Optimized luks

This commit is contained in:
Kevin Veen-Birkenbach 2020-10-01 19:35:01 +02:00
parent c6812de087
commit a847683e21
2 changed files with 34 additions and 32 deletions

View File

@ -45,6 +45,15 @@ make_working_folder(){
} }
mount_partitions(){ mount_partitions(){
if [ "$(blkid "$root_partition_path" -s TYPE -o value)" == "crypto_LUKS" ]
then
encrypted_partition_uuid=$(blkid "$root_partition_path" -s UUID -o value) &&
root_mapper_name="arch-root-$encrypted_partition_uuid" &&
root_mapper_path="/dev/mapper/$root_mapper_name" &&
info "Decrypting of $root_partition_path is neccessary..." &&
sudo cryptsetup -v luksOpen "$root_partition_path" "$root_mapper_name" ||
error
fi
info "Mount boot and root partition..." && info "Mount boot and root partition..." &&
mount -v "$boot_partition_path" "$boot_mount_path" && mount -v "$boot_partition_path" "$boot_mount_path" &&
mount -v "$root_mapper_path" "$root_mount_path" && mount -v "$root_mapper_path" "$root_mount_path" &&
@ -54,8 +63,6 @@ mount_partitions(){
destructor(){ destructor(){
info "Cleaning up..." info "Cleaning up..."
info "Encrypt decrypted root..."
sudo cryptsetup -v luksClose root | warning "Failed."
info "Unmounting everything..." info "Unmounting everything..."
umount -lv "$chroot_dev_pts_mount_path" || warning "Umounting $chroot_dev_pts_mount_path failed!" umount -lv "$chroot_dev_pts_mount_path" || warning "Umounting $chroot_dev_pts_mount_path failed!"
umount -lv "$chroot_dev_mount_path" || warning "Umounting $chroot_dev_mount_path failed!" umount -lv "$chroot_dev_mount_path" || warning "Umounting $chroot_dev_mount_path failed!"
@ -68,6 +75,11 @@ destructor(){
rmdir -v "$root_mount_path" || warning "Removing $root_mount_path failed!" rmdir -v "$root_mount_path" || warning "Removing $root_mount_path failed!"
rmdir -v "$boot_mount_path" || warning "Removing $boot_mount_path failed!" rmdir -v "$boot_mount_path" || warning "Removing $boot_mount_path failed!"
rmdir -v "$working_folder_path" || warning "Removing $working_folder_path failed!" rmdir -v "$working_folder_path" || warning "Removing $working_folder_path failed!"
if [ "$(blkid "$root_partition_path" -s TYPE -o value)" == "crypto_LUKS" ]
then
info "Trying to close decrypted $root_mapper_name..." &&
sudo cryptsetup -v luksClose $root_mapper_name || warning "Failed."
fi
} }
mount_chroot_binds(){ mount_chroot_binds(){

