Remoteheader script.sh

#!/bin/sh
## original file name decryptkeydevice_script.sh
## modified for use for detached header by Marco Kühnel <kuehnel@codecivil.de>
##
#### original header:
# original file name crypto-usb-key.sh
# heavily modified and adapted for "decryptkeydevice" by Franco
#
### original header :
#
# Part of passwordless cryptofs setup in Debian Etch.
# See: http://wejn.org/how-to-make-passwordless-cryptsetup.html
# Author: Wejn <wejn at box dot cz>
#
# Updated by Rodolfo Garcia (kix) <kix at kix dot com>
# For multiple partitions
# http://www.kix.es/
#
# Updated by TJ <linux@tjworld.net> 7 July 2008
# For use with Ubuntu Hardy, usplash, automatic detection of USB devices,
# detection and examination of *all* partitions on the device (not just partition #1), 
# automatic detection of partition type, refactored, commented, debugging code.
#
# Updated by Hendrik van Antwerpen <hendrik at van-antwerpen dot net> 3 Sept 2008
# For encrypted key device support, also added stty support for not
# showing your password in console mode.

# TRUE/FALSE below are plain integers (TRUE=1, FALSE=0, see the Lucid update
# notes further down) and are compared with -eq; they are NOT the exit codes
# of /bin/true (0) and /bin/false (1) that earlier versions of this script used.
# NB. use FALSE only to *set* something to false, but don't test for
# equality, because a program might return any non-zero on error

# Updated by Dominique Bellenger <dev at domesdomain dot de>
# for usage with Ubuntu 10.04 Lucid Lynx
# - Removed non working USB device check
# - changed vol_id to blkid, changed sed expression
# - changed TRUE and FALSE to be 1 and 0
# - changed usplash usage to plymouth usage
# - removed possibility to read from an encrypted device (why would I want to do this? The script is unnecessary if I have to type in a password)
#
### original header END

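# read configuration settings
#
# Every key this script consumes is initialised to the empty string before the
# config file is sourced, so that only /etc/remoteheader/remoteheader.conf can
# supply it: a value inherited from the caller's environment must not be able
# to choose the header device or the dd offsets. The file is executed as shell
# code (".") — keep it root-owned and not writable by anyone else.
REMOTEHEADER_DISKID=""
REMOTEHEADER_BLOCKSIZE=""
REMOTEHEADER_SKIPBLOCKS=""
REMOTEHEADER_READBLOCKS=""
REMOTEHEADER_DEVICENAME_ENCRYPTED=""
REMOTEHEADER_DEVICENAME_DECRYPTED=""
if [ -f /etc/remoteheader/remoteheader.conf ] ; then
	. /etc/remoteheader/remoteheader.conf
fi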

# shell truth values: 1 is true, 0 is false, always compared with -eq
TRUE=1
FALSE=0

# DEBUG=$TRUE shows the dbg() messages, DEBUG=$FALSE keeps boot output quiet
DEBUG=$FALSE

# prompts/messages go through plymouth only when the binary is present and a
# plymouth daemon actually answers the ping
PLYMOUTH=$FALSE
[ -x /bin/plymouth ] && plymouth --ping && PLYMOUTH=$TRUE

# locate an stty implementation for hiding typed passwords; STTYCMD defaults
# to "false" so that "$STTYCMD -echo" is a harmless no-op when none exists
STTY=$FALSE
STTYCMD=false
if [ -x /bin/stty ]; then
	STTY=$TRUE
	STTYCMD=/bin/stty
elif busybox stty >/dev/null 2>&1; then
	# busybox applet; note this probe needs stdin to be a terminal
	STTY=$TRUE
	STTYCMD="busybox stty"
fi

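# print message to plymouth or stderr
# usage: msg "message"
# Only the first argument is printed (further arguments are ignored). It may
# contain embedded newlines; each line is emitted separately. Output goes to
# stderr (or plymouth), never stdout, so stdout stays free for the value
# readpass() returns.
msg ()
{
	if [ $# -gt 0 ]; then
		# printf + IFS= read -r keeps the text intact: the old unquoted
		# "echo $1" word-split the message, which collapsed a multi-line
		# message onto one line and swallowed a message like "-n"
		printf '%s\n' "$1" | while IFS= read -r LINE; do
			if [ "$PLYMOUTH" -eq "$TRUE" ]; then
				# one plymouth message per line (previously the whole text
				# was prefixed to each line, duplicating single-line messages)
				/bin/plymouth message --text="$LINE"
			else
				# use stderr for all messages
				printf '%s\n' "$LINE" >&2
			fi
		done
	fi
}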

# debug-only wrapper around msg: prints nothing unless DEBUG=$TRUE
# usage: dbg "message"
dbg ()
{
	if [ "$DEBUG" -ne "$TRUE" ]; then
		return 0
	fi
	msg "$@"
}

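# read password from console or with plymouth
# usage: readpass "prompt"
# The password is returned on stdout and nothing else may be written there;
# the prompt and warnings go to stderr. Note: nothing in this script calls
# readpass — luksOpen below prompts for the passphrase itself — it is kept
# from the original keyscript for callers that want it.
readpass ()
{
	PASS=""
	if [ $# -gt 0 ]; then
		if [ "$PLYMOUTH" -eq "$TRUE" ]; then
			PASS=$(/bin/plymouth ask-for-password --prompt="$1")
		else
			[ "$STTY" -ne "$TRUE" ] && msg "WARNING stty not found, password will be visible"
			printf '%s' "$1" >&2
			# STTYCMD is deliberately unquoted: it may be "busybox stty"
			$STTYCMD -echo
			# -r: a backslash in the password must reach the caller unchanged.
			# -s is not POSIX; the stty -echo above covers shells without it.
			read -r -s PASS </dev/console >/dev/null
			[ "$STTY" -eq "$TRUE" ] && echo >&2
			$STTYCMD echo
		fi
	fi
	# printf, not "echo -n": a password such as "-e" or "-n" would otherwise
	# be consumed by echo as an option and never reach the caller
	printf '%s' "$PASS"
	# do not keep the secret in the shell environment longer than needed
	unset PASS
}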

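# flag tracking header availability
OPENED=$FALSE

# remoteheader configured so try to find a header
if [ -n "$REMOTEHEADER_DISKID" ]; then
	dbg "Checking devices for decryption header ..."
	# make sure the USB mass-storage driver is loaded (a missing busybox or
	# a grep failure also lands here, which only costs a redundant modprobe)
	if ! busybox grep -q usb_storage /proc/modules 2>/dev/null; then
		dbg "Loading driver 'usb_storage'"
		modprobe usb_storage >/dev/null 2>&1
	fi
	# same for SD/MMC card readers
	if ! busybox grep -q mmc /proc/modules 2>/dev/null; then
		dbg "Loading drivers for 'mmc'"
		modprobe mmc_core >/dev/null 2>&1
		modprobe ricoh_mmc >/dev/null 2>&1
		modprobe mmc_block >/dev/null 2>&1
		modprobe sdhci >/dev/null 2>&1
	fi

	# give the system time to settle and open the devices
	sleep 5

	# REMOTEHEADER_DISKID is a whitespace-separated list of names under
	# /dev/disk/by-id (word-splitting intended); the first one present wins.
	# NOTE(security): a matching by-id name only identifies the device, it
	# does not authenticate it — the header copied from it still has to be
	# unlocked with the LUKS passphrase by luksOpen below.
	REMOTEHEADER_FILE=""
	for REMOTEHEADER_ID in $REMOTEHEADER_DISKID ; do
		CANDIDATE="/dev/disk/by-id/$REMOTEHEADER_ID"
		dbg "Trying $CANDIDATE ..."
		if [ -e "$CANDIDATE" ] ; then
			dbg " found $CANDIDATE ..."
			REMOTEHEADER_FILE="$CANDIDATE"
			OPENED=$TRUE
			break
		fi
	done
fi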

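if [ "$OPENED" -eq "$TRUE" ]; then
	HEADER_COPY=/etc/remoteheader/header
	if [ -z "$REMOTEHEADER_BLOCKSIZE" ] || [ -z "$REMOTEHEADER_SKIPBLOCKS" ] || \
	   [ -z "$REMOTEHEADER_READBLOCKS" ] || [ -z "$REMOTEHEADER_DEVICENAME_ENCRYPTED" ] || \
	   [ -z "$REMOTEHEADER_DEVICENAME_DECRYPTED" ]; then
		# without these, dd/cryptsetup fail with an opaque error that the
		# code below would report as a failed decryption
		msg "remoteheader.conf is incomplete (blocksize/skip/count/device names) ..."
		OPENED=$FALSE
	else
		dbg "Copying header"
		# The LUKS header holds the (passphrase-protected) key slots, so the
		# copy is created mode 0600: dd honours the umask, and the default
		# umask would leave it world-readable until it is removed below.
		( umask 077 && /bin/dd if="$REMOTEHEADER_FILE" of="$HEADER_COPY" bs="$REMOTEHEADER_BLOCKSIZE" skip="$REMOTEHEADER_SKIPBLOCKS" count="$REMOTEHEADER_READBLOCKS" 2>/dev/null ) &&
		/sbin/cryptsetup luksOpen "$REMOTEHEADER_DEVICENAME_ENCRYPTED" --header "$HEADER_COPY" "$REMOTEHEADER_DEVICENAME_DECRYPTED" &&
		/sbin/vgchange -ay
		if [ $? -eq 0 ] ; then
			dbg "Opened devices."
		else
			# any step of the chain failing (copy, luksOpen, vgchange) ends here
			msg "FAILED to decrypt using '$REMOTEHEADER_FILE' ..."
			OPENED=$FALSE
		fi
	fi
	# remove header independent of success:
	# at kernel upgrade the script will be executed with failure to open
	# luks device (already opened) and you don't want to leave the header
	# on permanent storage. rm only unlinks the name — if /etc lives on a
	# real disk the blocks remain recoverable until overwritten, so this is
	# not a secure erase.
	rm -f "$HEADER_COPY" 2>/dev/null
fi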