First commit with ssh support

This commit is contained in:
Travis Burtrum 2016-12-20 21:28:48 -05:00
parent 1e800c8319
commit f7511ff3c7
5 changed files with 53 additions and 12 deletions

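--- /dev/null
+++ b/cryptsetup_shell
@@ -0,0 +1,8 @@
+#!/usr/bin/ash
+sed 's/ /\n/g' /proc/cmdline | grep = > /linux.cmdline
+. /linux.cmdline
+rm /linux.cmdline
+. /init_functions
+. /hooks/encrypt-multidisk-ssh
+run_hook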
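Review bot: The `. /linux.cmdline` line sources the kernel command line as shell after nothing more than `grep =`, so a parameter whose value contains `$`, `;` or a quoted space is executed or split instead of being assigned, and a key that is not a valid shell identifier (for example `rd.luks.name=...`) is run as a command and merely prints a not-found error because nothing in the script stops on failure. The bootloader is already in the initramfs trust base, so this is mostly a robustness point, but the filter could be tightened to `grep -E '^[A-Za-z_][A-Za-z0-9_]*=' > /linux.cmdline` and the assumption deserves a comment such as `# /proc/cmdline is trusted and is sourced as shell; values with metacharacters or quoted spaces do not round-trip`. The same header should state that the script never reads its arguments, so a non-interactive `ssh root@host cmd` (typically delivered to the login shell as `-c cmd`) is ignored and the only thing reachable from an ssh login is `run_hook`.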


@ -69,14 +69,6 @@ EOF
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
}
query_password() {
echo ""
echo "A password is required to access the ${cryptname} volume:"
read -rsp "Enter passphrase for ${resolved}: " password
echo -n "${password}" > ${cpassfile}
echo ""
}
for cryptopt in ${cryptoptions//,/ }; do
case ${cryptopt} in
allow-discards)
@ -104,13 +96,22 @@ EOF
if [ ${dopassphrase} -gt 0 ]; then
if [ ! -f ${cpassfile} ]; then
query_password
query_password "${cryptname}" "${resolved}" "${cpassfile}"
if [ -f /.done ]; then
break
fi
fi
#loop until we get a real password
while ! eval cryptsetup --key-file ${cpassfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
query_password
query_password "${cryptname}" "${resolved}" "${cpassfile}"
if [ -f /.done ]; then
break
fi
done
if [ -f /.done ]; then
break
fi
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
@ -167,6 +168,8 @@ EOF
count=$((count + 1))
done
rm -f ${cpassfile}
touch /.done
killall query_password
}
# vim: set ft=sh ts=4 sw=4 et:
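Review bot: The passphrase block beginning at `if [ ${dopassphrase} -gt 0 ]; then` is entered even when `/dev/mapper/${cryptname}` already exists, and that now matters because the console `run_hook` and every ssh `cryptsetup_shell` login run this same loop concurrently against the same `${cpassfile}`; if one session has already opened a device, the other's `cryptsetup open` for it fails and its `while` loop re-prompts for a device that is finished, escaping only once the other session reaches `touch /.done` (the exact cryptsetup failure mode is inferred, not visible here). Reusing the test that already appears a few lines below, `if [ ${dopassphrase} -gt 0 ] && [ ! -e "/dev/mapper/${cryptname}" ]; then` lets a second session skip devices the first one completed. In the last hunk, `killall query_password` terminates a `read -s` mid-prompt, so the killed session's tty may be left with echo disabled, and a comment there explaining that `/.done` must be created before the kill because the killed sessions test for it on return would help the next reader. The loop these `break`s leave, and `run_hook` itself, begin before the hunk.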


@ -1,4 +1,9 @@
#!/bin/bash
make_etc_passwd() {
echo 'root:x:0:0:root:/root:/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/passwd
echo '/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/shells
}
build() {
local mod
@ -19,11 +24,25 @@ build() {
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/cryptsetup_shell" "/bin/cryptsetup_shell"
add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/query_password" "/bin/query_password"
make_etc_passwd
add_runscript
}
help() {
cat <<HELPEOF
This hook is a drop in replacement for the encrypt multidisk hook and also allows for
multiple encrypted root devices to be unlocked remotely over SSH. It works with both
mkinitcpio-dropbear and mkinitcpio-tinyssh hooks. It DOES NOT perform any
network interface configuration.
Use this hook in combination with any early userspace networking hook, such as
mkinitcpio-netconf or mkinitcpio-ppp. Place this hook AFTER any network
configuration hook and BEFORE the filesystems hook.
This hook allows for multiple encrypted root devices. Users should specify the
device to be unlocked using 'cryptdevice=device:dmname' on the kernel command
line, where 'device' is the path to the raw device, and 'dmname' is the name
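Review bot: `make_etc_passwd` overwrites `${BUILDROOT}/etc/passwd` and `/etc/shells` with `>`, so if a hook that runs earlier (the dropbear/tinyssh hooks the help text names) has already populated those files its entries are lost, and a hook running later would likewise discard this root entry; the ordering dependence is not stated anywhere, and which hooks write these files is not visible here. The function also pins root's password field to `x` without creating a shadow entry in this hunk, so access through the initramfs sshd rests entirely on key authentication. A header comment such as `# root's login shell becomes cryptsetup_shell so an ssh login can only run the unlock loop; password field 'x' with no shadow entry means key auth only` would make both points explicit. `build` begins before the hunk and `help` continues past its end.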

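--- /dev/null
+++ b/query_password
@@ -0,0 +1,9 @@
+#!/usr/bin/ash
+cryptname="$1"
+resolved="$2"
+cpassfile="$3"
+echo ""
+echo "A password is required to access the ${cryptname} volume:"
+read -rsp "Enter passphrase for ${resolved}: " password
+echo -n "${password}" > ${cpassfile}
+echo ""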
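Review bot: `echo -n "${password}" > ${cpassfile}` is fragile on two counts: busybox echo (the ash here) keeps parsing options after `-n`, so a passphrase such as `-e` or `-E` is swallowed as an option and a different key is written, and `${cpassfile}` is unquoted. `printf '%s' "${password}" > "${cpassfile}"` writes the bytes exactly as typed. Since this script is what an ssh login now ends up in, a two-line header stating that it takes `cryptname resolved cpassfile`, prompts on the caller's tty and leaves the passphrase in `cpassfile` for the caller to remove (the hook's `rm -f ${cpassfile}` at the end of `run_hook`) would help; whether that file is created under a restrictive umask is not visible here.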


@ -1,5 +1,7 @@
This is the standard archlinux encrypt hook extended to support multiple encrypted devices via cryptsetup= cryptsetup1= cryptsetup2= etc.
Hopefully one day it will be merged with the normal archlinux cryptsetup package (ask for it [here](https://bugs.archlinux.org/task/23182)), until then it will be available via the aur here:
This hook also additionally supports unlocking via ssh with mkinitcpio-dropbear or mkinitcpio-tinyssh packages set up first.
https://aur.archlinux.org/packages/cryptsetup-multidisk/
Available via the aur here:
https://aur.archlinux.org/packages/cryptsetup-multidisk-ssh/