cryptsetup-multidisk-ssh/encrypt_install

#!/bin/bash
make_etc_passwd() {
    echo 'root:x:0:0:root:/root:/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/passwd
    echo '/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/shells
}


build() {
    local mod

    add_module dm-crypt
    if [[ $CRYPTO_MODULES ]]; then
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules '/crypto/'
    fi

    add_binary "cryptsetup"
    add_binary "dmsetup"
    add_file "/usr/lib/udev/rules.d/10-dm.rules"
    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"

    add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/cryptsetup_shell" "/bin/cryptsetup_shell"
    add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/query_password" "/bin/query_password"

    make_etc_passwd

    add_runscript
}

help() {
    cat <<HELPEOF
This hook is a drop in replacement for the encrypt multidisk hook and also allows for
multiple encrypted root devices to be unlocked remotely over SSH. It works with both
mkinitcpio-dropbear and mkinitcpio-tinyssh hooks. It DOES NOT perform any
network interface configuration.

Use this hook in combination with any early userspace networking hook, such as
mkinitcpio-netconf or mkinitcpio-ppp. Place this hook AFTER any network
configuration hook and BEFORE the filesystems hook.

This hook allows for multiple encrypted root devices. Users should specify the
device to be unlocked using 'cryptdevice=device:dmname' on the kernel command
line, where 'device' is the path to the raw device, and 'dmname' is the name 
given to the device after unlocking, and will be available as /dev/mapper/dmname.

Subsequent devices must be specified the same way, but with cryptdevice1=,
cryptdevice2= and so on, in order. Passwords will be cached and attempted to
re-use them on the next device, and if that fails, a new password will be asked
for.

For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
the kernel cmdline, where 'device' represents the raw block device where the key
exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
the absolute path of the keyfile within the device.

Without specifying a keyfile, you will be prompted for the password at runtime.
This means you must have a keyboard available to input it, and you may need
the keymap hook as well to ensure that the keyboard is using the layout you
expect.
HELPEOF
}

# vim: set ft=sh ts=4 sw=4 et:
Add readme and encrypt_install 2016-11-24 00:31:25 -05:00			`#!/bin/bash`
First commit with ssh support 2016-12-20 21:28:48 -05:00			`make_etc_passwd() {`
			`echo 'root:x:0:0:root:/root:/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/passwd`
			`echo '/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/shells`
			`}`

Add readme and encrypt_install 2016-11-24 00:31:25 -05:00
			`build() {`
			`local mod`

			`add_module dm-crypt`
			`if [[ $CRYPTO_MODULES ]]; then`
			`for mod in $CRYPTO_MODULES; do`
			`add_module "$mod"`
			`done`
			`else`
			`add_all_modules '/crypto/'`
			`fi`

			`add_binary "cryptsetup"`
			`add_binary "dmsetup"`
			`add_file "/usr/lib/udev/rules.d/10-dm.rules"`
			`add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"`
			`add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"`
			`add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"`

First commit with ssh support 2016-12-20 21:28:48 -05:00			`add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/cryptsetup_shell" "/bin/cryptsetup_shell"`
			`add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/query_password" "/bin/query_password"`

			`make_etc_passwd`

Add readme and encrypt_install 2016-11-24 00:31:25 -05:00			`add_runscript`
			`}`

			`help() {`
			`cat <<HELPEOF`
First commit with ssh support 2016-12-20 21:28:48 -05:00			`This hook is a drop in replacement for the encrypt multidisk hook and also allows for`
			`multiple encrypted root devices to be unlocked remotely over SSH. It works with both`
			`mkinitcpio-dropbear and mkinitcpio-tinyssh hooks. It DOES NOT perform any`
			`network interface configuration.`

			`Use this hook in combination with any early userspace networking hook, such as`
			`mkinitcpio-netconf or mkinitcpio-ppp. Place this hook AFTER any network`
			`configuration hook and BEFORE the filesystems hook.`

Add readme and encrypt_install 2016-11-24 00:31:25 -05:00			`This hook allows for multiple encrypted root devices. Users should specify the`
			`device to be unlocked using 'cryptdevice=device:dmname' on the kernel command`
			`line, where 'device' is the path to the raw device, and 'dmname' is the name`
			`given to the device after unlocking, and will be available as /dev/mapper/dmname.`

			`Subsequent devices must be specified the same way, but with cryptdevice1=,`
			`cryptdevice2= and so on, in order. Passwords will be cached and attempted to`
			`re-use them on the next device, and if that fails, a new password will be asked`
			`for.`

			`For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on`
			`the kernel cmdline, where 'device' represents the raw block device where the key`
			`exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is`
			`the absolute path of the keyfile within the device.`

			`Without specifying a keyfile, you will be prompted for the password at runtime.`
			`This means you must have a keyboard available to input it, and you may need`
			`the keymap hook as well to ensure that the keyboard is using the layout you`
			`expect.`
			`HELPEOF`
			`}`

			`# vim: set ft=sh ts=4 sw=4 et:`