diff options
author | root <root@rshg054.dnsready.net> | 2012-04-22 00:02:56 +0000 |
---|---|---|
committer | root <root@rshg054.dnsready.net> | 2012-04-22 00:02:56 +0000 |
commit | af1e6c210b43ea6b8e043524edccb1d0befd257f (patch) | |
tree | 39338a1d60483354554ee34df2afa262f8f201c0 /testing/cryptsetup | |
parent | 905dec08e7144fe77aad1161778a6c3b74ff305c (diff) |
Sun Apr 22 00:02:56 UTC 2012
Diffstat (limited to 'testing/cryptsetup')
-rw-r--r-- | testing/cryptsetup/PKGBUILD | 34 | ||||
-rw-r--r-- | testing/cryptsetup/encrypt_hook | 148 | ||||
-rw-r--r-- | testing/cryptsetup/encrypt_install | 26 |
3 files changed, 208 insertions, 0 deletions
diff --git a/testing/cryptsetup/PKGBUILD b/testing/cryptsetup/PKGBUILD new file mode 100644 index 000000000..5215a441d --- /dev/null +++ b/testing/cryptsetup/PKGBUILD @@ -0,0 +1,34 @@ +# $Id: PKGBUILD 156539 2012-04-20 18:28:42Z eric $ +# Maintainer: Thomas Bächler <thomas@archlinux.org> +pkgname=cryptsetup +pkgver=1.4.1 +pkgrel=3 +pkgdesc="Userspace setup tool for transparent encryption of block devices using dm-crypt" +arch=(i686 x86_64) +license=('GPL') +url="http://code.google.com/p/cryptsetup/" +groups=('base') +depends=('device-mapper>=2.02.85-2' 'libgcrypt' 'popt') +conflicts=('mkinitcpio<0.7') +options=('!libtool' '!emptydirs') +source=(http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2 + http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2.asc + encrypt_hook + encrypt_install) +sha256sums=('82b143328c2b427ef2b89fb76c701d311c95b54093c21bbf22342f7b393bddcb' + '71c6506d4b6d0b22b9b6c2a68e604959e4c072af04680ed6acc0126c97bdbc88' + '811bbea1337106ad811731c746d73ee81039bad00aef52398e3a377ad0766757' + 'ddbbdcb8eff93a3a7622ec633e90d5c0d68e3afbeaf942dc2309adab345047d4') +build() { + cd "${srcdir}"/$pkgname-${pkgver} + ./configure --prefix=/usr --disable-static --sbindir=/sbin + make +} + +package() { + cd "${srcdir}"/$pkgname-${pkgver} + make DESTDIR="${pkgdir}" install + # install hook + install -D -m644 "${srcdir}"/encrypt_hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt + install -D -m644 "${srcdir}"/encrypt_install "${pkgdir}"/usr/lib/initcpio/install/encrypt +} diff --git a/testing/cryptsetup/encrypt_hook b/testing/cryptsetup/encrypt_hook new file mode 100644 index 000000000..956b18023 --- /dev/null +++ b/testing/cryptsetup/encrypt_hook @@ -0,0 +1,148 @@ +# vim: set ft=sh: +# TODO this one needs some work to work with lots of different +# encryption schemes +run_hook () +{ + /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1 + if [ -e "/sys/class/misc/device-mapper" ]; then + if [ ! -e "/dev/mapper/control" ]; then + mkdir /dev/mapper + mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |') + fi + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" + + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ "x${cryptkey}" != "x" ]; then + ckdev="$(echo "${cryptkey}" | cut -d: -f1)" + ckarg1="$(echo "${cryptkey}" | cut -d: -f2)" + ckarg2="$(echo "${cryptkey}" | cut -d: -f3)" + if poll_device "${ckdev}" ${rootdelay}; then + case ${ckarg1} in + *[!0-9]*) + # Use a file on the device + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path + mkdir /ckey + mount -r -t ${ckarg1} ${ckdev} /ckey + dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1 + umount /ckey + ;; + *) + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1 + ;; + esac + fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi + + if [ -n "${cryptdevice}" ]; then + DEPRECATED_CRYPT=0 + cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)" + cryptname="$(echo "${cryptdevice}" | cut -d: -f2)" + cryptoptions="$(echo "${cryptdevice}" | cut -d: -f3)" + else + DEPRECATED_CRYPT=1 + cryptdev="${root}" + cryptname="root" + fi + + warn_deprecated() { + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." + } + + OLDIFS="${IFS}" + IFS="," + for cryptopt in ${cryptoptions}; do + case ${cryptopt} in + allow-discards) + echo "Enabling TRIM/discard support." + cryptargs="${cryptargs} --allow-discards" + ;; + *) + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + ;; + esac + done + IFS="${OLDIFS}" + + if poll_device "${cryptdev}" ${rootdelay}; then + if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; then + dopassphrase=0 + else + echo "Invalid keyfile. Reverting to passphrase." + fi + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" + + #loop until we get a real password + while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + elif [ -n "${crypto}" ]; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + msg "Non-LUKS encrypted device found..." + if [ $# -ne 5 ]; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="/sbin/cryptsetup create ${cryptname} ${cryptdev} ${cryptargs}" + tmp=$(echo "${crypto}" | cut -d: -f1) + [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\"" + tmp=$(echo "${crypto}" | cut -d: -f2) + [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\"" + tmp=$(echo "${crypto}" | cut -d: -f3) + [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\"" + tmp=$(echo "${crypto}" | cut -d: -f4) + [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\"" + tmp=$(echo "${crypto}" | cut -d: -f5) + [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\"" + if [ -f ${ckeyfile} ]; then + exe="${exe} --key-file ${ckeyfile}" + else + exe="${exe} --verify-passphrase" + echo "" + echo "A password is required to access the ${cryptname} volume:" + fi + eval "${exe} ${CSQUIET}" + + if [ $? -ne 0 ]; then + err "Non-LUKS device decryption failed. verify format: " + err " crypto=hash:cipher:keysize:offset:skip" + exit 1 + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + else + err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." + fi + fi + rm -f ${ckeyfile} + fi +} diff --git a/testing/cryptsetup/encrypt_install b/testing/cryptsetup/encrypt_install new file mode 100644 index 000000000..9ed50e863 --- /dev/null +++ b/testing/cryptsetup/encrypt_install @@ -0,0 +1,26 @@ +# vim: set ft=sh: + +build() +{ + if [ -z "${CRYPTO_MODULES}" ]; then + MODULES=" dm-crypt $(all_modules "/crypto/") " + else + MODULES=" dm-crypt ${CRYPTO_MODULES} " + fi + FILES="" + SCRIPT="encrypt" + [ -f "/sbin/cryptsetup" ] && add_binary "/sbin/cryptsetup" "/sbin/cryptsetup" + [ -f "/usr/sbin/cryptsetup" ] && add_binary "/usr/sbin/cryptsetup" "/sbin/cryptsetup" + add_binary "/sbin/dmsetup" + add_file "/usr/lib/udev/rules.d/10-dm.rules" + add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" + add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" + add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" +} + +help () +{ +cat<<HELPEOF + This hook allows for an encrypted root device. +HELPEOF +} |