From f7511ff3c79f315bacd743dfb155512b40b89a2a Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Tue, 20 Dec 2016 21:28:48 -0500 Subject: [PATCH] First commit with ssh support --- cryptsetup_shell | 8 ++++++++ encrypt_hook | 23 +++++++++++++---------- encrypt_install | 19 +++++++++++++++++++ query_password | 9 +++++++++ readme.md | 6 ++++-- 5 files changed, 53 insertions(+), 12 deletions(-) create mode 100644 cryptsetup_shell create mode 100644 query_password diff --git a/cryptsetup_shell b/cryptsetup_shell new file mode 100644 index 0000000..f28cca7 --- /dev/null +++ b/cryptsetup_shell @@ -0,0 +1,8 @@ +#!/usr/bin/ash +sed 's/ /\n/g' /proc/cmdline | grep = > /linux.cmdline +. /linux.cmdline +rm /linux.cmdline +. /init_functions +. /hooks/encrypt-multidisk-ssh + +run_hook diff --git a/encrypt_hook b/encrypt_hook index 730b08e..1a643f8 100755 --- a/encrypt_hook +++ b/encrypt_hook @@ -69,14 +69,6 @@ EOF echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." } - query_password() { - echo "" - echo "A password is required to access the ${cryptname} volume:" - read -rsp "Enter passphrase for ${resolved}: " password - echo -n "${password}" > ${cpassfile} - echo "" - } - for cryptopt in ${cryptoptions//,/ }; do case ${cryptopt} in allow-discards) @@ -104,13 +96,22 @@ EOF if [ ${dopassphrase} -gt 0 ]; then if [ ! -f ${cpassfile} ]; then - query_password + query_password "${cryptname}" "${resolved}" "${cpassfile}" + if [ -f /.done ]; then + break + fi fi #loop until we get a real password while ! eval cryptsetup --key-file ${cpassfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do - query_password + query_password "${cryptname}" "${resolved}" "${cpassfile}" + if [ -f /.done ]; then + break + fi done + if [ -f /.done ]; then + break + fi fi if [ -e "/dev/mapper/${cryptname}" ]; then if [ ${DEPRECATED_CRYPT} -eq 1 ]; then 
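Review bot: `. /linux.cmdline` on the third line of cryptsetup_shell executes every `key=value` token of the kernel command line as ash code, so a token containing `$(`, backticks or `;` is run as root inside the initramfs instead of being assigned, and a quoted value with spaces is split apart by the preceding `sed 's/ /\n/g'`. The command line is bootloader-controlled, so this is a robustness gap rather than a remote one, but the script already sources `/init_functions`, which is where mkinitcpio's own `/init` gets `parse_cmdline`; sourcing it first and then parsing gives the same variables without evaluating the text and without a temp file in `/`: `. /init_functions` / `parse_cmdline </proc/cmdline` / `. /hooks/encrypt-multidisk-ssh`. The file also lacks a header comment; `# Login shell for root over ssh: re-runs the encrypt hook so volumes can be unlocked remotely` would explain why a login shell sources a hook.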
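Review bot: The `/.done` sentinel is introduced in the `@@ -104,13 +96,22 @@` hunk of encrypt_hook without a comment saying what creates it, and the same `if [ -f /.done ]; then break; fi` appears three times; the enclosing loop and run_hook itself start and end outside the hunk. A one-line helper next to the other hook functions, `unlock_finished() { [ -f /.done ]; }`, with the comment `# /.done is created by whichever run_hook instance (console or ssh login shell) opens the last volume; stop prompting here`, would document the hand-off and turn each check into `unlock_finished && break`. It is also worth stating in that comment that when the other instance kills `query_password` mid-prompt, `${cpassfile}` may be missing or empty on return, so the `while ! eval cryptsetup ...` loop terminates only through the sentinel check rather than through a successful open.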
@@ -167,6 +168,8 @@ EOF count=$((count + 1)) done rm -f ${cpassfile} + touch /.done + killall query_password } # vim: set ft=sh ts=4 sw=4 et: diff --git a/encrypt_install b/encrypt_install index 9ebf342..34571a6 100644 --- a/encrypt_install +++ b/encrypt_install @@ -1,4 +1,9 @@ #!/bin/bash +make_etc_passwd() { + echo 'root:x:0:0:root:/root:/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/passwd + echo '/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/shells +} + build() { local mod @@ -19,11 +24,25 @@ build() { add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" + add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/cryptsetup_shell" "/bin/cryptsetup_shell" + add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/query_password" "/bin/query_password" + + make_etc_passwd + add_runscript } help() { cat < ${cpassfile} +echo "" diff --git a/readme.md b/readme.md index 016a699..4426287 100644 --- a/readme.md +++ b/readme.md @@ -1,5 +1,7 @@ This is the standard archlinux encrypt hook extended to support multiple encrypted devices via cryptsetup= cryptsetup1= cryptsetup2= etc. -Hopefully one day it will be merged with the normal archlinux cryptsetup package (ask for it [here](https://bugs.archlinux.org/task/23182)), until then it will be available via the aur here: +This hook also additionally supports unlocking via ssh with mkinitcpio-dropbear or mkinitcpio-tinyssh packages set up first. -https://aur.archlinux.org/packages/cryptsetup-multidisk/ +Available via the aur here: + +https://aur.archlinux.org/packages/cryptsetup-multidisk-ssh/
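Review bot: `killall query_password` is now the last command of run_hook, so the function's exit status becomes killall's, which is non-zero whenever no `query_password` process exists — the normal single-console case; if mkinitcpio's hook runner or any caller ever inspects that status, a successful unlock reads as a failure. Change it to `killall query_password 2>/dev/null || true` and give the two added lines a why-comment: `# signal the other run_hook instance (console or ssh login shell) that all volumes are open, then unblock its prompt`. The order matters — `touch /.done` must stay before the kill so the interrupted instance finds the sentinel when `query_password` returns — and the comment should say so. The start of run_hook is outside the hunk.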
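Review bot: make_etc_passwd in the `@@ -1,4 +1,9 @@` hunk of encrypt_install overwrites `${BUILDROOT}/etc/passwd` and `/etc/shells` with `>`, so anything the ssh hook (mkinitcpio-dropbear or mkinitcpio-tinyssh, per the readme hunk) placed there is silently replaced and the outcome depends on this hook being listed after that one in HOOKS; I cannot see the other hook's install script, so whether it writes these files is an inference. The function also has no comment on the posture it establishes: root's shell is the restricted `cryptsetup_shell` rather than an interactive shell, and the `x` password field with no `/etc/shadow` added by this hook means password authentication cannot succeed unless some other hook supplies one, leaving key-based login as the working path. A header such as `# root: no usable password (key auth only), cryptsetup_shell as login shell; must run after the ssh hook's install so this passwd is the one that survives` would capture both, and checking for an existing root entry before writing would avoid the silent clobber.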