Diffstat (limited to 'functions')
-rw-r--r--functions73
1 files changed, 55 insertions, 18 deletions
diff --git a/functions b/functions
index d8fdb34..000cd60 100644
--- a/functions
+++ b/functions
@@ -382,21 +382,52 @@ activate_vgs() {
}
do_unlock() {
- local name=$1 device=$2 password=$3 options=$4
+ # $1 = requested name
+ # $2 = source device
+ # $3 = password
+ # $4 = options
+ stat_append "${1}.."
+ local open=create a=$1 b=$2 failed=0
+ # Ordering of options is different if you are using LUKS vs. not.
+ # Use ugly swizzling to deal with it.
+ # isLuks only gives an exit code but no output to stdout or stderr.
+ if cryptsetup isLuks "$2" 2>/dev/null; then
+ open=luksOpen
+ a=$2
+ b=$1
fi
case $3 in
SWAP)
- $password="/dev/urandom"
- $options+=",swap"
+ local _overwriteokay=0
+ if [[ -b $2 && -r $2 ]]; then
+ # This is DANGEROUS! If there is any known file system,
+ # partition table, RAID or LVM volume on the device
+ # we don't overwrite it.
+ #
+ # 'blkid' returns 2 if no valid signature has been found.
+ # Only in this case we should allow overwriting the device.
+ #
+ # This sanity check _should_ be sufficient, but it might not.
+ # This may cause dataloss if it is not used carefully.
+ blkid -p "$2" &>/dev/null
+ (( $? == 2 )) && _overwriteokay=1
+ fi
+ if (( _overwriteokay == 0 )); then
+ false
+ elif cryptsetup -d /dev/urandom $4 $open "$a" "$b" >/dev/null; then
+ stat_append "creating swapspace.."
+ mkswap -f -L $1 /dev/mapper/$1 >/dev/null
+ fi;;
ASK)
- $password="none"
+ printf "\nOpening '$1' volume:\n"
+ cryptsetup $4 $open "$a" "$b" < /dev/console;;
/dev*)
local ckdev=${3%%:*}
local cka=${3#*:}
local ckb=${cka#*:}
local cka=${cka%:*}
- local ckfile=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX)
- local ckdir=/run/initscripts-cryptsetup/drive
+ local ckfile=/dev/ckfile
+ local ckdir=/dev/ckdir
case ${cka} in
*[!0-9]*)
# Use a file on the device
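Review bot: In the SWAP branch a failed `cryptsetup` is reported as success: when the `elif cryptsetup -d /dev/urandom ...` condition is false and there is no `else`, the `if` compound returns 0, and that is what the `(( $? ))` check after `esac` (in the next hunk) reads, so `stat_append "ok "` runs and do_unlock returns 0. The `/dev*` branch in the next hunk has the same defect, because `$?` there is the status of `rm ${ckfile}` rather than of `cryptsetup -d ${ckfile}`. Adding `else false` before the `fi;;` here would fix the SWAP branch. In the `/dev*` branch, saving `local rc=$?` right after `cryptsetup` and ending the branch with `(( rc == 0 ));;` would let the final check see the real result. This matters to the caller as well, since read_crypttab sets `crypto_unlocked=1` on a zero return; do_unlock's body continues past this hunk.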
@@ -411,30 +442,36 @@ do_unlock() {
# cka is numeric: cka=offset, ckb=length
dd if=${ckdev} of=${ckfile} bs=1 skip=${cka} count=${ckb} >/dev/null 2>&1;;
esac
- $password="${ckfile}"
+ cryptsetup -d ${ckfile} $4 $open "$a" "$b" >/dev/null
+ dd if=/dev/urandom of=${ckfile} bs=1 count=$(stat -c %s ${ckfile}) conv=notrunc >/dev/null 2>&1
+ rm ${ckfile};;
/*)
+ cryptsetup -d "$3" $4 $open "$a" "$b" >/dev/null;;
*)
printf "${C_FAIL}crypttab contains a literal encryption key. This will stop working in the future.${C_OTHER}\n"
- $password=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX)
- echo "$3" > $password
+ echo "$3" | cryptsetup $4 $open "$a" "$b" >/dev/null;;
esac
- /usr/lib/systemd/systemd-cryptsetup $name $device $password $options &
+ if (( $? )); then
+ failed=1
+ stat_append "failed "
+ else
+ stat_append "ok "
+ fi
+ return $failed
}
read_crypttab() {
# $1 = function to call with the split out line from the crypttab
- local line nspo failed
- mkdir -p /run/initscripts-cryptsetup
+ local line nspo failed=0
while read line; do
[[ $line && $line != '#'* ]] || continue
eval nspo=("${line%#*}")
- $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}"
+ if $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}"; then
+ crypto_unlocked=1
+ else
+ failed=1
+ fi
done < /etc/crypttab
- systemd-tty-ask-password-agent --query --console
- failed=$?
- wait
- shred /run/initsrcipts-cryptsetup/key*
- rm -rf /run/initscripts-cryptsetup
return $failed
}
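Review bot: The key file used by `cryptsetup -d ${ckfile}` lives at a fixed, unquoted path: `ckfile=/dev/ckfile` (assigned in the previous hunk) replaces the removed `mktemp` call. `dd` therefore writes the key material to whatever already exists under that name, with whatever umask is in effect, and nothing visible here restricts it. I would keep a private, unpredictable file with `ckfile=$(mktemp /dev/ckfile-XXXXXX)`, which creates it mode 0600, and quote every use, e.g. `rm -- "${ckfile}"`. The overwrite line also silently does nothing useful if `stat -c %s` fails, since its errors go to `>/dev/null 2>&1`. A comment such as `# best-effort wipe of the temporary key copy before unlinking` would make that intent explicit.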