-
Notifications
You must be signed in to change notification settings - Fork 0
/
crypttabcopy
159 lines (118 loc) · 5.51 KB
/
crypttabcopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
#!/bin/sh
#set -e
PREREQ=""
prereqs () {
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
echo "DESTDIR=\"${DESTDIR}\""
#echo "Type 'p' to pause."
#read -t 5 -n 1 -r choice # not working in bash, only in BusyBox
#if [ "${choice}" = p ]; then
# echo "Press Enter to continue."
# read nothing
#fi
# Normally the update-initramfs scripts should write the crypttab.
# Below in the script we check if the ${DESTDIR}/cryptroot/crypttab is there
# and autogenerate it if needed. This cp command was a temporary fix.
# cp /etc/crypttab "${DESTDIR}/cryptroot/crypttab"
cp /etc/crypttab "${DESTDIR}/cryptroot/crypttab.from.etc"
mkdir "${DESTDIR}/mykeys"
# It's not a good idea to copy your key into the initrd.img file.
# The Grub LUKS opening is slow due to inefficient implementation.
# Also, you may accidentally write the initrd.img on an unencrypted partition.
# cp /etc/mykeys/key.txt "${DESTDIR}/mykeys/key.txt"
crypttab_key_source="/etc/crypttab.initrdlukskeychain.key"
# ************** beginning of the crypttab generator ***************
# root_uuid=$(awk '$2 == "/" {print $1}' /proc/mounts | xargs blkid -s UUID -o value)
root_uuid=$(blkid -s UUID -o value "$(awk '$2 == "/" {print $1}' /proc/mounts)")
matching_dev_mapper_devices=$(blkid | awk -v uuid="$root_uuid" '$0 ~ "UUID=\""uuid "\"" {gsub(":", "", $1); print $1}')
crypttab_file_example=""
crypttab_file_example_key=""
for dev_mapper_device in $matching_dev_mapper_devices; do
if ! echo "${dev_mapper_device}" | grep -q "^/dev/mapper/"; then
echo "ERROR: The device \"$dev_mapper_device\" is not in the /dev/mapper directory, this is confusing, stopping."
exit 1
fi
mapped_device=$(cryptsetup status "${dev_mapper_device}" | awk '/device:/ { print $2 }')
this_UUID=$(blkid -s UUID -o value "${mapped_device}")
partition_name=$(basename "$dev_mapper_device")
if [ -n "${this_UUID}" ]; then
this_line_for_crypttab="$partition_name UUID=${this_UUID} none luks,discard,keyscript=decrypt_keyctl"
this_line_for_crypttab_key="$partition_name UUID=${this_UUID} /mykeys/key.txt luks,discard"
crypttab_file_example="${crypttab_file_example}${this_line_for_crypttab}\n"
crypttab_file_example_key="${crypttab_file_example_key}${this_line_for_crypttab_key}\n"
else
echo "The UUID for \"$dev_mapper_device\" is not found. This is confusing, stopping."
exit 1
fi
done
# ************** end of the crypttab generator ***************
echo "$crypttab_file_example_key" > "${DESTDIR}/cryptroot/crypttab.key.autogenerated"
echo "$crypttab_file_example" > "${DESTDIR}/cryptroot/crypttab.nokey.autogenerated"
if [ ! -e "${DESTDIR}/cryptroot/crypttab" ]; then
echo "The file \"${DESTDIR}/cryptroot/crypttab\" does not exist, this should not happen."
echo "But we fix it - we copy there our autogenerated cryptotab:"
echo "--------- crypttab (autogenerated) ---------"
echo "$crypttab_file_example"
echo "--------- crypttab end ---------------------"
echo "$crypttab_file_example" > "${DESTDIR}/cryptroot/crypttab"
fi
if [ -e "${crypttab_key_source}" ]; then
cp "${crypttab_key_source}" "${DESTDIR}/cryptroot/crypttab.key"
else
echo "The file ${crypttab_key_source} do not exist, \"${DESTDIR}/cryptroot/crypttab.key\" will be generated by this script..."
echo "--------- crypttab.key (autogenerated) ---------"
echo "$crypttab_file_example_key"
echo "--------- crypttab.key end ---------------------"
echo "$crypttab_file_example_key" > "${DESTDIR}/cryptroot/crypttab.key"
fi
echo "Checking partitions if they are listed in crypttab files..."
error_count=0
for dev_mapper_device in $matching_dev_mapper_devices; do
partition_name="${dev_mapper_device##*/}"
# DEBUG - make sure the ##*/ magic works in different shell versions
partition_name_debug=$(basename "$dev_mapper_device")
if [ ! "${partition_name}" = "${partition_name_debug}" ]; then
echo "ERROR: Partition name calculation error."
exit 1
fi
if grep -q "^[[:space:]]*$partition_name[[:space:]]" /etc/crypttab; then
echo "$dev_mapper_device exists in /etc/crypttab"
else
echo "$dev_mapper_device does not exist in /etc/crypttab"
error_count=$((error_count + 1))
fi
if [ -e "${crypttab_key_source}" ]; then
if grep -q "^[[:space:]]*$partition_name[[:space:]]" "${crypttab_key_source}"; then
echo "$dev_mapper_device exists in \"${crypttab_key_source}\""
else
echo "$dev_mapper_device does not exist in \"${crypttab_key_source}\""
error_count=$((error_count + 1))
fi
fi
if grep -q "^[[:space:]]*$partition_name[[:space:]]" "${DESTDIR}/cryptroot/crypttab.key"; then
echo "$dev_mapper_device exists in \"${DESTDIR}/cryptroot/crypttab.key\""
else
echo "$dev_mapper_device does not exist in \"${DESTDIR}/cryptroot/crypttab.key\""
error_count=$((error_count + 1))
fi
if grep -q "^[[:space:]]*$partition_name[[:space:]]" "${DESTDIR}/cryptroot/crypttab"; then
echo "$dev_mapper_device exists in \"${DESTDIR}/cryptroot/crypttab\""
else
echo "$dev_mapper_device does not exist in \"${DESTDIR}/cryptroot/crypttab\""
error_count=$((error_count + 1))
fi
done
if [ $error_count -gt 0 ]; then
echo "Total errors (missing partitions in crypttab files): $error_count"
echo "Please correct the errors in the crypttab files."
exit 1
fi
#echo "DEBUG: Press Enter to continue."
#read nothing