From bc1b9e84a77c389c81ebe2aa07251fe2b0451640 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sun, 20 Dec 2020 21:16:56 +0100
Subject: [PATCH] Implemented raid1 luks encrypted draft
---
scripts/encryption/storage/Readme.md | 2 +
scripts/encryption/storage/base.sh | 63 ++++++++++++++++-
scripts/encryption/storage/mount_on_boot.sh | 70 -------------------
scripts/encryption/storage/raid1/base.sh | 16 +++++
.../encryption/storage/raid1/mount_on_boot.sh | 7 ++
scripts/encryption/storage/raid1/setup.sh | 20 ++++++
.../encryption/storage/single_drive/base.sh | 2 +
.../storage/{ => single_drive}/mount.sh | 0
.../storage/single_drive/mount_on_boot.sh | 11 +++
.../storage/{ => single_drive}/setup.sh | 1 +
.../storage/{ => single_drive}/umount.sh | 0
11 files changed, 121 insertions(+), 71 deletions(-)
create mode 100644 scripts/encryption/storage/Readme.md
delete mode 100644 scripts/encryption/storage/mount_on_boot.sh
create mode 100644 scripts/encryption/storage/raid1/base.sh
create mode 100644 scripts/encryption/storage/raid1/mount_on_boot.sh
create mode 100644 scripts/encryption/storage/raid1/setup.sh
create mode 100644 scripts/encryption/storage/single_drive/base.sh
rename scripts/encryption/storage/{ => single_drive}/mount.sh (100%)
create mode 100644 scripts/encryption/storage/single_drive/mount_on_boot.sh
rename scripts/encryption/storage/{ => single_drive}/setup.sh (99%)
rename scripts/encryption/storage/{ => single_drive}/umount.sh (100%)
diff --git a/scripts/encryption/storage/Readme.md b/scripts/encryption/storage/Readme.md
new file mode 100644
index 0000000..844fec9
--- /dev/null
+++ b/scripts/encryption/storage/Readme.md
@@ -0,0 +1,2 @@
+# Storage
+For security reasons storages **SHOULD** be encrypted with [LUKS](https://de.wikipedia.org/wiki/Dm-crypt#Erweiterung_mit_LUKS). To keep it standardized and easy this scripts will use [btrfs](https://de.wikipedia.org/wiki/Btrfs) as file system.
diff --git a/scripts/encryption/storage/base.sh b/scripts/encryption/storage/base.sh
index 11ca9c4..069ccbe 100644
--- a/scripts/encryption/storage/base.sh
+++ b/scripts/encryption/storage/base.sh
@@ -8,7 +8,68 @@ set_device_mount_partition_and_mapper_paths(){
 mount_path="/media/$mapper_name" &&
 partition_path="$device_path""1" &&
 info "mapper name set to : $mapper_name" &&
- info "mapper path set to : $mapper_path" ||
+ info "mapper path set to : $mapper_path" &&
+ info "mount path set to : $mount_path" ||
 error
 }
+
+# @var $1 mapper_path
+# @var $2 partition_path
+create_luks_key_and_update_cryptab(){
+ LUKS_KEY_DIRECTORY="/etc/luks-keys/" &&
+ info "Creating luks-key-directory..." &&
+ sudo mkdir $LUKS_KEY_DIRECTORY || warning "Directory exists: $LUKS_KEY_DIRECTORY" || error
+ luks_key_name="$1.keyfile" &&
+ secret_key_path="$LUKS_KEY_DIRECTORY$luks_key_name" &&
+ info "Generate secret key under: $secret_key_path" || error
+ if [ -f "$secret_key_path" ]
+ then
+ warning "File allready exist. Overwritting!"
+ fi
+ sudo dd if=/dev/urandom of=$secret_key_path bs=512 count=8 &&
+ sudo cryptsetup -v luksAddKey $2 $secret_key_path &&
+ info "Opening and closing device to verify that that everything works fine..." &&
+ sudo cryptsetup -v luksOpen $2 $1 --key-file=$secret_key_path &&
+ sudo cryptsetup -v luksClose $1 &&
+ info "Reading UUID..." &&
+ uuid_line=$(sudo cryptsetup luksDump $2 | grep "UUID") &&
+ uuid=$(echo "${uuid_line/UUID:/""}"|sed -e "s/[[:space:]]\+//g") &&
+ crypttab_path="/etc/crypttab" &&
+ crypttab_entry="$1 UUID=$uuid $secret_key_path luks" &&
+ info "Adding crypttab entry..." || error
+ if sudo grep -q "$crypttab_entry" "$crypttab_path";
+ then
+ warning "File $crypttab_path contains allready a the following entry:" &&
+ echo "$crypttab_entry" &&
+ info "Skipped." ||
+ error
+ else
+ sudo sh -c "echo '$crypttab_entry' >> $crypttab_path" ||
+ error
+ fi
+
+ info "The file $crypttab_path contains now the following:" &&
+ sudo cat $crypttab_path ||
+ error
+}
+
+# @var $1 mapper_name
+# @var $2 mount_path
+update_fstab(){
+ fstab_path="/etc/fstab"
+ fstab_entry="$1 $2 btrfs defaults 0 2"
+ info "Adding fstab entry..."
+ if sudo grep -q "$fstab_entry" "$fstab_path"; then
+ warning "File $fstab_path contains allready a the following entry:" &&
+ echo "$fstab_entry" &&
+ info "Skipped." ||
+ error
+ else
+ sudo sh -c "echo '$fstab_entry' >> $fstab_path" ||
+ error
+ fi
+
+ info "The file $fstab_path contains now the following:" &&
+ sudo cat $fstab_path ||
+ error
+}
diff --git a/scripts/encryption/storage/mount_on_boot.sh b/scripts/encryption/storage/mount_on_boot.sh
deleted file mode 100644
index 7de0674..0000000
--- a/scripts/encryption/storage/mount_on_boot.sh
+++ /dev/null
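Review bot: The LUKS keyfile in create_luks_key_and_update_cryptab is created by `sudo dd if=/dev/urandom of=$secret_key_path bs=512 count=8` with whatever umask the caller has, and `sudo mkdir $LUKS_KEY_DIRECTORY` likewise, so the unlock secret for the volume typically lands as a 0644 file inside a 0755 directory, readable by every local account. Create both with restrictive modes before any key material is written: `sudo mkdir -m 700 "$LUKS_KEY_DIRECTORY" || warning "Directory exists: $LUKS_KEY_DIRECTORY" || error` and, ahead of the dd, `sudo install -m 600 /dev/null "$secret_key_path" &&` so dd only fills an already-private file. The "Overwritting!" branch deserves a second look too: a keyfile that is already enrolled in another LUKS header stops unlocking that other volume once its bytes are replaced, so refusing (or moving the old file aside) is safer than a warning. Appending with `sudo sh -c "echo '$crypttab_entry' >> $crypttab_path"` (and the same construct in update_fstab) builds a root shell command out of the mapper name; `printf '%s\n' "$crypttab_entry" | sudo tee -a "$crypttab_path" >/dev/null` writes the line without an inner shell, and quoting `$1`, `$2` and `$secret_key_path` in the cryptsetup calls removes the word-splitting on names with spaces. The `info`/`warning`/`error` helpers that this `&&`/`||` chain relies on to abort are defined outside the hunk.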
@@ -1,70 +0,0 @@
-#!/bin/bash
-source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
-echo "Automount encrypted storages"
-echo
-set_device_mount_partition_and_mapper_paths
-
-info "Creating key luks-key-directory..." &&
-key_directory="/etc/luks-keys/" &&
-sudo mkdir $key_directory || warning "Directory exists: $key_directory"
-luks_key_name="$mapper_name""_name_secret_key" &&
-secret_key_path="$key_directory$luks_key_name" &&
-info "Generate secret key under: $secret_key_path" &&
-if [ -f "$secret_key_path" ]
- then
- warning "File allready exist. Overwritting!"
-fi
-sudo dd if=/dev/urandom of=$secret_key_path bs=512 count=8 &&
-sudo cryptsetup -v luksAddKey $partition_path $secret_key_path ||
-error
-
-info "Opening and closing device to verify that that everything works fine..." &&
-sudo cryptsetup -v luksOpen $partition_path $mapper_name --key-file=$secret_key_path &&
-sudo cryptsetup -v luksClose $mapper_name ||
-error
-
-info "Reading UUID..."
-uuid_line=$(sudo cryptsetup luksDump $partition_path | grep "UUID") &&
-uuid=$(echo "${uuid_line/UUID:/""}"|sed -e "s/[[:space:]]\+//g") ||
-error
-
-crypttab_path="/etc/crypttab"
-crypttab_entry="$mapper_name UUID=$uuid $secret_key_path luks"
-info "Adding crypttab entry..."
-if sudo grep -q "$crypttab_entry" "$crypttab_path";
- then
- warning "File $crypttab_path contains allready a the following entry:" &&
- echo "$crypttab_entry" &&
- info "Skipped." ||
- error
- else
- sudo sh -c "echo '$crypttab_entry' >> $crypttab_path" ||
- error
-fi
-
-info "The file $crypttab_path contains now the following:" &&
-sudo cat $crypttab_path ||
-error
-
-# info "Verifying crypttab configuration..." &&
-# sudo cryptdisks_start $mapper_name ||
-# error
-
-fstab_path="/etc/fstab"
-fstab_entry="$mapper_path $mount_path btrfs defaults 0 2"
-info "Adding fstab entry..."
-if sudo grep -q "$fstab_entry" "$fstab_path"; then
- warning "File $crypttab_path contains allready a the following entry:" &&
- echo "$fstab_entry" &&
- info "Skipped." ||
- error
-else
- sudo sh -c "echo '$fstab_entry' >> $fstab_path" ||
- error
-fi
-
-info "The file $fstab_path contains now the following:" &&
-sudo cat $fstab_path ||
-error
-
-success "Installation finished. Please restart :)"
diff --git a/scripts/encryption/storage/raid1/base.sh b/scripts/encryption/storage/raid1/base.sh
new file mode 100644
index 0000000..da70cf6
--- /dev/null
+++ b/scripts/encryption/storage/raid1/base.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1)
+set_raid1_devices_mount_partition_and_mapper_paths(){
+ info "RAID1 partition 1..." &&
+ set_device_mount_partition_and_mapper_paths &&
+ partition_path_1=$partition_path &&
+ mapper_name_1=$mapper_name &&
+ mapper_path_1=$mapper_path &&
+ mount_path_1=$mount_path &&
+ info "RAID1 partition 2..." &&
+ set_device_mount_partition_and_mapper_paths &&
+ partition_path_2=$partition_path &&
+ mapper_name_2=$mapper_name &&
+ mapper_path_2=$mapper_path &&
+ mount_path_2=$mount_path || error
+}
diff --git a/scripts/encryption/storage/raid1/mount_on_boot.sh b/scripts/encryption/storage/raid1/mount_on_boot.sh
new file mode 100644
index 0000000..090ba7c
--- /dev/null
+++ b/scripts/encryption/storage/raid1/mount_on_boot.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+info "Automount raid1 encrypted storages..."
+create_luks_key_and_update_cryptab $mapper_name_1 $partition_path_1
+create_luks_key_and_update_cryptab $mapper_name_2 $partition_path_2
+update_fstab $mapper_path_1 $mount_path_1
+success "Installation finished. Please restart :)"
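Review bot: set_raid1_devices_mount_partition_and_mapper_paths never checks that the two selections differ, so giving the same device twice leaves `partition_path_1` equal to `partition_path_2` and `mapper_name_1` equal to `mapper_name_2`, and raid1/setup.sh then runs luksFormat twice and a two-member `mkfs.btrfs` against a single device. Changing the last line of the chain to `mount_path_2=$mount_path && [ "$partition_path_1" != "$partition_path_2" ] || error` keeps that mistake from reaching the destructive steps. The function reads the globals `partition_path`, `mapper_name`, `mapper_path` and `mount_path` that set_device_mount_partition_and_mapper_paths in the parent base.sh (outside this hunk) sets, presumably by prompting; a header comment such as `# Reads partition_path/mapper_name/mapper_path/mount_path after each set_device_mount_partition_and_mapper_paths call and copies them into the *_1 and *_2 globals` would make that contract visible to callers.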
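Review bot: Nothing in raid1/mount_on_boot.sh assigns `mapper_name_1`, `partition_path_1` and the other `_1`/`_2` variables before `create_luks_key_and_update_cryptab $mapper_name_1 $partition_path_1` uses them: single_drive/mount_on_boot.sh calls set_device_mount_partition_and_mapper_paths first, but this script only sources raid1/base.sh, which defines set_raid1_devices_mount_partition_and_mapper_paths without calling it. With both expansions empty and unquoted the function receives no positional parameters, so it would write `/etc/luks-keys/.keyfile` and then run `cryptsetup luksAddKey` with that keyfile path as its only argument. Add `set_raid1_devices_mount_partition_and_mapper_paths` after the info line and quote the arguments, `create_luks_key_and_update_cryptab "$mapper_name_1" "$partition_path_1"`, so an empty value fails instead of shifting; the same quoting applies to the second call, to `update_fstab $mapper_path_1 $mount_path_1`, and to the two calls in single_drive/mount_on_boot.sh. Only `mapper_path_1` goes into fstab; if mounting the btrfs raid1 through one member once both mappers are open is the intent, a one-line comment saying so would stop it reading as an omission.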
diff --git a/scripts/encryption/storage/raid1/setup.sh b/scripts/encryption/storage/raid1/setup.sh
new file mode 100644
index 0000000..991b169
--- /dev/null
+++ b/scripts/encryption/storage/raid1/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# @author Kevin Veen-Birkenbach [kevin@veen.world]
+# @see https://balaskas.gr/btrfs/raid1.html
+# @see https://mutschler.eu/linux/install-guides/ubuntu-btrfs-raid1/
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+
+set_raid1_devices_mount_partition_and_mapper_paths
+
+info "Encrypting $partition_path_1..." &&
+cryptsetup luksFormat $partition_path_1 &&
+info "Encrypting $partition_path_2..." &&
+cryptsetup luksFormat $partition_path_2 &&
+blkid | tail -2 &&
+cryptsetup luksOpen $partition_path_1 $mapper_name_1 &&
+cryptsetup luksOpen $partition_path_2 $mapper_name_2 &&
+cryptsetup status $mapper_path_1 &&
+cryptsetup status $mapper_path_2 &&
+mkfs.btrfs -L $label -m raid1 -d raid1 $mapper_path_1 $mapper_path_2 &&
+success "Encryption successfull :)" ||
+error
diff --git a/scripts/encryption/storage/single_drive/base.sh b/scripts/encryption/storage/single_drive/base.sh
new file mode 100644
index 0000000..9b74781
--- /dev/null
+++ b/scripts/encryption/storage/single_drive/base.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1)
diff --git a/scripts/encryption/storage/mount.sh b/scripts/encryption/storage/single_drive/mount.sh
similarity index 100%
rename from scripts/encryption/storage/mount.sh
rename to scripts/encryption/storage/single_drive/mount.sh
diff --git a/scripts/encryption/storage/single_drive/mount_on_boot.sh b/scripts/encryption/storage/single_drive/mount_on_boot.sh
new file mode 100644
index 0000000..1a39f2f
--- /dev/null
+++ b/scripts/encryption/storage/single_drive/mount_on_boot.sh
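Review bot: `$label` in `mkfs.btrfs -L $label -m raid1 -d raid1 $mapper_path_1 $mapper_path_2` is assigned nowhere in raid1/setup.sh or raid1/base.sh; unless set_device_mount_partition_and_mapper_paths in the parent base.sh (outside this patch) sets it, the empty unquoted expansion makes `-L` take `-m` as the label and pushes `raid1` into the device list. Assert it before the chain with `: "${label:?label must be set}"` and quote the expansions, `mkfs.btrfs -L "$label" -m raid1 -d raid1 "$mapper_path_1" "$mapper_path_2"`. The cryptsetup and mkfs.btrfs calls here also run without `sudo`, while create_luks_key_and_update_cryptab in base.sh prefixes every cryptsetup call with it; either add `sudo` consistently or state at the top that the script must be run as root. Since luksFormat irreversibly wipes whatever is on the partition, a cheap `[ -b "$partition_path_1" ] && [ -b "$partition_path_2" ] && [ "$partition_path_1" != "$partition_path_2" ] || error` before the first luksFormat would catch a mistyped or duplicated selection before it is too late.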
@@ -0,0 +1,11 @@
+#!/bin/bash
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+echo "Automount encrypted storages"
+echo
+set_device_mount_partition_and_mapper_paths
+
+create_luks_key_and_update_cryptab $mapper_name $partition_path
+
+update_fstab $mapper_path $mount_path
+
+success "Installation finished. Please restart :)"
diff --git a/scripts/encryption/storage/setup.sh b/scripts/encryption/storage/single_drive/setup.sh
similarity index 99%
rename from scripts/encryption/storage/setup.sh
rename to scripts/encryption/storage/single_drive/setup.sh
index fdd7b78..e79703e 100644
--- a/scripts/encryption/storage/setup.sh
+++ b/scripts/encryption/storage/single_drive/setup.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
 echo "Setups disk encryption"
diff --git a/scripts/encryption/storage/umount.sh b/scripts/encryption/storage/single_drive/umount.sh
similarity index 100%
rename from scripts/encryption/storage/umount.sh
rename to scripts/encryption/storage/single_drive/umount.sh