Continued implementation of encryption procedures for pi

2025-11-04 09:28:01 +00:00 · 2020-05-25 13:40:03 +02:00
parent d6bb5a2d18
commit 19bd0979b3
4 changed files with 41 additions and 7 deletions
--- a/configuration/packages/server/luks.txt
+++ b/configuration/packages/server/luks.txt
@@ -0,0 +1,10 @@
+# Packages to install LUKS on servers
+sudo
+git
+rsync
+base-devel
+uboot-tools
+dropbear
+mkinitcpio-utils
+mkinitcpio-netconf
+mkinitcpio-dropbear
--- a/scripts/base.sh
+++ b/scripts/base.sh
@@ -93,6 +93,16 @@ overwritte_device_with_zeros(){
  fi
 }

+get_packages(){
+  for package_collection in "$@"
+  do
+    package_collection_path="$PACKAGE_PATH""$package_collection.txt" &&
+    info "Loading package collection from $package_collection_path..." &&
+    echo "$(sed -e "/^#/d" -e "s/#.*//" "$package_collection_path" | tr '\n' ' ')" ||
+    error
+  done
+}
+
 HEADER(){
  echo
  echo "${COLOR_YELLOW}The"
--- a/scripts/client/setup.sh
+++ b/scripts/client/setup.sh
@@ -6,13 +6,6 @@
 # shellcheck disable=SC2086  # Deactivating escaping warning, because it's wrong concerning pacman_packages
 source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1)

-get_packages(){
-  for package_collection in "$@"
-  do
-    echo "$(sed -e "/^#/d" -e "s/#.*//" "$PACKAGE_PATH""$package_collection.txt" | tr '\n' ' ')" || error "Loading package wasn't possible."
-  done
-}
-
 install_yay_packages_if_needed(){
 	info "Checking yay packages [ $1 ]..."
 	for package in $1; do
--- a/scripts/image/setup.sh
+++ b/scripts/image/setup.sh
@@ -370,6 +370,27 @@ if [ "$update_system" == "y" ]
    ) | chroot "$root_mount_path" /bin/bash || error
 fi

+question "Should the system be encrypted?(y/N)" && read -r encrypt_system
+if [ "$encrypt_system" == "y" ]
+  then
+    # @see https://gist.github.com/gea0/4fc2be0cb7a74d0e7cc4322aed710d38
+    search_hooks="HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)"
+    replace_hooks="HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)"
+    mkinitcpio_path="/etc/mkinitcpio.conf"
+    mkinitcpio_rescue_path="$mkinitcpio_path.$(date +%s).rescue"
+    search_modules="MODULES=()"
+    replace_modules="MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)"
+    info "Setup encryption..." &&
+    (
+    echo "yes | pacman -S --needed $(get_packages "server/luks")"
+    echo "cp -v /home/$target_username/.ssh/authorized_keys /etc/dropbear/root_key"
+    echo "cp -v $mkinitcpio_path $mkinitcpio_rescue_path"
+    echo "sed -i 's/$search_modules/$replace_modules/g' $mkinitcpio_path"
+    echo "sed -i 's/$search_hooks/$replace_hooks/g' $mkinitcpio_path"
+    echo "mkinitcpio -P"
+    ) | chroot "$root_mount_path" /bin/bash || error
+fi
+
 # question "Do you want to copy all Wifi passwords to the device?(y/n)" && read -r copy_wifi
 # if [ "$copy_wifi" = "y" ]
 #   then