Remoteheader script.sh


#!/bin/sh
# original file name decryptkeydevice_script.sh
# modified for use for detached header by Marco Kühnel <kuehnel@codecivil.de>
## original header:
# original file name crypto-usb-key.sh
# heavily modified and adapted for "decryptkeydevice" by Franco
## original header :
# Part of passwordless cryptofs setup in Debian Etch.
# See: http://wejn.org/how-to-make-passwordless-cryptsetup.html
# Author: Wejn <wejn at box dot cz>
# Updated by Rodolfo Garcia (kix) <kix at kix dot com>
# For multiple partitions
# http://www.kix.es/
# Updated by TJ <linux@tjworld.net> 7 July 2008
# For use with Ubuntu Hardy, usplash, automatic detection of USB devices,
# detection and examination of *all* partitions on the device (not just partition #1),
# automatic detection of partition type, refactored, commented, debugging code.
# Updated by Hendrik van Antwerpen <hendrik at van-antwerpen dot net> 3 Sept 2008
# For encrypted key device support, also added stty support for not
# showing your password in console mode.
# define counter-intuitive shell logic values (based on /bin/true & /bin/false)
# NB. use FALSE only to *set* something to false, but don't test for
# equality, because a program might return any non-zero on error
# Updated by Dominique Bellenger <dev at domesdomain dot de>
# for usage with Ubuntu 10.04 Lucid Lynx
# - Removed non working USB device check
# - changed vol_id to blkid, changed sed expression
# - changed TRUE and FALSE to be 1 and 0
# - changed usplash usage to plymouth usage
# - removed possibility to read from an encrypted device (why would I want to do this? The script is unnecessary if I have to type in a password)
## original header END
# read configuration settings

# Site configuration. The file is sourced, i.e. executed as shell code with
# this script's privileges, so it must stay root-owned and not writable by
# anyone else. It is expected to set REMOTEHEADER_DISKID (list of
# /dev/disk/by-id names) plus the REMOTEHEADER_BLOCKSIZE / _SKIPBLOCKS /
# _READBLOCKS / _DEVICENAME_ENCRYPTED / _DEVICENAME_DECRYPTED values used
# further down; REMOTEHEADER_DISKID defaults to empty (no header search).
REMOTEHEADER_DISKID=""
if [ -f /etc/remoteheader/remoteheader.conf ]; then
  . /etc/remoteheader/remoteheader.conf
fi

# Truth values for the flag variables below (DEBUG, PLYMOUTH, STTY, OPENED).
# Flags are compared with -eq/-ne against TRUE; FALSE is only ever assigned.
TRUE=1
FALSE=0

# set DEBUG=$TRUE to display debug messages, DEBUG=$FALSE to be quiet
# DEBUG=$TRUE

# DEBUG: $TRUE makes dbg() print its messages, $FALSE keeps it quiet.
DEBUG=$FALSE
# PLYMOUTH: switched to $TRUE below once a running plymouth is detected.
PLYMOUTH=$FALSE

# test for plymouth and if plymouth is running

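# Detect a running plymouth splash. The existence test and the ping now use
# the same absolute path, so a sparse or odd PATH in the initramfs cannot make
# the two disagree (the original tested /bin/plymouth but pinged a
# PATH-resolved "plymouth").
if [ -x /bin/plymouth ] && /bin/plymouth --ping; then
  PLYMOUTH=$TRUE
fi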

# is stty available? default false

# stty support is off until the check below finds an implementation.
# STTYCMD is expanded unquoted where it is used, because it may be the
# two-word command "busybox stty"; "false" is a harmless no-op stand-in.
STTY=$FALSE
STTYCMD=false

# check for stty executable

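# Locate an stty implementation: prefer the standalone binary, otherwise probe
# the busybox applet by running it. The probe's exit status is used directly
# in the elif instead of the original's backtick subshell that echoed "$?".
if [ -x /bin/stty ]; then
  STTY=$TRUE
  STTYCMD=/bin/stty
elif busybox stty >/dev/null 2>&1; then
  STTY=$TRUE
  STTYCMD="busybox stty"
fi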

# print message to plymouth or stderr
# usage: msg "message" [switch]
# switch : switch used for echo to stderr (ignored for plymouth)
# when using plymouth the command will cause "message" to be
# printed according to the "plymouth message" definition.
# using the switch -n will allow echo to write multiple messages
# to the same line

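# Print a message via plymouth when it is running, otherwise to stderr.
# usage: msg "message"
# The message is split into lines and each line is emitted separately. It is
# passed through printf and quoted, so it is never word-split or glob-expanded:
# the original's unquoted "echo $1" collapsed newlines into spaces (so the
# per-line loop only ever saw one line) and would have expanded a '*' in the
# text. Further arguments are accepted but ignored (the stderr echo switch of
# the original is commented out).
msg () {
  if [ $# -gt 0 ]; then
    printf '%s\n' "$1" | while IFS= read -r LINE; do
      if [ "$PLYMOUTH" -eq "$TRUE" ]; then
        # NOTE(review): as in the original, plymouth gets the whole message
        # followed by the current line; for a one-line message that shows it
        # twice. Kept unchanged pending confirmation of the intended format.
        /bin/plymouth message --text="$1 $LINE"
      else
        # stderr keeps stdout free for whatever the caller captures
        printf '%s\n' "$LINE" >&2
      fi
    done
  fi
}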

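# Forward "$@" to msg() only while DEBUG is enabled; silent otherwise.
# usage: dbg "message"
# Operands are quoted so an empty DEBUG/TRUE cannot turn the test into a
# one-argument string test (unquoted "[ $DEBUG -eq $TRUE ]" with both empty
# evaluates "[ -eq ]", which is true).
dbg () {
  if [ "$DEBUG" -eq "$TRUE" ]; then
    msg "$@"
  fi
}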

# read password from console or with plymouth
# usage: readpass "prompt"

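# Read a password without echoing it. The password is written to stdout with
# no trailing newline (for capture with $(...)) and is also left in the global
# PASS, as before.
# usage: readpass "prompt"
# With plymouth running its own password dialog is used; otherwise the prompt
# goes to stderr and the password is read from /dev/console with echo turned
# off via stty (when found) and "read -s".
readpass () {
  # never emit a password left over from an earlier call
  PASS=""
  if [ $# -gt 0 ]; then
    if [ "$PLYMOUTH" -eq "$TRUE" ]; then
      PASS=$(/bin/plymouth ask-for-password --prompt="$1")
    else
      [ "$STTY" -ne "$TRUE" ] && msg "WARNING stty not found, password will be visible"
      # printf instead of "echo -n": the -n switch is not portable under /bin/sh
      printf '%s' "$1" >&2
      # STTYCMD is intentionally unquoted: it may be the two words "busybox stty".
      # NOTE(review): stty acts on the shell's stdin while the password is read
      # from /dev/console; whether both are the same terminal depends on how the
      # script is invoked — confirm for the initramfs case.
      $STTYCMD -echo
      read -s PASS </dev/console >/dev/null
      # end the invisible input line on the console
      [ "$STTY" -eq "$TRUE" ] && echo >&2
      $STTYCMD echo
    fi
  fi
  printf '%s' "$PASS"
}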

# flag tracking header availability

# OPENED: set to $TRUE once a configured header device has been found, and
# reset to $FALSE again further down if decrypting with that header fails.
OPENED=$FALSE

# remoteheader configured so try to find a header

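# Only a configured (non-empty) disk id list triggers the header search.
if [ -n "$REMOTEHEADER_DISKID" ]; then
  dbg "Checking devices for decryption header ..."
  # Load the USB storage driver unless /proc/modules already lists it.
  # grep -q on the file replaces the original "cat | grep >/dev/null" plus
  # the "0$?" status juggling; a missing /proc/modules still leads to a load.
  if ! busybox grep -q usb_storage /proc/modules; then
    dbg "Loading driver 'usb_storage'"
    modprobe usb_storage >/dev/null 2>&1
  fi
  # Same for the MMC/SD card stack.
  if ! busybox grep -q mmc /proc/modules; then
    dbg "Loading drivers for 'mmc'"
    modprobe mmc_core >/dev/null 2>&1
    modprobe ricoh_mmc >/dev/null 2>&1
    modprobe mmc_block >/dev/null 2>&1
    modprobe sdhci >/dev/null 2>&1
  fi

  # give the system time to settle and open the devices
  sleep 5

  # REMOTEHEADER_DISKID is a whitespace-separated list, so the expansion in the
  # for-loop is deliberately unquoted. The first id present under
  # /dev/disk/by-id wins; REMOTEHEADER_FILE ends up empty when none exists.
  REMOTEHEADER_FILE=""
  for REMOTEHEADER_ID in $REMOTEHEADER_DISKID; do
    REMOTEHEADER_FILE="/dev/disk/by-id/$REMOTEHEADER_ID"
    dbg "Trying $REMOTEHEADER_FILE ..."
    if [ -e "$REMOTEHEADER_FILE" ]; then
      dbg " found $REMOTEHEADER_FILE ..."
      OPENED=$TRUE
      break
    fi
    REMOTEHEADER_FILE=""
  done
fi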

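# A header device was found: copy the detached LUKS header, open the volume
# with it, activate LVM, and always discard the copy afterwards.
if [ "$OPENED" -eq "$TRUE" ]; then
  dbg "Copying header"
  # Remove any stale copy first so the umask below applies to a fresh file.
  rm -f /etc/remoteheader/header 2>/dev/null
  # All of these come from remoteheader.conf; an unset one would otherwise
  # show up only as a silent dd failure (its stderr is discarded) or as a
  # misparsed cryptsetup command line.
  if [ -z "$REMOTEHEADER_BLOCKSIZE" ] || [ -z "$REMOTEHEADER_SKIPBLOCKS" ] \
     || [ -z "$REMOTEHEADER_READBLOCKS" ] \
     || [ -z "$REMOTEHEADER_DEVICENAME_ENCRYPTED" ] \
     || [ -z "$REMOTEHEADER_DEVICENAME_DECRYPTED" ]; then
    msg "FAILED: incomplete /etc/remoteheader/remoteheader.conf ..."
    OPENED=$FALSE
  else
    # The header copy is created with umask 077 (in a subshell so the umask
    # does not leak) because a LUKS header carries the key slots; every
    # variable is quoted so a value with spaces cannot become extra arguments.
    ( umask 077 && /bin/dd if="$REMOTEHEADER_FILE" of=/etc/remoteheader/header \
        bs="$REMOTEHEADER_BLOCKSIZE" skip="$REMOTEHEADER_SKIPBLOCKS" \
        count="$REMOTEHEADER_READBLOCKS" 2>/dev/null ) \
      && /sbin/cryptsetup luksOpen "$REMOTEHEADER_DEVICENAME_ENCRYPTED" \
        --header /etc/remoteheader/header "$REMOTEHEADER_DEVICENAME_DECRYPTED" \
      && /sbin/vgchange -ay
    # $? is the status of the whole && chain: the first failing step
    if [ $? -eq 0 ]; then
      dbg "Opened devices."
    else
      msg "FAILED to decrypt using '$REMOTEHEADER_FILE' ..."
      OPENED=$FALSE
    fi
  fi
  # remove header independent of success:
  # at kernel upgrade the script will be executed with failure to open
  # luks device (already opened) and you don't want to leave the header
  # on permanent storage
  rm -f /etc/remoteheader/header 2>/dev/null
fi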