mirror of
https://github.com/kevinveenbirkenbach/linux-image-manager.git
synced 2024-11-10 01:51:03 +01:00
Optimized luks
This commit is contained in:
parent
c6812de087
commit
a847683e21
@ -45,6 +45,15 @@ make_working_folder(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
mount_partitions(){
|
mount_partitions(){
|
||||||
|
if [ "$(blkid "$root_partition_path" -s TYPE -o value)" == "crypto_LUKS" ]
|
||||||
|
then
|
||||||
|
encrypted_partition_uuid=$(blkid "$root_partition_path" -s UUID -o value) &&
|
||||||
|
root_mapper_name="arch-root-$encrypted_partition_uuid" &&
|
||||||
|
root_mapper_path="/dev/mapper/$root_mapper_name" &&
|
||||||
|
info "Decrypting of $root_partition_path is neccessary..." &&
|
||||||
|
sudo cryptsetup -v luksOpen "$root_partition_path" "$root_mapper_name" ||
|
||||||
|
error
|
||||||
|
fi
|
||||||
info "Mount boot and root partition..." &&
|
info "Mount boot and root partition..." &&
|
||||||
mount -v "$boot_partition_path" "$boot_mount_path" &&
|
mount -v "$boot_partition_path" "$boot_mount_path" &&
|
||||||
mount -v "$root_mapper_path" "$root_mount_path" &&
|
mount -v "$root_mapper_path" "$root_mount_path" &&
|
||||||
@ -54,8 +63,6 @@ mount_partitions(){
|
|||||||
|
|
||||||
destructor(){
|
destructor(){
|
||||||
info "Cleaning up..."
|
info "Cleaning up..."
|
||||||
info "Encrypt decrypted root..."
|
|
||||||
sudo cryptsetup -v luksClose root | warning "Failed."
|
|
||||||
info "Unmounting everything..."
|
info "Unmounting everything..."
|
||||||
umount -lv "$chroot_dev_pts_mount_path" || warning "Umounting $chroot_dev_pts_mount_path failed!"
|
umount -lv "$chroot_dev_pts_mount_path" || warning "Umounting $chroot_dev_pts_mount_path failed!"
|
||||||
umount -lv "$chroot_dev_mount_path" || warning "Umounting $chroot_dev_mount_path failed!"
|
umount -lv "$chroot_dev_mount_path" || warning "Umounting $chroot_dev_mount_path failed!"
|
||||||
@ -68,6 +75,11 @@ destructor(){
|
|||||||
rmdir -v "$root_mount_path" || warning "Removing $root_mount_path failed!"
|
rmdir -v "$root_mount_path" || warning "Removing $root_mount_path failed!"
|
||||||
rmdir -v "$boot_mount_path" || warning "Removing $boot_mount_path failed!"
|
rmdir -v "$boot_mount_path" || warning "Removing $boot_mount_path failed!"
|
||||||
rmdir -v "$working_folder_path" || warning "Removing $working_folder_path failed!"
|
rmdir -v "$working_folder_path" || warning "Removing $working_folder_path failed!"
|
||||||
|
if [ "$(blkid "$root_partition_path" -s TYPE -o value)" == "crypto_LUKS" ]
|
||||||
|
then
|
||||||
|
info "Trying to close decrypted $root_mapper_name..." &&
|
||||||
|
sudo cryptsetup -v luksClose $root_mapper_name || warning "Failed."
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
mount_chroot_binds(){
|
mount_chroot_binds(){
|
||||||
|
@ -242,37 +242,8 @@ if [ "$transfer_image" = "y" ]
|
|||||||
|
|
||||||
if [ "$encrypt_system" == "y" ]
|
if [ "$encrypt_system" == "y" ]
|
||||||
then
|
then
|
||||||
root_mapper_path="/dev/mapper/root"
|
|
||||||
question "Type in encryption password: " && read -r luks_password
|
|
||||||
question "Repeat encryption password:" && read -r luks_password_repeat
|
|
||||||
if [ "$luks_password" != "$luks_password_repeat" ]
|
|
||||||
then
|
|
||||||
error "Passwords didn't match."
