cryptsetup-multidisk-ssh/encrypt_install

69 lines
2.5 KiB
Plaintext
Raw Normal View History

2016-11-24 00:31:25 -05:00
#!/bin/bash
2016-12-20 21:28:48 -05:00
make_etc_passwd() {
echo 'root:x:0:0:root:/root:/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/passwd
echo '/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/shells
}
2016-11-24 00:31:25 -05:00
build() {
local mod
add_module dm-crypt
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules '/crypto/'
fi
add_binary "cryptsetup"
add_binary "dmsetup"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
2016-12-20 21:28:48 -05:00
add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/cryptsetup_shell" "/bin/cryptsetup_shell"
add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/query_password" "/bin/query_password"
make_etc_passwd
2016-11-24 00:31:25 -05:00
add_runscript
}
help() {
cat <<HELPEOF
2016-12-20 21:28:48 -05:00
This hook is a drop in replacement for the encrypt multidisk hook and also allows for
multiple encrypted root devices to be unlocked remotely over SSH. It works with both
mkinitcpio-dropbear and mkinitcpio-tinyssh hooks. It DOES NOT perform any
network interface configuration.
Use this hook in combination with any early userspace networking hook, such as
mkinitcpio-netconf or mkinitcpio-ppp. Place this hook AFTER any network
configuration hook and BEFORE the filesystems hook.
2016-11-24 00:31:25 -05:00
This hook allows for multiple encrypted root devices. Users should specify the
device to be unlocked using 'cryptdevice=device:dmname' on the kernel command
line, where 'device' is the path to the raw device, and 'dmname' is the name
given to the device after unlocking, and will be available as /dev/mapper/dmname.
Subsequent devices must be specified the same way, but with cryptdevice1=,
cryptdevice2= and so on, in order. Passwords will be cached and attempted to
re-use them on the next device, and if that fails, a new password will be asked
for.
For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
the kernel cmdline, where 'device' represents the raw block device where the key
exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
the absolute path of the keyfile within the device.
Without specifying a keyfile, you will be prompted for the password at runtime.
This means you must have a keyboard available to input it, and you may need
the keymap hook as well to ensure that the keyboard is using the layout you
expect.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et: