get another chance without waiting for a new timeout.
My integrated smartcard reader is probably not working, so I could not test it with it.