|
|
||||||
fi
|
|
||||||
info "Formating $root_partition_path with LUKS..." &&
|
info "Formating $root_partition_path with LUKS..." &&
|
||||||
echo "$luks_password" | sudo cryptsetup -v luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 1000 "$root_partition_path" &&
|
sudo cryptsetup -v luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 1000 "$root_partition_path" ||
|
||||||
info "Decrypting $root_partition_path..." &&
|
|
||||||
echo "$luks_password" | sudo cryptsetup -v luksOpen "$root_partition_path" root &&
|
|
||||||
info "Setting encryption variables..." &&
|
|
||||||
encrypted_partition_uuid=$(blkid "$root_partition_path" -s UUID -o value) &&
|
|
||||||
rescue_suffix=".$(date +%s).rescue" &&
|
|
||||||
mkinitcpio_path="/etc/mkinitcpio.conf" &&
|
|
||||||
mkinitcpio_rescue_path="$mkinitcpio_path$rescue_suffix" &&
|
|
||||||
mkinitcpio_search_modules="MODULES=()" &&
|
|
||||||
mkinitcpio_replace_modules="MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)" &&
|
|
||||||
mkinitcpio_search_binaries="BINARIES=()" &&
|
|
||||||
mkinitcpio_replace_binaries=$(echo "BINARIES=(/usr/lib/libgcc_s.so.1)"| sed -e 's/[\/&]/\\&/g') &&
|
|
||||||
mkinitcpio_search_hooks="HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)" &&
|
|
||||||
mkinitcpio_replace_hooks="HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)" &&
|
|
||||||
fstab_path="/etc/fstab" &&
|
|
||||||
fstab_rescue_path="$fstab_path$rescue_suffix" &&
|
|
||||||
crypttab_path="/etc/crypttab" &&
|
|
||||||
crypttab_rescue_path="$crypttab_path$rescue_suffix" &&
|
|
||||||
boot_txt_path="/boot/boot.txt" &&
|
|
||||||
boot_txt_rescue_path="$boot_txt_path$rescue_suffix" &&
|
|
||||||
boot_txt_delete_line=$(echo "part uuid \${devtype} \${devnum}:2 uuid" | sed -e 's/[]\/$*.^[]/\\&/g') &&
|
|
||||||
boot_txt_setenv_origin=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=\${uuid} rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\"" | sed -e 's/[]\/$*.^[]/\\&/g') &&
|
|
||||||
boot_txt_setenv_replace=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 ip=::::$target_hostname:eth0:dhcp cryptdevice=UUID=$encrypted_partition_uuid:root root=$root_mapper_path rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\""| sed -e 's/[\/&]/\\&/g') ||
|
|
||||||
error
|
error
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -427,6 +398,25 @@ fi
|
|||||||
if [ "$encrypt_system" == "y" ]
|
if [ "$encrypt_system" == "y" ]
|
||||||
then
|
then
|
||||||
# Adapted this instruction for setting up encrypted systems @see https://gist.github.com/gea0/4fc2be0cb7a74d0e7cc4322aed710d38
|
# Adapted this instruction for setting up encrypted systems @see https://gist.github.com/gea0/4fc2be0cb7a74d0e7cc4322aed710d38
|
||||||
|
info "Setting encryption variables..." &&
|
||||||
|
rescue_suffix=".$(date +%s).rescue" &&
|
||||||
|
mkinitcpio_path="/etc/mkinitcpio.conf" &&
|
||||||
|
mkinitcpio_rescue_path="$mkinitcpio_path$rescue_suffix" &&
|
||||||
|
mkinitcpio_search_modules="MODULES=()" &&
|
||||||
|
mkinitcpio_replace_modules="MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)" &&
|
||||||
|
mkinitcpio_search_binaries="BINARIES=()" &&
|
||||||
|
mkinitcpio_replace_binaries=$(echo "BINARIES=(/usr/lib/libgcc_s.so.1)"| sed -e 's/[\/&]/\\&/g') &&
|
||||||
|
mkinitcpio_search_hooks="HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)" &&
|
||||||
|
mkinitcpio_replace_hooks="HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)" &&
|
||||||
|
fstab_path="/etc/fstab" &&
|
||||||
|
fstab_rescue_path="$fstab_path$rescue_suffix" &&
|
||||||
|
crypttab_path="/etc/crypttab" &&
|
||||||
|
crypttab_rescue_path="$crypttab_path$rescue_suffix" &&
|
||||||
|
boot_txt_path="/boot/boot.txt" &&
|
||||||
|
boot_txt_rescue_path="$boot_txt_path$rescue_suffix" &&
|
||||||
|
boot_txt_delete_line=$(echo "part uuid \${devtype} \${devnum}:2 uuid" | sed -e 's/[]\/$*.^[]/\\&/g') &&
|
||||||
|
boot_txt_setenv_origin=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=\${uuid} rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\"" | sed -e 's/[]\/$*.^[]/\\&/g') &&
|
||||||
|
boot_txt_setenv_replace=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 ip=::::$target_hostname:eth0:dhcp cryptdevice=UUID=$encrypted_partition_uuid:root root=$root_mapper_path rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\""| sed -e 's/[\/&]/\\&/g') || error
|
||||||
info "Setup encryption..." &&
|
info "Setup encryption..." &&
|
||||||
(
|
(
|
||||||
echo "pacman --noconfirm -S --needed $(get_packages "server/luks") &&"
|
echo "pacman --noconfirm -S --needed $(get_packages "server/luks") &&"
|
||||||
|
Loading…
Reference in New Issue
Block a user