author Eric Hameleers <alien@slackware.com> 2016-01-22 15:15:17 +0100
committer Eric Hameleers <alien@slackware.com> 2016-01-22 15:15:17 +0100
commit c4e4112bdc8aa5fe92d797ab77744d3bcd70caf9 (patch)
tree 0ec836a54d4cf7eca147b887632e2583aad2680b /liveinit
parent 1f94ea9542d4c54340e8b138d32c16f5c02a764e (diff)
download liveslak-c4e4112bdc8aa5fe92d797ab77744d3bcd70caf9.tar.gz
liveslak-c4e4112bdc8aa5fe92d797ab77744d3bcd70caf9.tar.xz
Add support for a LUKS-encrypted /home in the USB Live version.
Using iso2usb.sh script's new '-c' parameter, you can define the size for a container file in the root of the USB stick's Linux partition.
- The container file will be loop-mounted and LUKS-encrypted and the Live OS will mount the filesystem inside the container on /home/.
- The LUKS passphrase will be defined when executing the 'iso2usb.sh' script.
- The original /home content of the ISO will be copied into the LUKS-encrypted container during execution of the 'iso2usb.sh' script.
- If for whatever reason you do not want to unlock & mount the LUKS container during boot, you must add the boot parameter " luksvol= " to the syslinux or grub commandline.
Diffstat (limited to 'liveinit')
-rwxr-xr-x liveinit 56
1 files changed, 56 insertions, 0 deletions
diff --git a/liveinit b/liveinit
index 6912d16..935495a 100755
--- a/liveinit
+++ b/liveinit
@@ -50,6 +50,7 @@ DEBUG=0
INITRD=$(cat /initrd-name)
WAIT=$(cat /wait-for-root)
KEYMAP=$(cat /keymap)
+LUKSVOL=$(cat /luksdev)
INIT=/sbin/init
PATH="/sbin:/bin:/usr/sbin:/usr/bin"
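Review bot: `LUKSVOL=$(cat /luksdev)` reads its default from a file called /luksdev while the variable and the boot parameter are both named luksvol; a short comment stating where /luksdev comes from (the commit message implies iso2usb.sh writes it into the initrd) would save the next reader a search. If that file can be absent on a plain ISO boot, `cat` prints an error on the console and leaves LUKSVOL empty; the later `[ ! -z "$LUKSVOL" ]` test copes with the empty value, but `LUKSVOL=$(cat /luksdev 2>/dev/null)` would also keep the boot console clean.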
@@ -100,6 +101,10 @@ for ARG in $(cat /proc/cmdline); do
locale=*)
LOCALE=$(echo $ARG | cut -f2 -d=)
;;
+ luksvol=*)
+ # Format: luksvol=file1[:/mountpoint1][,file1[:/mountpoint2],...]
+ LUKSVOL=$(echo $ARG | cut -f2 -d=)
+ ;;
noload=*)
NOLOAD=$(echo $ARG | cut -f2 -d=)
;;
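Review bot: the format comment on the `luksvol=*)` case has a typo: the second element should read `file2[:/mountpoint2]`, not `file1`, since each comma-separated entry names a different container file. It is also worth a one-line comment that an empty value (`luksvol=`, which the commit message recommends for skipping the unlock) intentionally clears LUKSVOL, because `cut -f2 -d=` then yields an empty string and the whole LUKS block is skipped; without that note the override looks accidental.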
@@ -482,6 +487,57 @@ EOPW
# Copy contents of rootcopy directory (may be empty) to overlay:
cp -af /mnt/media/${LIVEMAIN}/rootcopy/* /mnt/overlay/ 2>/dev/null
+ # Bind any LUKS container into the Live filesystem:
+ if [ ! -z "$LUKSVOL" ]; then
+ # Even without persistence, we need to be able to write to the partition:
+ mount -o remount,rw /mnt/media
+ for luksvol in $(echo $LUKSVOL |tr ',' ' '); do
+ luksfil="$(echo $luksvol |cut -d: -f1)"
+ luksmnt="$(echo $luksvol |cut -d: -f2)"
+ luksnam="$(echo $(basename $luksfil) |tr '.' '_')"
+ if [ "$luksmnt" = "$luksfil" ]; then
+ # No optional mount point specified, so we use the default: /home/
+ luksmnt="/home"
+ fi
+
+ # The losetup of busybox is different from the real losetup - watch out!
+ lodev=$(losetup -f)
+ if [ -z "$lodev" ]; then
+ # We exhausted the available loop devices, so create the block device:
+ for NOD in $(seq 0 64); do
+ if [ ! -b /dev/loop${NOD} ]; then
+ mknod -m660 /dev/loop${NOD} b 7 ${NOD}
+ break
+ fi
+ done
+ lodev=/dev/loop${NOD}
+ elif [ ! -b $lodev ]; then
+ # We exhausted the available loop devices, so create the block device:
+ mknod -m660 $lodev b 7 $(echo $lodev |sed %/dev/loop%%)
+ fi
+ losetup $lodev /mnt/media/$luksfil
+ echo "Unlocking LUKS encrypted container '$luksfil' at mount point '$luksmnt'"
+ cryptsetup luksOpen $lodev $luksnam </dev/tty0 >/dev/tty0 2>&1
+ if [ $? -ne 0 ]; then
+ echo "${INITRD}: Failed to unlock LUKS container '$luksfil'... trouble ahead."
+ fi
+
+ # Create the directory if it does not exist (unlikely):
+ mkdir -p /mnt/overlay/$luksmnt
+
+ # Let Slackware mount the unlocked container:
+ luksfs=$(blkid /dev/mapper/$luksnam |rev |cut -d'"' -f2 |rev)
+ if ! grep -q /dev/mapper/$luksnam /mnt/overlay/etc/fstab ; then
+ echo "/dev/mapper/$luksnam $luksmnt $luksfs defaults 1 1" >> /mnt/overlay/etc/fstab
+ fi
+ # On shutdown, ensure that the container gets locked again:
+ if ! grep -q "$luksnam $luksmnt" /mnt/overlay/etc/crypttab ; then
+ echo "$luksnam $luksmnt" >> /mnt/overlay/etc/crypttab
+ fi
+
+ done
+ fi
+
# --------------------------------------------------------------------- #
# SLACKWARE LIVE - !END! #
# --------------------------------------------------------------------- #
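Review bot: a failed `cryptsetup luksOpen` only prints "trouble ahead" and then falls through: `blkid /dev/mapper/$luksnam` finds nothing, so `luksfs` is empty and an fstab line with a missing filesystem type and `1 1` (fsck at boot) is still appended for a mapper device that does not exist, which is likely to stall the boot rather than merely leave /home unmounted. Add `continue` (or guard the fstab and crypttab writes) when luksOpen fails, and do the same for `losetup $lodev /mnt/media/$luksfil`, whose exit status is never checked and which fails if the container file is missing. Separately, `sed %/dev/loop%%` lacks the `s` command and should be `sed 's%/dev/loop%%'`; as written sed rejects the expression and `mknod` receives an empty minor number in the `elif` branch. Lastly, the second field of /etc/crypttab conventionally names the backing device, not the mount point, so writing `$luksmnt` there is harmless only as long as nothing but the shutdown luksClose ever parses that file.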