author | Patrick J Volkerding <volkerdi@slackware.com> | 2023-07-08 19:46:10 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2023-07-08 22:31:26 +0200 |
commit | a59816a829a8276341c1053a594715c234b3b64b (patch) | |
tree | f7bb1d36865df7136104bb279ff50f6ffb3ce5ef /source/a/cryptsetup/rc.luks | |
parent | 6327fc766efc96c6bd10e39529150d36f9962e05 (diff) | |
Sat Jul 8 19:46:10 UTC 202320230708194610
a/cryptsetup-2.6.1-x86_64-3.txz: Rebuilt.
rc.luks: support start/stop/status.
Add a manpage for crypttab.
Thanks to PiterPunk.
a/sysvinit-scripts-15.1-noarch-6.txz: Rebuilt.
rc.M: call "rc.luks start" to unlock any volumes that are still locked.
rc.6: call "rc.luks stop" to close volumes at shutdown.
Thanks to PiterPunk.
kde/attica-5.108.0-x86_64-1.txz: Upgraded.
kde/baloo-5.108.0-x86_64-1.txz: Upgraded.
kde/bluez-qt-5.108.0-x86_64-1.txz: Upgraded.
kde/breeze-icons-5.108.0-noarch-1.txz: Upgraded.
kde/extra-cmake-modules-5.108.0-x86_64-1.txz: Upgraded.
kde/frameworkintegration-5.108.0-x86_64-1.txz: Upgraded.
kde/kactivities-5.108.0-x86_64-1.txz: Upgraded.
kde/kactivities-stats-5.108.0-x86_64-1.txz: Upgraded.
kde/kapidox-5.108.0-x86_64-1.txz: Upgraded.
kde/karchive-5.108.0-x86_64-1.txz: Upgraded.
kde/kauth-5.108.0-x86_64-1.txz: Upgraded.
kde/kbookmarks-5.108.0-x86_64-1.txz: Upgraded.
kde/kcalendarcore-5.108.0-x86_64-1.txz: Upgraded.
kde/kcmutils-5.108.0-x86_64-1.txz: Upgraded.
kde/kcodecs-5.108.0-x86_64-1.txz: Upgraded.
kde/kcompletion-5.108.0-x86_64-1.txz: Upgraded.
kde/kconfig-5.108.0-x86_64-1.txz: Upgraded.
kde/kconfigwidgets-5.108.0-x86_64-1.txz: Upgraded.
kde/kcontacts-5.108.0-x86_64-1.txz: Upgraded.
kde/kcoreaddons-5.108.0-x86_64-1.txz: Upgraded.
kde/kcrash-5.108.0-x86_64-1.txz: Upgraded.
kde/kdav-5.108.0-x86_64-1.txz: Upgraded.
kde/kdbusaddons-5.108.0-x86_64-1.txz: Upgraded.
kde/kdeclarative-5.108.0-x86_64-1.txz: Upgraded.
kde/kded-5.108.0-x86_64-1.txz: Upgraded.
kde/kdelibs4support-5.108.0-x86_64-1.txz: Upgraded.
kde/kdesignerplugin-5.108.0-x86_64-1.txz: Upgraded.
kde/kdesu-5.108.0-x86_64-1.txz: Upgraded.
kde/kdewebkit-5.108.0-x86_64-1.txz: Upgraded.
kde/kdnssd-5.108.0-x86_64-1.txz: Upgraded.
kde/kdoctools-5.108.0-x86_64-1.txz: Upgraded.
kde/kemoticons-5.108.0-x86_64-1.txz: Upgraded.
kde/kfilemetadata-5.108.0-x86_64-1.txz: Upgraded.
kde/kglobalaccel-5.108.0-x86_64-1.txz: Upgraded.
kde/kguiaddons-5.108.0-x86_64-1.txz: Upgraded.
kde/kholidays-5.108.0-x86_64-1.txz: Upgraded.
kde/khtml-5.108.0-x86_64-1.txz: Upgraded.
kde/ki18n-5.108.0-x86_64-1.txz: Upgraded.
kde/kiconthemes-5.108.0-x86_64-1.txz: Upgraded.
kde/kidletime-5.108.0-x86_64-1.txz: Upgraded.
kde/kimageformats-5.108.0-x86_64-1.txz: Upgraded.
kde/kinit-5.108.0-x86_64-1.txz: Upgraded.
kde/kio-5.108.0-x86_64-1.txz: Upgraded.
kde/kirigami2-5.108.0-x86_64-1.txz: Upgraded.
kde/kitemmodels-5.108.0-x86_64-1.txz: Upgraded.
kde/kitemviews-5.108.0-x86_64-1.txz: Upgraded.
kde/kjobwidgets-5.108.0-x86_64-1.txz: Upgraded.
kde/kjs-5.108.0-x86_64-1.txz: Upgraded.
kde/kjsembed-5.108.0-x86_64-1.txz: Upgraded.
kde/kmediaplayer-5.108.0-x86_64-1.txz: Upgraded.
kde/knewstuff-5.108.0-x86_64-1.txz: Upgraded.
kde/knotifications-5.108.0-x86_64-1.txz: Upgraded.
kde/knotifyconfig-5.108.0-x86_64-1.txz: Upgraded.
kde/kpackage-5.108.0-x86_64-1.txz: Upgraded.
kde/kparts-5.108.0-x86_64-1.txz: Upgraded.
kde/kpeople-5.108.0-x86_64-1.txz: Upgraded.
kde/kplotting-5.108.0-x86_64-1.txz: Upgraded.
kde/kpty-5.108.0-x86_64-1.txz: Upgraded.
kde/kquickcharts-5.108.0-x86_64-1.txz: Upgraded.
kde/kross-5.108.0-x86_64-1.txz: Upgraded.
kde/krunner-5.108.0-x86_64-1.txz: Upgraded.
kde/kservice-5.108.0-x86_64-1.txz: Upgraded.
kde/ktexteditor-5.108.0-x86_64-1.txz: Upgraded.
kde/ktextwidgets-5.108.0-x86_64-1.txz: Upgraded.
kde/kunitconversion-5.108.0-x86_64-1.txz: Upgraded.
kde/kwallet-5.108.0-x86_64-1.txz: Upgraded.
kde/kwayland-5.108.0-x86_64-1.txz: Upgraded.
kde/kwidgetsaddons-5.108.0-x86_64-1.txz: Upgraded.
kde/kwindowsystem-5.108.0-x86_64-1.txz: Upgraded.
kde/kxmlgui-5.108.0-x86_64-1.txz: Upgraded.
kde/kxmlrpcclient-5.108.0-x86_64-1.txz: Upgraded.
kde/modemmanager-qt-5.108.0-x86_64-1.txz: Upgraded.
kde/networkmanager-qt-5.108.0-x86_64-1.txz: Upgraded.
kde/oxygen-icons5-5.108.0-noarch-1.txz: Upgraded.
kde/plasma-framework-5.108.0-x86_64-1.txz: Upgraded.
kde/prison-5.108.0-x86_64-1.txz: Upgraded.
kde/purpose-5.108.0-x86_64-1.txz: Upgraded.
kde/qqc2-desktop-style-5.108.0-x86_64-1.txz: Upgraded.
kde/solid-5.108.0-x86_64-1.txz: Upgraded.
kde/sonnet-5.108.0-x86_64-1.txz: Upgraded.
kde/syndication-5.108.0-x86_64-1.txz: Upgraded.
kde/syntax-highlighting-5.108.0-x86_64-1.txz: Upgraded.
kde/threadweaver-5.108.0-x86_64-1.txz: Upgraded.
xap/rxvt-unicode-9.26-x86_64-7.txz: Rebuilt.
Applied upstream patch to fix special character rendering when rxvt-unicode
is built against perl-5.38.0. Thanks to pghvlaans.
Diffstat (limited to 'source/a/cryptsetup/rc.luks')
-rw-r--r-- | source/a/cryptsetup/rc.luks | 158 |
1 files changed, 107 insertions, 51 deletions
diff --git a/source/a/cryptsetup/rc.luks b/source/a/cryptsetup/rc.luks
index 7125b6fed..9e85ceade 100644
--- a/source/a/cryptsetup/rc.luks
+++ b/source/a/cryptsetup/rc.luks
@@ -34,57 +34,113 @@
 # ignore it.
 #
 
-if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
- # First, check for device-mapper support.
- if ! grep -wq device-mapper /proc/devices ; then
- # If device-mapper exists as a module, try to load it.
- # Try to load a device-mapper kernel module:
- /sbin/modprobe -q dm-mod
- fi
- # NOTE: we only support LUKS formatted volumes (except for swap)!
- # The input for this loop comes from after the "done" below, so that we can
- # use fd3 and keep stdin functional for password entry or in case a keyscript
- # requires it:
- while read line <&3; do
- eval LUKSARRAY=( $line )
- LUKS="${LUKSARRAY[0]}"
- DEV="${LUKSARRAY[1]}"
- PASS="${LUKSARRAY[2]}"
- OPTS="${LUKSARRAY[3]}"
- KEYSCRIPT="$(echo $OPTS | sed -n 's/.*keyscript=\([^,]*\).*/\1/p')"
- LUKSOPTS=""
- if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi
- if echo $OPTS | grep -wq discard ; then LUKSOPTS="${LUKSOPTS} --allow-discards" ; fi
- # Skip LUKS volumes that were already unlocked (in the initrd):
- /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue
- if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
- if [ -z "${LUKSOPTS}" ]; then
- echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV':"
- else
- echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV' with options '${LUKSOPTS}':"
- fi
- if [ -x "${KEYSCRIPT}" ]; then
- # A password was outputted by a script
- ${KEYSCRIPT} "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
- echo
- elif [ -n "${PASS}" -a "${PASS}" != "none" ]; then
- if [ -f "${PASS}" ]; then
- # A password was given a key-file filename
- /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS
+luks_start() {
+ if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
+ # First, check for device-mapper support.
+ if ! grep -wq device-mapper /proc/devices ; then
+ # If device-mapper exists as a module, try to load it.
+ # Try to load a device-mapper kernel module:
+ /sbin/modprobe -q dm-mod
+ fi
+ # NOTE: we only support LUKS formatted volumes (except for swap)!
+ # The input for this loop comes from after the "done" below, so that we can
+ # use fd3 and keep stdin functional for password entry or in case a keyscript
+ # requires it:
+ while read line <&3; do
+ eval LUKSARRAY=( $line )
+ LUKS="${LUKSARRAY[0]}"
+ DEV="${LUKSARRAY[1]}"
+ PASS="${LUKSARRAY[2]}"
+ OPTS="${LUKSARRAY[3]}"
+ KEYSCRIPT="$(echo $OPTS | sed -n 's/.*keyscript=\([^,]*\).*/\1/p')"
+ LUKSOPTS=""
+ if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi
+ if echo $OPTS | grep -wq discard ; then LUKSOPTS="${LUKSOPTS} --allow-discards" ; fi
+ # Skip LUKS volumes that were already unlocked (in the initrd):
+ /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue
+ if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
+ if [ -z "${LUKSOPTS}" ]; then
+ echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV':"
 else
- # A password was provided in plain text
- echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
+ echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV' with options '${LUKSOPTS}':"
 fi
- else
- # No password was given, or a password of 'none' was given
- /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
+ if [ -x "${KEYSCRIPT}" ]; then
+ # A password was outputted by a script
+ ${KEYSCRIPT} "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
+ echo
+ elif [ -n "${PASS}" -a "${PASS}" != "none" ]; then
+ if [ -f "${PASS}" ]; then
+ # A password was given a key-file filename
+ /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS
+ else
+ # A password was provided in plain text
+ echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
+ fi
+ else
+ # No password was given, or a password of 'none' was given
+ /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
+ fi
+ elif echo $OPTS | grep -wq swap ; then
+ # If any of the volumes is to be used as encrypted swap,
+ # then encrypt it using a random key and run mkswap:
+ echo "Creating encrypted swap volume '${LUKS}' on device '$DEV':"
+ /sbin/cryptsetup --batch-mode --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV
+ mkswap /dev/mapper/$LUKS
 fi
- elif echo $OPTS | grep -wq swap ; then
- # If any of the volumes is to be used as encrypted swap,
- # then encrypt it using a random key and run mkswap:
- echo "Creating encrypted swap volume '${LUKS}' on device '$DEV':"
- /sbin/cryptsetup --batch-mode --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV
- mkswap /dev/mapper/$LUKS
- fi
- done 3< <(grep -vE '^(#|$)' /etc/crypttab)
-fi
+ done 3< <(grep -vE '^(#|$)' /etc/crypttab)
+ fi
+}
+
+luks_stop() {
+ # Close any volumes opened by cryptsetup:
+ if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
+ cat /etc/crypttab | grep -v "^#" | grep -v "^$" | while read line; do
+ # NOTE: we only support LUKS formatted volumes (except for swap)!
+ LUKS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f1 -d' ')
+ DEV=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f2 -d' ')
+ OPTS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f4 -d' ')
+ if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
+ echo "Locking LUKS crypt volume '${LUKS}':"
+ /sbin/cryptsetup luksClose ${LUKS}
+ elif echo $OPTS | grep -wq swap ; then
+ # If any of the volumes was used as encrypted swap,
+ # then run mkswap on the underlying device -
+ # in case other Linux installations on this computer should use it:
+ echo "Erasing encrypted swap '${LUKS}' and restoring normal swap on ${DEV}:"
+ /sbin/cryptsetup remove ${LUKS}
+ mkswap $DEV
+ fi
+ done
+ fi
+}
+
+luks_status() {
+ if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
+ RET=0
+ while read line; do
+ # NOTE: we only support LUKS formatted volumes (except for swap)!
+ LUKS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f1 -d' ')
+ cryptsetup status $LUKS | grep 'active'
+ STATUS="${PIPESTATUS[0]}"
+ if [ "$STATUS" != "0" ]; then
+ RET=1
+ fi
+ done < <(grep -vE '^(#|$)' /etc/crypttab)
+ return $RET
+ fi
+}
+
+case $1 in
+ 'start')
+ luks_start
+ ;;
+ 'stop')
+ luks_stop
+ ;;
+ 'status')
+ luks_status
+ ;;
+ *)
+ echo "Usage $0 start|stop|status"
+ ;;
+esac |
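Review bot: In luks_stop's swap branch, `mkswap $DEV` runs unconditionally after `/sbin/cryptsetup remove ${LUKS}`, so if the remove fails (mapping still busy, or never created by luks_start) the underlying device is reformatted anyway, and per the commit message rc.6 now runs this at shutdown; chain and quote the two commands, `/sbin/cryptsetup remove "${LUKS}" && mkswap "$DEV"`. That branch is reached whenever `cryptsetup isLuks $DEV` fails and the options field contains the word swap, so it would also help to confirm the mapping is active first, as luks_start does with `cryptsetup status`. Separately, luks_start parses each line with `eval LUKSARRAY=( $line )` while luks_stop and luks_status use `tr`/`cut`, so a quoted field is read differently on start and on stop, and the eval runs any command substitution present in /etc/crypttab as root; one shared parser that does not use eval would be safer. luks_status also calls `cryptsetup` through PATH although its guard tests `/sbin/cryptsetup`.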