View File

@ -242,37 +242,8 @@ if [ "$transfer_image" = "y" ]
if [ "$encrypt_system" == "y" ] if [ "$encrypt_system" == "y" ]
then then
root_mapper_path="/dev/mapper/root"
question "Type in encryption password: " && read -r luks_password
question "Repeat encryption password:" && read -r luks_password_repeat
if [ "$luks_password" != "$luks_password_repeat" ]
then
error "Passwords didn't match."
fi
info "Formating $root_partition_path with LUKS..." && info "Formating $root_partition_path with LUKS..." &&
echo "$luks_password" | sudo cryptsetup -v luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 1000 "$root_partition_path" && sudo cryptsetup -v luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 1000 "$root_partition_path" ||
info "Decrypting $root_partition_path..." &&
echo "$luks_password" | sudo cryptsetup -v luksOpen "$root_partition_path" root &&
info "Setting encryption variables..." &&
encrypted_partition_uuid=$(blkid "$root_partition_path" -s UUID -o value) &&
rescue_suffix=".$(date +%s).rescue" &&
mkinitcpio_path="/etc/mkinitcpio.conf" &&
mkinitcpio_rescue_path="$mkinitcpio_path$rescue_suffix" &&
mkinitcpio_search_modules="MODULES=()" &&
mkinitcpio_replace_modules="MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)" &&
mkinitcpio_search_binaries="BINARIES=()" &&
mkinitcpio_replace_binaries=$(echo "BINARIES=(/usr/lib/libgcc_s.so.1)"| sed -e 's/[\/&]/\\&/g') &&
mkinitcpio_search_hooks="HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)" &&
mkinitcpio_replace_hooks="HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)" &&
fstab_path="/etc/fstab" &&
fstab_rescue_path="$fstab_path$rescue_suffix" &&
crypttab_path="/etc/crypttab" &&
crypttab_rescue_path="$crypttab_path$rescue_suffix" &&
boot_txt_path="/boot/boot.txt" &&
boot_txt_rescue_path="$boot_txt_path$rescue_suffix" &&
boot_txt_delete_line=$(echo "part uuid \${devtype} \${devnum}:2 uuid" | sed -e 's/[]\/$*.^[]/\\&/g') &&
boot_txt_setenv_origin=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=\${uuid} rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\"" | sed -e 's/[]\/$*.^[]/\\&/g') &&
boot_txt_setenv_replace=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 ip=::::$target_hostname:eth0:dhcp cryptdevice=UUID=$encrypted_partition_uuid:root root=$root_mapper_path rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\""| sed -e 's/[\/&]/\\&/g') ||
error error
fi fi
@ -427,6 +398,25 @@ fi
if [ "$encrypt_system" == "y" ] if [ "$encrypt_system" == "y" ]
then then
# Adapted this instruction for setting up encrypted systems @see https://gist.github.com/gea0/4fc2be0cb7a74d0e7cc4322aed710d38 # Adapted this instruction for setting up encrypted systems @see https://gist.github.com/gea0/4fc2be0cb7a74d0e7cc4322aed710d38
info "Setting encryption variables..." &&
rescue_suffix=".$(date +%s).rescue" &&
mkinitcpio_path="/etc/mkinitcpio.conf" &&
mkinitcpio_rescue_path="$mkinitcpio_path$rescue_suffix" &&
mkinitcpio_search_modules="MODULES=()" &&
mkinitcpio_replace_modules="MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)" &&
mkinitcpio_search_binaries="BINARIES=()" &&
mkinitcpio_replace_binaries=$(echo "BINARIES=(/usr/lib/libgcc_s.so.1)"| sed -e 's/[\/&]/\\&/g') &&
mkinitcpio_search_hooks="HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)" &&
mkinitcpio_replace_hooks="HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)" &&
fstab_path="/etc/fstab" &&
fstab_rescue_path="$fstab_path$rescue_suffix" &&
crypttab_path="/etc/crypttab" &&
crypttab_rescue_path="$crypttab_path$rescue_suffix" &&
boot_txt_path="/boot/boot.txt" &&
boot_txt_rescue_path="$boot_txt_path$rescue_suffix" &&
boot_txt_delete_line=$(echo "part uuid \${devtype} \${devnum}:2 uuid" | sed -e 's/[]\/$*.^[]/\\&/g') &&
boot_txt_setenv_origin=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=\${uuid} rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\"" | sed -e 's/[]\/$*.^[]/\\&/g') &&
boot_txt_setenv_replace=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 ip=::::$target_hostname:eth0:dhcp cryptdevice=UUID=$encrypted_partition_uuid:root root=$root_mapper_path rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\""| sed -e 's/[\/&]/\\&/g') || error
info "Setup encryption..." && info "Setup encryption..." &&
( (
echo "pacman --noconfirm -S --needed $(get_packages "server/luks") &&" echo "pacman --noconfirm -S --needed $(get_packages "server/luks") &&"