diff options
Diffstat (limited to '')
-rw-r--r-- | source/a/cryptsetup/rc.luks | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/source/a/cryptsetup/rc.luks b/source/a/cryptsetup/rc.luks new file mode 100644 index 000000000..243244969 --- /dev/null +++ b/source/a/cryptsetup/rc.luks @@ -0,0 +1,90 @@ +#!/bin/bash +# Open any volumes created by cryptsetup. +# +# Some notes on /etc/crypttab in Slackware: +# Only LUKS formatted volumes are supported (except for swap) +# crypttab follows the following format: +# <luks_name> <device> <password> <options> +# +# <luks_name>: This is the name of your LUKS volume. +# For example: crypt-home +# +# <device>: This is the device containing your LUKS volume. +# For example: /dev/sda2 +# +# <password>: This is either the volume password in plain text, or the name of +# a key file. Use 'none' to interactively enter password on boot. +# +# <options>: Comma-separated list of options. Note that there must be a +# password field for any options to be picked up (use a password of 'none' to +# get a password prompt at boot). The following options are supported: +# +# discard -- this will cause --allow-discards to be passed to the cryptsetup +# program while opening the LUKS volume. +# +# ro -- this will cause --readonly to be passed to the cryptsetup program while +# opening the LUKS volume. +# +# swap -- this option cannot be used with other options. The device given will +# be formatted as a new encrypted volume with a random key on boot, and used as +# swap. +# +# keyscript=<path/to/script> -- get the password from the named script's stdout. +# The only parameter sent to script is the <password> field, but the script can +# ignore it. +# + +if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then + # First, check for device-mapper support. + if ! grep -wq device-mapper /proc/devices ; then + # If device-mapper exists as a module, try to load it. + # Try to load a device-mapper kernel module: + /sbin/modprobe -q dm-mod + fi + # NOTE: we only support LUKS formatted volumes (except for swap)! + # The input for this loop comes from after the "done" below, so that we can + # use fd3 and keep stdin functional for password entry or in case a keyscript + # requires it: + while read line <&3; do + eval LUKSARRAY=( $line ) + LUKS="${LUKSARRAY[0]}" + DEV="${LUKSARRAY[1]}" + PASS="${LUKSARRAY[2]}" + OPTS="${LUKSARRAY[3]}" + KEYSCRIPT="$(echo $OPTS | sed -n 's/.*keyscript=\([^,]*\).*/\1/p')" + LUKSOPTS="" + if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi + if echo $OPTS | grep -wq discard ; then LUKSOPTS="${LUKSOPTS} --allow-discards" ; fi + # Skip LUKS volumes that were already unlocked (in the initrd): + /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue + if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then + if [ -z "${LUKSOPTS}" ]; then + echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV':" + else + echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV' with options '${LUKSOPTS}':" + fi + if [ -x "${KEYSCRIPT}" ]; then + # A password was outputted by a script + ${KEYSCRIPT} "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS + echo + elif [ -n "${PASS}" -a "${PASS}" != "none" ]; then + if [ -f "${PASS}" ]; then + # A password was given a key-file filename + /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS + else + # A password was provided in plain text + echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS + fi + else + # No password was given, or a password of 'none' was given + /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS + fi + elif echo $OPTS | grep -wq swap ; then + # If any of the volumes is to be used as encrypted swap, + # then encrypt it using a random key and run mkswap: + echo "Creating encrypted swap volume '${LUKS}' on device '$DEV':" + /sbin/cryptsetup --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV + mkswap /dev/mapper/$LUKS + fi + done 3< <(grep -vE '^(#|$)' /etc/crypttab) +fi |