Diffstat (limited to 'source/a/cryptsetup')
-rwxr-xr-x | source/a/cryptsetup/cryptsetup.SlackBuild | 34 | ||||
-rw-r--r-- | source/a/cryptsetup/crypttab.5 | 83 | ||||
-rw-r--r-- | source/a/cryptsetup/rc.luks | 158 |
3 files changed, 209 insertions, 66 deletions
diff --git a/source/a/cryptsetup/cryptsetup.SlackBuild b/source/a/cryptsetup/cryptsetup.SlackBuild index fea2faf99..827aa8025 100755 --- a/source/a/cryptsetup/cryptsetup.SlackBuild +++ b/source/a/cryptsetup/cryptsetup.SlackBuild @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=cryptsetup VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-2} +BUILD=${BUILD:-3} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -146,20 +146,24 @@ if [ -r ChangeLog ]; then touch -r ChangeLog $DOCSDIR/ChangeLog fi -# Compress and link manpages, if any: -if [ -d $PKG/usr/man ]; then - ( cd $PKG/usr/man - for manpagedir in $(find . -type d -name "man*") ; do - ( cd $manpagedir - for eachpage in $( find . -type l -maxdepth 1) ; do - ln -s $( readlink $eachpage ).gz $eachpage.gz - rm $eachpage - done - gzip -9 *.? - ) - done - ) -fi +# Copy Slackware's crypttab manpage to package: +mkdir -p $PKG/usr/man/man5 +cp -a $CWD/crypttab.5 $PKG/usr/man/man5/ +chown root:root $PKG/usr/man/man5/crypttab.5 +chmod 644 $PKG/usr/man/man5/crypttab.5 + +# Compress and link the manpages: +( cd $PKG/usr/man + for manpagedir in $(find . -type d -name "man*") ; do + ( cd $manpagedir + for eachpage in $( find . -type l -maxdepth 1) ; do + ln -s $( readlink $eachpage ).gz $eachpage.gz + rm $eachpage + done + gzip -9 *.? + ) + done +) find $PKG | xargs file | grep -e "executable" -e "shared object" \ | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null diff --git a/source/a/cryptsetup/crypttab.5 b/source/a/cryptsetup/crypttab.5 new file mode 100644 index 000000000..bc4b95563 --- /dev/null +++ b/source/a/cryptsetup/crypttab.5 
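Review bot: In the manpage-compression loop, `find . -type l -maxdepth 1` places the global option `-maxdepth` after the `-type` test, which GNU find accepts but reports with a "global options are not positional" warning on stderr on every build; reorder it to `for eachpage in $( find . -maxdepth 1 -type l ) ; do`. The loop also relies on word-splitting the unquoted `$(find ...)` output, which is harmless for the `man*` directory names it iterates here but worth a short comment so the next reader does not "fix" it by quoting and break the loop. Dropping the old `if [ -d $PKG/usr/man ]` guard is consistent with the `mkdir -p $PKG/usr/man/man5` added above it, so that part needs no change.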
@@ -0,0 +1,83 @@ +.\" -*- nroff -*- +.ds g \" empty +.ds G \" empty +.\" Like TP, but if specified indent is more than half +.\" the current line-length - indent, use the default indent. +.de Tp +.ie \\n(.$=0:((0\\$1)*2u>(\\n(.lu-\\n(.iu)) .TP +.el .TP "\\$1" +.. +.TH CRYPTTAB 5 "28 Jun 2023" "Slackware Version 15.1" +.SH NAME +crypttab \- static information about LUKS volumes +.SH SYNOPSIS +.B /etc/crypttab +.SH DESCRIPTION +The file +.B crypttab +contains the information needed to open any volumes created by cryptsetup. +Although many distributions have a +.B crypttab +with similar syntax and options, the format described here is specific to +Slackware. + +Each volume to be opened is described on a separate line. Fields on each +line are separated by tabs or spaces. Lines starting with '#' are comments. +Blank lines are ignored. + +.B crypttab +follows the following format: + +.in +4 +<luks_name> <device> <password> <options> +.in +.SS The first field (luks_name) +This is the name of your LUKS volume. +For example: crypt-home +.SS The second field (device) +This is the device containing your LUKS volume. +For example: /dev/sda2 +.SS The third field (password) +This is either the volume password in plain text, or the name of a key +file. Use +.B none +to interactively enter password on boot. +.SS The fourth field (options) +Comma-separated list of options. Note that there must be a password field +for any options to be picked up (use a password of +.B none +to get a password prompt at boot). The following options are supported: +.sp +.B discard +.RS 4 +This will cause --allow-discards to be passed to cryptsetup program while +opening the LUKS volume. +.RE +.sp +.B ro +.RS 4 +This will cause --readonly to be passed to the cryptsetup program while +opening the LUKS volume. +.RE +.sp +.B swap +.RS 4 +This option cannot be used with other options. The device given will be +formatted as a new encrypted volume with a random key on boot, and used as +swap. 
+.RE +.sp +.B keyscript=<path/to/script> +.RS 4 +Get the password from named script's stdout. The only parameter sent to script +is the <password> field, but the script can ignore it. +.SH FILES +.sp +\fI/etc/crypttab\fP +.SH NOTES +.sp +Only LUKS formatted volumes are supported (except for swap). +.SH AUTHOR +Piter Punk <piterpunk@slackware.com> +.SH "SEE ALSO" +.BR cryptsetup(8) diff --git a/source/a/cryptsetup/rc.luks b/source/a/cryptsetup/rc.luks index 7125b6fed..9e85ceade 100644 --- a/source/a/cryptsetup/rc.luks +++ b/source/a/cryptsetup/rc.luks 
@@ -34,57 +34,113 @@ # ignore it. # -if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then - # First, check for device-mapper support. - if ! grep -wq device-mapper /proc/devices ; then - # If device-mapper exists as a module, try to load it. - # Try to load a device-mapper kernel module: - /sbin/modprobe -q dm-mod - fi - # NOTE: we only support LUKS formatted volumes (except for swap)! - # The input for this loop comes from after the "done" below, so that we can - # use fd3 and keep stdin functional for password entry or in case a keyscript - # requires it: - while read line <&3; do - eval LUKSARRAY=( $line ) - LUKS="${LUKSARRAY[0]}" - DEV="${LUKSARRAY[1]}" - PASS="${LUKSARRAY[2]}" - OPTS="${LUKSARRAY[3]}" - KEYSCRIPT="$(echo $OPTS | sed -n 's/.*keyscript=\([^,]*\).*/\1/p')" - LUKSOPTS="" - if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi - if echo $OPTS | grep -wq discard ; then LUKSOPTS="${LUKSOPTS} --allow-discards" ; fi - # Skip LUKS volumes that were already unlocked (in the initrd): - /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue - if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then - if [ -z "${LUKSOPTS}" ]; then - echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV':" - else - echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV' with options '${LUKSOPTS}':" - fi - if [ -x "${KEYSCRIPT}" ]; then - # A password was outputted by a script - ${KEYSCRIPT} "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS - echo - elif [ -n "${PASS}" -a "${PASS}" != "none" ]; then - if [ -f "${PASS}" ]; then - # A password was given a key-file filename - /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS +luks_start() { + if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then + # First, check for device-mapper support. + if ! grep -wq device-mapper /proc/devices ; then + # If device-mapper exists as a module, try to load it. 
+ # Try to load a device-mapper kernel module: + /sbin/modprobe -q dm-mod + fi + # NOTE: we only support LUKS formatted volumes (except for swap)! + # The input for this loop comes from after the "done" below, so that we can + # use fd3 and keep stdin functional for password entry or in case a keyscript + # requires it: + while read line <&3; do + eval LUKSARRAY=( $line ) + LUKS="${LUKSARRAY[0]}" + DEV="${LUKSARRAY[1]}" + PASS="${LUKSARRAY[2]}" + OPTS="${LUKSARRAY[3]}" + KEYSCRIPT="$(echo $OPTS | sed -n 's/.*keyscript=\([^,]*\).*/\1/p')" + LUKSOPTS="" + if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi + if echo $OPTS | grep -wq discard ; then LUKSOPTS="${LUKSOPTS} --allow-discards" ; fi + # Skip LUKS volumes that were already unlocked (in the initrd): + /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue + if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then + if [ -z "${LUKSOPTS}" ]; then + echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV':" else - # A password was provided in plain text - echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS + echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV' with options '${LUKSOPTS}':" fi - else - # No password was given, or a password of 'none' was given - /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS + if [ -x "${KEYSCRIPT}" ]; then + # A password was outputted by a script + ${KEYSCRIPT} "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS + echo + elif [ -n "${PASS}" -a "${PASS}" != "none" ]; then + if [ -f "${PASS}" ]; then + # A password was given a key-file filename + /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS + else + # A password was provided in plain text + echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS + fi + else + # No password was given, or a password of 'none' was given + /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS + fi + elif echo $OPTS | grep -wq swap ; 
then + # If any of the volumes is to be used as encrypted swap, + # then encrypt it using a random key and run mkswap: + echo "Creating encrypted swap volume '${LUKS}' on device '$DEV':" + /sbin/cryptsetup --batch-mode --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV + mkswap /dev/mapper/$LUKS fi - elif echo $OPTS | grep -wq swap ; then - # If any of the volumes is to be used as encrypted swap, - # then encrypt it using a random key and run mkswap: - echo "Creating encrypted swap volume '${LUKS}' on device '$DEV':" - /sbin/cryptsetup --batch-mode --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV - mkswap /dev/mapper/$LUKS - fi - done 3< <(grep -vE '^(#|$)' /etc/crypttab) -fi + done 3< <(grep -vE '^(#|$)' /etc/crypttab) + fi +} + +luks_stop() { + # Close any volumes opened by cryptsetup: + if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then + cat /etc/crypttab | grep -v "^#" | grep -v "^$" | while read line; do + # NOTE: we only support LUKS formatted volumes (except for swap)! + LUKS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f1 -d' ') + DEV=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f2 -d' ') + OPTS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f4 -d' ') + if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then + echo "Locking LUKS crypt volume '${LUKS}':" + /sbin/cryptsetup luksClose ${LUKS} + elif echo $OPTS | grep -wq swap ; then + # If any of the volumes was used as encrypted swap, + # then run mkswap on the underlying device - + # in case other Linux installations on this computer should use it: + echo "Erasing encrypted swap '${LUKS}' and restoring normal swap on ${DEV}:" + /sbin/cryptsetup remove ${LUKS} + mkswap $DEV + fi + done + fi +} + +luks_status() { + if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then + RET=0 + while read line; do + # NOTE: we only support LUKS formatted volumes (except for swap)! 
+ LUKS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f1 -d' ') + cryptsetup status $LUKS | grep 'active' + STATUS="${PIPESTATUS[0]}" + if [ "$STATUS" != "0" ]; then + RET=1 + fi + done < <(grep -vE '^(#|$)' /etc/crypttab) + return $RET + fi +} + +case $1 in + 'start') + luks_start + ;; + 'stop') + luks_stop + ;; + 'status') + luks_status + ;; + *) + echo "Usage $0 start|stop|status" + ;; +esac |
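Review bot: luks_stop and luks_status extract fields with `echo $line | tr ... | cut`, and because `$line` is unquoted the shell glob-expands it first, so a plain-text password containing `*` or `?` can turn into file names and shift the option field; luks_start's `eval LUKSARRAY=( $line )` has the stronger problem that shell metacharacters in that field are interpreted rather than treated as data. For the four-field format the crypttab.5 in this commit describes, `while read -r LUKS DEV PASS OPTS; do` (and `while read -r LUKS DEV PASS OPTS <&3; do` in luks_start) reads the fields directly, removes the per-line subprocesses, and makes the `LUKS=$(echo $line ...)` lines unnecessary. Until that changes, the new man page should say the plain-text password field must not contain shell metacharacters, since it currently describes the field only as "the volume password in plain text". Separately, luks_status invokes bare `cryptsetup` while every other call in the file uses `/sbin/cryptsetup`, so it depends on PATH in a way the rest of the rc script does not, and the usage message in the `*)` arm goes to stdout with exit status 0 where `>&2` and `exit 1` would be conventional.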