Implemented raid1 luks encrypted draft

scripts/encryption/storage/Readme.md

@@ -0,0 +1,2 @@
+# Storage
+For security reasons storages **SHOULD** be encrypted with [LUKS](https://de.wikipedia.org/wiki/Dm-crypt#Erweiterung_mit_LUKS). To keep it standardized and easy this scripts will use [btrfs](https://de.wikipedia.org/wiki/Btrfs) as file system.

scripts/encryption/storage/base.sh

@@ -8,7 +8,68 @@ set_device_mount_partition_and_mapper_paths(){
   mount_path="/media/$mapper_name" &&
   partition_path="$device_path""1" &&
   info "mapper name set to : $mapper_name" &&
-  info "mapper path set to : $mapper_path" ||
+  info "mapper path set to : $mapper_path" &&
   info "mount path set to : $mount_path" ||
   error
 }
+
+# @var $1 mapper_path
+# @var $2 partition_path
+create_luks_key_and_update_cryptab(){
+  LUKS_KEY_DIRECTORY="/etc/luks-keys/"  &&
+  info "Creating luks-key-directory..." &&
+  sudo mkdir $LUKS_KEY_DIRECTORY || warning "Directory exists: $LUKS_KEY_DIRECTORY" || error
+  luks_key_name="$1.keyfile" &&
+  secret_key_path="$LUKS_KEY_DIRECTORY$luks_key_name" &&
+  info "Generate secret key under: $secret_key_path" || error
+  if [ -f "$secret_key_path" ]
+    then
+      warning "File allready exist. Overwritting!"
+  fi
+  sudo dd if=/dev/urandom of=$secret_key_path bs=512 count=8 &&
+  sudo cryptsetup -v luksAddKey $2 $secret_key_path &&
+  info "Opening and closing device to verify that that everything works fine..." &&
+  sudo cryptsetup -v luksOpen $2 $1 --key-file=$secret_key_path &&
+  sudo cryptsetup -v luksClose $1 &&
+  info "Reading UUID..." &&
+  uuid_line=$(sudo cryptsetup luksDump $2 | grep "UUID") &&
+  uuid=$(echo "${uuid_line/UUID:/""}"|sed -e "s/[[:space:]]\+//g") &&
+  crypttab_path="/etc/crypttab" &&
+  crypttab_entry="$1 UUID=$uuid $secret_key_path luks" &&
+  info "Adding crypttab entry..." || error
+  if sudo grep -q "$crypttab_entry" "$crypttab_path";
+    then
+      warning "File $crypttab_path contains allready a the following entry:" &&
+      echo "$crypttab_entry" &&
+      info "Skipped." ||
+      error
+    else
+      sudo sh -c "echo '$crypttab_entry' >> $crypttab_path" ||
+      error
+  fi
+
+  info "The file $crypttab_path contains now the following:" &&
+  sudo cat $crypttab_path ||
+  error
+}
+
+# @var $1 mapper_name
+# @var $2 mount_path
+update_fstab(){
+  fstab_path="/etc/fstab"
+  fstab_entry="$1 $2 btrfs   defaults   0       2"
+  info "Adding fstab entry..."
+  if sudo grep -q "$fstab_entry" "$fstab_path"; then
+    warning "File $fstab_path contains allready a the following entry:" &&
+    echo "$fstab_entry" &&
+    info "Skipped." ||
+    error
+  else
+    sudo sh -c "echo '$fstab_entry' >> $fstab_path" ||
+    error
+  fi
+
+  info "The file $fstab_path contains now the following:" &&
+  sudo cat $fstab_path ||
+  error
+}

