authorTom Gundersen <teg@jklm.no>2012-06-28 01:55:40 +0200
committerTom Gundersen <teg@jklm.no>2012-06-28 01:55:40 +0200
commit6fe21269e5d54c52c168eac40225dca12a79c355 (patch)
treeafb6038d42c5d475cdcc429b5a3aff053c9eb915
parent9f365dbf216f3d7a504928fc64dcdb5941ad449b (diff)
downloadinitscripts-6fe21269e5d54c52c168eac40225dca12a79c355.tar.xz
cryptsetup: use systemd-cryptsetup rather than rolling our own
WORK IN PROGRESS; COMPLETELY UNTESTED! In addition to supporting whatever systemd supports, we also support all our own ways of specifying passphrases. We have to look into how our "options" support differs from systemd's and what we want to do about that. Signed-off-by: Tom Gundersen <teg@jklm.no>
-rw-r--r--functions73
1 files changed, 18 insertions, 55 deletions
diff --git a/functions b/functions
index 000cd60..d8fdb34 100644
--- a/functions
+++ b/functions
@@ -382,52 +382,21 @@ activate_vgs() {
}
do_unlock() {
- # $1 = requested name
- # $2 = source device
- # $3 = password
- # $4 = options
- stat_append "${1}.."
- local open=create a=$1 b=$2 failed=0
- # Ordering of options is different if you are using LUKS vs. not.
- # Use ugly swizzling to deal with it.
- # isLuks only gives an exit code but no output to stdout or stderr.
- if cryptsetup isLuks "$2" 2>/dev/null; then
- open=luksOpen
- a=$2
- b=$1
+ local name=$1 device=$2 password=$3 options=$4
fi
case $3 in
SWAP)
- local _overwriteokay=0
- if [[ -b $2 && -r $2 ]]; then
- # This is DANGEROUS! If there is any known file system,
- # partition table, RAID or LVM volume on the device
- # we don't overwrite it.
- #
- # 'blkid' returns 2 if no valid signature has been found.
- # Only in this case we should allow overwriting the device.
- #
- # This sanity check _should_ be sufficient, but it might not.
- # This may cause dataloss if it is not used carefully.
- blkid -p "$2" &>/dev/null
- (( $? == 2 )) && _overwriteokay=1
- fi
- if (( _overwriteokay == 0 )); then
- false
- elif cryptsetup -d /dev/urandom $4 $open "$a" "$b" >/dev/null; then
- stat_append "creating swapspace.."
- mkswap -f -L $1 /dev/mapper/$1 >/dev/null
- fi;;
+ $password="/dev/urandom"
+ $options+=",swap"
ASK)
- printf "\nOpening '$1' volume:\n"
- cryptsetup $4 $open "$a" "$b" < /dev/console;;
+ $password="none"
/dev*)
local ckdev=${3%%:*}
local cka=${3#*:}
local ckb=${cka#*:}
local cka=${cka%:*}
- local ckfile=/dev/ckfile
- local ckdir=/dev/ckdir
+ local ckfile=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX)
+ local ckdir=/run/initscripts-cryptsetup/drive
case ${cka} in
*[!0-9]*)
# Use a file on the device
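Review bot: The `fi` kept as context right after the new `local name=$1 device=$2 password=$3 options=$4` line has no matching `if` once the `cryptsetup isLuks` block is removed, so `do_unlock` will not parse; it has to go. The new arm bodies also assign with a leading `$` (`$password="/dev/urandom"`, `$options+=",swap"`, `$password="none"`, and likewise `$password="${ckfile}"` and `$password=$(mktemp …)` in the second hunk), which expands the still-empty variable and then tries to run `="/dev/urandom"` as a command rather than assigning; a shell assignment takes the bare name. The `SWAP)` and `ASK)` arms (and `/dev*)` plus the now-empty `/*)` arm in the second hunk) lost their `;;` terminators together with the removed lines, so the arms run into each other or fail to parse, and `options+=",swap"` yields a leading comma whenever `$options` is empty, which the consumer may reject — worth confirming. `local ckfile=$(mktemp …)` hides a mktemp failure behind `local`'s own exit status and leaves `ckfile` empty for the following `dd`; split declaration from assignment and bail out on failure. The remainder of the `/dev*)` arm and the function's tail are in the second hunk.
```shell
do_unlock() {
  local name=$1 device=$2 password=$3 options=$4
  case $3 in
    SWAP)
      password=/dev/urandom
      options=${options:+$options,}swap
      ;;
    ASK)
      password=none
      ;;
    /dev*)
      # … unchanged: ckdev/cka/ckb parsing …
      local ckfile ckdir=/run/initscripts-cryptsetup/drive
      ckfile=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX) || return 1
      # … unchanged: case ${cka} key extraction (continues in next hunk) …
```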
@@ -442,36 +411,30 @@ do_unlock() {
# cka is numeric: cka=offset, ckb=length
dd if=${ckdev} of=${ckfile} bs=1 skip=${cka} count=${ckb} >/dev/null 2>&1;;
esac
- cryptsetup -d ${ckfile} $4 $open "$a" "$b" >/dev/null
- dd if=/dev/urandom of=${ckfile} bs=1 count=$(stat -c %s ${ckfile}) conv=notrunc >/dev/null 2>&1
- rm ${ckfile};;
+ $password="${ckfile}"
/*)
- cryptsetup -d "$3" $4 $open "$a" "$b" >/dev/null;;
*)
printf "${C_FAIL}crypttab contains a literal encryption key. This will stop working in the future.${C_OTHER}\n"
- echo "$3" | cryptsetup $4 $open "$a" "$b" >/dev/null;;
+ $password=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX)
+ echo "$3" > $password
esac
- if (( $? )); then
- failed=1
- stat_append "failed "
- else
- stat_append "ok "
- fi
- return $failed
+ /usr/lib/systemd/systemd-cryptsetup $name $device $password $options &
}
read_crypttab() {
# $1 = function to call with the split out line from the crypttab
- local line nspo failed=0
+ local line nspo failed
+ mkdir -p /run/initscripts-cryptsetup
while read line; do
[[ $line && $line != '#'* ]] || continue
eval nspo=("${line%#*}")
- if $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}"; then
- crypto_unlocked=1
- else
- failed=1
- fi
+ $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}"
done < /etc/crypttab
+ systemd-tty-ask-password-agent --query --console
+ failed=$?
+ wait
+ shred /run/initsrcipts-cryptsetup/key*
+ rm -rf /run/initscripts-cryptsetup
return $failed
}
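Review bot: `shred /run/initsrcipts-cryptsetup/key*` misspells the directory (`initsrcipts`), so the key files `do_unlock` wrote are never overwritten and the following `rm -rf` merely unlinks them; the unmatched glob is also handed to shred as a literal name, which errors. `failed=$?` records the exit status of `systemd-tty-ask-password-agent`, and the bare `wait` always returns 0, so a `systemd-cryptsetup` job that fails in the background is never reported by `read_crypttab` (the old `crypto_unlocked=1` signal is gone as well — check whether callers outside this hunk still read it). The key files hold secret material, so the directory should be created with `mkdir -m 0700 -p`, the literal-key arm should write with `printf '%s' "$3" > "$password"` (quoted, and without the newline `echo` appends — confirm whether systemd-cryptsetup treats a trailing newline as part of the key), and `$name $device $password $options` in the `systemd-cryptsetup` call should be quoted; as far as I can tell that binary also expects an `attach` verb before the volume name. The `case` arms in this hunk share the `$password=` assignment and missing `;;` problems noted on the first hunk.
```shell
read_crypttab() {
  # $1 = function to call with the split out line from the crypttab
  local line nspo failed=0 pid f
  mkdir -m 0700 -p /run/initscripts-cryptsetup
  # … unchanged: crypttab read loop …
  systemd-tty-ask-password-agent --query --console
  # each do_unlock left one systemd-cryptsetup job in the background;
  # collect every job's status rather than the agent's
  for pid in $(jobs -p); do
    wait "$pid" || failed=1
  done
  for f in /run/initscripts-cryptsetup/key-*; do
    [[ -e $f ]] && shred -u -- "$f"
  done
  rm -rf /run/initscripts-cryptsetup
  return $failed
}
```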