Initial version
parent
7204aa4527
commit
3e3c4a8adc
50
README.md
50
README.md
|
@ -1,2 +1,48 @@
|
|||
# usbcrypt
|
||||
[mkinitcpio] extention for encrypt hook
|
||||
# Usbcrypt
|
||||
|
||||
Usbcrypt add support for encrypted system with luks encrypted keyfile on external drive
|
||||
|
||||
### Prerequisities
|
||||
|
||||
[mkinitcpio](https://wiki.archlinux.org/index.php/Mkinitcpio#Installation)
|
||||
|
||||
### Installing
|
||||
|
||||
* On existing encrypt boot
|
||||
* sdX0 : key partition
|
||||
* sdY0 : luks drive
|
||||
|
||||
1. Create key on existing *small* partition
|
||||
```shell
|
||||
dd if=/dev/zero of=/dev/sdX0
|
||||
cryptsetup luksFormat /dev/sdX0
|
||||
cryptsetup open /dev/sdX0 key
|
||||
dd if=/dev/random of=/dev/mapper/key
|
||||
```
|
||||
|
||||
2. Add the key to LUKS
|
||||
```shell
|
||||
cryptsetup luksAddKey /dev/sdY0 /dev/mapper/key
|
||||
```
|
||||
|
||||
3. Install Usbcrypt
|
||||
```shell
|
||||
git clone https://github.com/sheychen290/usbcrypt.git
|
||||
cd usbcrypt
|
||||
cp install-usbcrypt /usr/lib/initcpio/install/usbcrypt
|
||||
cp hooks-usbcrypt /usr/lib/initcpio/hooks/usbcrypt
|
||||
```
|
||||
|
||||
4. Setup Usbcrypt
|
||||
* /etc/mkinitcpio.conf : Change encrypt hook to usbcrypt
|
||||
* mkinitcpio -P
|
||||
|
||||
5. Boot options
|
||||
```shell
|
||||
usbcryptdevice=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:key
|
||||
```
|
||||
|
||||
6. Remove old passphrase
|
||||
```shell
|
||||
cryptsetup luksRemoveKey /dev/sdY0
|
||||
```
|
||||
|
|
|
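--- /dev/null
+++ b/hooks-usbcrypt
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+run_hook() {
+my_power_off() {
+read -n 1 -s -p "Press any key to shutdown"
+poweroff -f
+}
+
+modprobe -a -q dm-crypt >/dev/null 2>&1
+[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+if [ -n "${usbcryptdevice}" ]; then
+DEPRECATED_CRYPT=0
+IFS=: read usbcryptdev usbcryptname usbcryptoptions <<EOF
+$usbcryptdevice
+EOF
+else
+DEPRECATED_CRYPT=1
+fi
+
+if [ -n "${cryptdevice}" ]; then
+IFS=: read cryptdev cryptname cryptoptions <<EOF
+$cryptdevice
+EOF
+else
+DEPRECATED_CRYPT=1
+fi
+
+if usbresolved=$(resolve_device "${usbcryptdev}" ${rootdelay}); then
+if cryptsetup isLuks ${usbresolved} >/dev/null 2>&1; then
+if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+err "Wrong boot option."
+my_power_off
+fi
+
+#loop until we get a real password
+while ! eval cryptsetup open --type luks ${usbresolved} ${usbcryptname} ${CSQUIET}; do
+sleep 2;
+done
+if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+if eval cryptsetup open --type luks ${resolved} ${cryptname} --key-file /dev/mapper/${usbcryptname} ${CSQUIET}; then
+cryptsetup close ${usbcryptname}
+else
+err "Wrong keyfile"
+my_power_off
+fi
+else
+err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume."
+my_power_off
+fi
+else
+err "Can't find ${cryptdev}."
+my_power_off
+fi
+else
+err "Failed to open encryption mapping: The device ${usbcryptdev} is not a LUKS volume."
+my_power_off
+fi
+else
+err "Can't find ${usbcryptdev}."
+my_power_off
+fi
+}
+
+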
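Review bot: `usbcryptoptions` and `cryptoptions` are split out of the boot parameters at the two `IFS=: read` lines but are never read again, so anything a user appends after the mapping name (the stock encrypt hook honours `discard`/`allow-discards` there) is silently dropped; either pass them through to the `cryptsetup open` calls or say in the help text that options are ignored. The two `eval cryptsetup open …` lines exist only so `${CSQUIET}` can carry a redirection, which re-parses the kernel-command-line-derived device and mapping names as shell; a small wrapper avoids that: `cs() { if [ "${quiet}" = "y" ]; then cryptsetup "$@" >/dev/null; else cryptsetup "$@"; fi; }` followed by `cs open --type luks "${usbresolved}" "${usbcryptname}"`. Both `read` calls should also take `-r` so a backslash in the name is not interpreted. This section carries no file header; from the README install step it appears to be `hooks-usbcrypt`, and `run_hook` lies entirely within the hunk.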
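--- /dev/null
+++ b/install-usbcrypt
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+build() {
+local mod
+
+add_module dm-crypt
+if [[ $CRYPTO_MODULES ]]; then
+for mod in $CRYPTO_MODULES; do
+add_module "$mod"
+done
+else
+add_all_modules '/crypto/'
+fi
+
+add_binary "cryptsetup"
+add_binary "dmsetup"
+add_file "/usr/lib/udev/rules.d/10-dm.rules"
+add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+add_runscript
+}
+
+help() {
+cat <<HELPEOF
+This hook allows for an encrypted root device.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et: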
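Review bot: `help()` still prints the stock encrypt-hook sentence and says nothing about the `usbcryptdevice=` parameter, which is the only thing that distinguishes this hook and is what a user running `mkinitcpio -H usbcrypt` will be looking for. Suggest replacing the heredoc body with a short description stating that the hook opens a LUKS keyfile device given by `usbcryptdevice=<device>:<name>`, then uses `/dev/mapper/<name>` as the key for the root device named by `cryptdevice=`, and that both parameters are required (the run hook powers off when either is missing). This section carries no file header; from the README install step it appears to be `install-usbcrypt`.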