scripts/encryption/storage/mount_on_boot.sh

@@ -1,70 +0,0 @@
-#!/bin/bash
-source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
-echo "Automount encrypted storages"
-echo
-set_device_mount_partition_and_mapper_paths
-
-info "Creating key luks-key-directory..." &&
-key_directory="/etc/luks-keys/" &&
-sudo mkdir $key_directory || warning "Directory exists: $key_directory"
-luks_key_name="$mapper_name""_name_secret_key" &&
-secret_key_path="$key_directory$luks_key_name" &&
-info "Generate secret key under: $secret_key_path" &&
-if [ -f "$secret_key_path" ]
-  then
-    warning "File allready exist. Overwritting!"
-fi
-sudo dd if=/dev/urandom of=$secret_key_path bs=512 count=8 &&
-sudo cryptsetup -v luksAddKey $partition_path $secret_key_path ||
-error
-
-info "Opening and closing device to verify that that everything works fine..." &&
-sudo cryptsetup -v luksOpen $partition_path $mapper_name --key-file=$secret_key_path &&
-sudo cryptsetup -v luksClose $mapper_name ||
-error
-
-info "Reading UUID..."
-uuid_line=$(sudo cryptsetup luksDump $partition_path | grep "UUID") &&
-uuid=$(echo "${uuid_line/UUID:/""}"|sed -e "s/[[:space:]]\+//g") ||
-error
-
-crypttab_path="/etc/crypttab"
-crypttab_entry="$mapper_name UUID=$uuid $secret_key_path luks"
-info "Adding crypttab entry..."
-if sudo grep -q "$crypttab_entry" "$crypttab_path";
-  then
-    warning "File $crypttab_path contains allready a the following entry:" &&
-    echo "$crypttab_entry" &&
-    info "Skipped." ||
-    error
-  else
-    sudo sh -c "echo '$crypttab_entry' >> $crypttab_path" ||
-    error
-fi
-
-info "The file $crypttab_path contains now the following:" &&
-sudo cat $crypttab_path ||
-error
-
-# info "Verifying crypttab configuration..." &&
-# sudo cryptdisks_start $mapper_name ||
-# error
-
-fstab_path="/etc/fstab"
-fstab_entry="$mapper_path $mount_path btrfs   defaults   0       2"
-info "Adding fstab entry..."
-if sudo grep -q "$fstab_entry" "$fstab_path"; then
-  warning "File $crypttab_path contains allready a the following entry:" &&
-  echo "$fstab_entry" &&
-  info "Skipped." ||
-  error
-else
-  sudo sh -c "echo '$fstab_entry' >> $fstab_path" ||
-  error
-fi
-
-info "The file $fstab_path contains now the following:" &&
-sudo cat $fstab_path ||
-error
-
-success "Installation finished. Please restart :)"

scripts/encryption/storage/raid1/base.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1)
+set_raid1_devices_mount_partition_and_mapper_paths(){
+  info "RAID1 partition 1..." &&
+  set_device_mount_partition_and_mapper_paths &&
+  partition_path_1=$partition_path &&
+  mapper_name_1=$mapper_name &&
+  mapper_path_1=$mapper_path &&
+  mount_path_1=$mount_path &&
+  info "RAID1 partition 2..." &&
+  set_device_mount_partition_and_mapper_paths &&
+  partition_path_2=$partition_path &&
+  mapper_name_2=$mapper_name &&
+  mapper_path_2=$mapper_path &&
+  mount_path_2=$mount_path || error
+}

scripts/encryption/storage/raid1/mount_on_boot.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+info "Automount raid1 encrypted storages..."
+create_luks_key_and_update_cryptab $mapper_name_1 $partition_path_1
+create_luks_key_and_update_cryptab $mapper_name_2 $partition_path_2
+update_fstab $mapper_path_1 $mount_path_1
+success "Installation finished. Please restart :)"

scripts/encryption/storage/raid1/setup.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+# @author Kevin Veen-Birkenbach [kevin@veen.world]
+# @see https://balaskas.gr/btrfs/raid1.html
+# @see https://mutschler.eu/linux/install-guides/ubuntu-btrfs-raid1/
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+
+set_raid1_devices_mount_partition_and_mapper_paths
+
+info "Encrypting $partition_path_1..." &&
+cryptsetup luksFormat $partition_path_1 &&
+info "Encrypting $partition_path_2..." &&
+cryptsetup luksFormat $partition_path_2 &&
+blkid | tail -2 &&
+cryptsetup luksOpen $partition_path_1 $mapper_name_1 &&
+cryptsetup luksOpen $partition_path_2 $mapper_name_2 &&
+cryptsetup status $mapper_path_1 &&
+cryptsetup status $mapper_path_2 &&
+mkfs.btrfs -L $label -m raid1 -d raid1 $mapper_path_1 $mapper_path_2 &&
+success "Encryption successfull :)" ||
+error

scripts/encryption/storage/single_drive/base.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1)

scripts/encryption/storage/single_drive/mount_on_boot.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+echo "Automount encrypted storages"
+echo
+set_device_mount_partition_and_mapper_paths
+
+create_luks_key_and_update_cryptab $mapper_name $partition_path
+
+update_fstab $mapper_path $mount_path
+
+success "Installation finished. Please restart :)"

scripts/encryption/storage/single_drive/setup.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
 echo "Setups disk encryption"