blob: 248f1f217b7c2165fd1b5755bf01e0c21c7849fd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
# vim: set ft=sh:
# TODO this one needs some work to work with lots of different
# encryption schemes
run_hook ()
{
/sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
if [ -e "/sys/class/misc/device-mapper" ]; then
if [ ! -c "/dev/mapper/control" ]; then
read dev_t < /sys/class/misc/device-mapper/dev
/bin/mknod "/dev/mapper/control" c $(/bin/replace "${dev_t}" ':')
fi
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
# Get keyfile if specified
ckeyfile="/crypto_keyfile.bin"
if [ "x${cryptkey}" != "x" ]; then
set -- $(/bin/replace "${cryptkey}" ':'); ckdev=$1; ckarg1=$2; ckarg2=$3
try=10
echo "Waiting for ${ckdev} ..."
while [ ! -b ${ckdev} -a ${try} -gt 0 ]; do
sleep 1
try=$((${try}-1))
done
if [ -b ${ckdev} ]; then
case ${ckarg1} in
*[!0-9]*)
# Use a file on the device
# ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
mkdir /ckey
mount -r -t ${ckarg1} ${ckdev} /ckey
dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
umount /ckey
;;
*)
# Read raw data from the block device
# ckarg1 is numeric: ckarg1=offset, ckarg2=length
dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
;;
esac
fi
[ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
fi
if [ -n "${cryptdevice}" ]; then
set -- $(/bin/replace "${cryptdevice}" ':'); cryptdev="$1"; cryptname="$2";
else
cryptdev="${root}"
cryptname="root"
fi
if /bin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
dopassphrase=1
# If keyfile exists, try to use that
if [ -f ${ckeyfile} ]; then
if eval /bin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
dopassphrase=0
else
echo "Invalid keyfile. Reverting to passphrase."
fi
fi
# Ask for a passphrase
if [ ${dopassphrase} -gt 0 ]; then
echo ""
echo "A password is required to access the ${cryptname} volume:"
#loop until we get a real password
while ! eval /bin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
sleep 2;
done
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ "${cryptname}" = "root" ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
exit 1
fi
elif [ "x${crypto}" != "x" ]; then
do_oldcrypto ()
{
if [ $# -ne 5 ]; then
err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
err "Non-LUKS decryption not attempted..."
return 1
fi
exe="/bin/cryptsetup create ${cryptname} ${cryptdev}"
[ "x$(eval echo ${1})" != "x" ] && exe="${exe} --hash \"$(eval echo ${1})\""
[ "x$(eval echo ${2})" != "x" ] && exe="${exe} --cipher \"$(eval echo ${2})\""
[ "x$(eval echo ${3})" != "x" ] && exe="${exe} --key-size \"$(eval echo ${3})\""
[ "x$(eval echo ${4})" != "x" ] && exe="${exe} --offset \"$(eval echo ${4})\""
[ "x$(eval echo ${5})" != "x" ] && exe="${exe} --skip \"$(eval echo ${5})\""
if [ -f ${ckeyfile} ]; then
exe="${exe} --key-file ${ckeyfile}"
else
exe="${exe} --verify-passphrase"
echo ""
echo "A password is required to access the ${cryptname} volume:"
fi
eval "${exe} ${CSQUIET}"
}
msg "Non-LUKS encrypted device found..."
do_oldcrypto $(/bin/replace -q "${crypto}" ':')
if [ $? -ne 0 ]; then
err "Non-LUKS device decryption failed. verify format: "
err " crypto=hash:cipher:keysize:offset:skip"
exit 1
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ "${cryptname}" = "root" ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
exit 1
fi
fi
nuke ${ckeyfile}
fi
}
|
