author | Tom Gundersen <teg@jklm.no> | 2012-06-28 01:55:40 +0200 |
committer | Tom Gundersen <teg@jklm.no> | 2012-06-28 01:55:40 +0200 |
commit | 6fe21269e5d54c52c168eac40225dca12a79c355 (patch) | |
tree | afb6038d42c5d475cdcc429b5a3aff053c9eb915 | |
parent | 9f365dbf216f3d7a504928fc64dcdb5941ad449b (diff) | |
download | initscripts-6fe21269e5d54c52c168eac40225dca12a79c355.tar.xz |
cryptsetup: use systemd-cryptsetup rather than rolling our own
WORK IN PROGRESS; COMPLETELY UNTESTED!
In addition to supporting whatever systemd supports, we also support
all our own ways of specifying passphrases.
We have to look into how our "options" support differs from systemd's
and what we want to do about that.
Signed-off-by: Tom Gundersen <teg@jklm.no>
-rw-r--r-- | functions | 73 |
1 files changed, 18 insertions, 55 deletions
@@ -382,52 +382,21 @@ activate_vgs() {
 }
 
 do_unlock() {
- # $1 = requested name
- # $2 = source device
- # $3 = password
- # $4 = options
- stat_append "${1}.."
- local open=create a=$1 b=$2 failed=0
- # Ordering of options is different if you are using LUKS vs. not.
- # Use ugly swizzling to deal with it.
- # isLuks only gives an exit code but no output to stdout or stderr.
- if cryptsetup isLuks "$2" 2>/dev/null; then
- open=luksOpen
- a=$2
- b=$1
+ local name=$1 device=$2 password=$3 options=$4
 fi
 case $3 in
 SWAP)
- local _overwriteokay=0
- if [[ -b $2 && -r $2 ]]; then
- # This is DANGEROUS! If there is any known file system,
- # partition table, RAID or LVM volume on the device
- # we don't overwrite it.
- #
- # 'blkid' returns 2 if no valid signature has been found.
- # Only in this case we should allow overwriting the device.
- #
- # This sanity check _should_ be sufficient, but it might not.
- # This may cause dataloss if it is not used carefully.
- blkid -p "$2" &>/dev/null
- (( $? == 2 )) && _overwriteokay=1
- fi
- if (( _overwriteokay == 0 )); then
- false
- elif cryptsetup -d /dev/urandom $4 $open "$a" "$b" >/dev/null; then
- stat_append "creating swapspace.."
- mkswap -f -L $1 /dev/mapper/$1 >/dev/null
- fi;;
+ $password="/dev/urandom"
+ $options+=",swap"
 ASK)
- printf "\nOpening '$1' volume:\n"
- cryptsetup $4 $open "$a" "$b" < /dev/console;;
+ $password="none"
 /dev*)
 local ckdev=${3%%:*}
 local cka=${3#*:}
 local ckb=${cka#*:}
 local cka=${cka%:*}
- local ckfile=/dev/ckfile
- local ckdir=/dev/ckdir
+ local ckfile=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX)
+ local ckdir=/run/initscripts-cryptsetup/drive
 case ${cka} in
 *[!0-9]*)
 # Use a file on the device
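Review bot: The `if cryptsetup isLuks "$2" 2>/dev/null; then` line and its body are removed, but the matching `fi` survives as a context line directly after the added `local name=$1 device=$2 password=$3 options=$4`, so do_unlock no longer parses (unmatched `fi`); that line has to go as well. The new SWAP and ASK arms write `$password="/dev/urandom"`, `$options+=",swap"` and `$password="none"` — with the leading `$` bash expands the variable and tries to run the result as a command rather than assigning — so these should read `password=/dev/urandom`, `options+=",swap"` and `password=none`; the same pattern recurs in the next hunk. In the `/dev*` arm, `local ckfile=$(mktemp ...)` hides mktemp's exit status behind `local`, so a failed mktemp leaves ckfile empty and the later `dd of=${ckfile}` (next hunk) runs against an empty path; split it into `local ckfile; ckfile=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX) || return 1`. The removed blkid signature check that protected a SWAP device from being overwritten is not replaced by anything visible in this hunk; if the intent is to rely on systemd-cryptsetup for that protection, a one-line comment saying so would help the next reader, and do_unlock's body continues in the following hunk.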
@@ -442,36 +411,30 @@ do_unlock() {
 # cka is numeric: cka=offset, ckb=length
 dd if=${ckdev} of=${ckfile} bs=1 skip=${cka} count=${ckb} >/dev/null 2>&1;;
 esac
- cryptsetup -d ${ckfile} $4 $open "$a" "$b" >/dev/null
- dd if=/dev/urandom of=${ckfile} bs=1 count=$(stat -c %s ${ckfile}) conv=notrunc >/dev/null 2>&1
- rm ${ckfile};;
+ $password="${ckfile}"
 /*)
- cryptsetup -d "$3" $4 $open "$a" "$b" >/dev/null;;
 *)
 printf "${C_FAIL}crypttab contains a literal encryption key. This will stop working in the future.${C_OTHER}\n"
- echo "$3" | cryptsetup $4 $open "$a" "$b" >/dev/null;;
+ $password=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX)
+ echo "$3" > $password
 esac
- if (( $? )); then
- failed=1
- stat_append "failed "
- else
- stat_append "ok "
- fi
- return $failed
+ /usr/lib/systemd/systemd-cryptsetup $name $device $password $options &
 }
 
 read_crypttab() {
 # $1 = function to call with the split out line from the crypttab
- local line nspo failed=0
+ local line nspo failed
+ mkdir -p /run/initscripts-cryptsetup
 while read line; do
 [[ $line && $line != '#'* ]] || continue
 eval nspo=("${line%#*}")
- if $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}"; then
- crypto_unlocked=1
- else
- failed=1
- fi
+ $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}"
 done < /etc/crypttab
+ systemd-tty-ask-password-agent --query --console
+ failed=$?
+ wait
+ shred /run/initsrcipts-cryptsetup/key*
+ rm -rf /run/initscripts-cryptsetup
 return $failed
 }
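Review bot: `shred /run/initsrcipts-cryptsetup/key*` misspells the directory name (initsrcipts), so the glob never matches and the key files created under /run/initscripts-cryptsetup — the slices `dd` copies out of a key device and the literal keys written by `echo "$3" > $password` — are removed by the following `rm -rf` without ever being shredded; the line should read `shred /run/initscripts-cryptsetup/key*`. `failed=$?` records the exit status of systemd-tty-ask-password-agent, and a bare `wait` returns 0 whatever the backgrounded systemd-cryptsetup jobs returned, so read_crypttab now fails only when the agent fails, and the `crypto_unlocked=1` that the removed branch set is no longer set anywhere in this hunk — if code elsewhere in the file still reads it, that is a regression. Collecting the job PIDs (for example appending `$!` to an array after the `&` in do_unlock and then doing `wait "$pid" || failed=1` for each) would restore the per-volume status the old code reported. `$password="${ckfile}"` and `$password=$(mktemp ...)` have the same `$`-prefixed non-assignment problem as the previous hunk, and `echo "$3" > $password` leaves the target unquoted and appends a newline that the old `echo "$3" | cryptsetup` form may or may not have treated as part of the key, so `printf '%s' "$3" > "$password"` is the safer spelling once the assignment is fixed.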