Initial version

sheychen 2017-03-26 21:53:30 +02:00
parent 7204aa4527
commit 3e3c4a8adc
3 changed files with 145 additions and 2 deletions


@ -1,2 +1,48 @@
# usbcrypt
[mkinitcpio] extention for encrypt hook
# Usbcrypt
Usbcrypt add support for encrypted system with luks encrypted keyfile on external drive
### Prerequisities
[mkinitcpio](https://wiki.archlinux.org/index.php/Mkinitcpio#Installation)
### Installing
* On existing encrypt boot
* sdX0 : key partition
* sdY0 : luks drive
1. Create key on existing *small* partition
```shell
dd if=/dev/zero of=/dev/sdX0
cryptsetup luksFormat /dev/sdX0
cryptsetup open /dev/sdX0 key
dd if=/dev/random of=/dev/mapper/key
```
2. Add the key to LUKS
```shell
cryptsetup luksAddKey /dev/sdY0 /dev/mapper/key
```
3. Install Usbcrypt
```shell
git clone https://github.com/sheychen290/usbcrypt.git
cd usbcrypt
cp install-usbcrypt /usr/lib/initcpio/install/usbcrypt
cp hooks-usbcrypt /usr/lib/initcpio/hooks/usbcrypt
```
4. Setup Usbcrypt
* /etc/mkinitcpio.conf : Change encrypt hook to usbcrypt
* mkinitcpio -P
5. Boot options
```shell
usbcryptdevice=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:key
```
6. Remove old passphrase
```shell
cryptsetup luksRemoveKey /dev/sdY0
```

66
hooks-usbcrypt Executable file

@ -0,0 +1,66 @@
#!/bin/bash
run_hook() {
my_power_off() {
read -n 1 -s -p "Press any key to shutdown"
poweroff -f
}
modprobe -a -q dm-crypt >/dev/null 2>&1
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
if [ -n "${usbcryptdevice}" ]; then
DEPRECATED_CRYPT=0
IFS=: read usbcryptdev usbcryptname usbcryptoptions <<EOF
$usbcryptdevice
EOF
else
DEPRECATED_CRYPT=1
fi
if [ -n "${cryptdevice}" ]; then
IFS=: read cryptdev cryptname cryptoptions <<EOF
$cryptdevice
EOF
else
DEPRECATED_CRYPT=1
fi
if usbresolved=$(resolve_device "${usbcryptdev}" ${rootdelay}); then
if cryptsetup isLuks ${usbresolved} >/dev/null 2>&1; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
err "Wrong boot option."
my_power_off
fi
#loop until we get a real password
while ! eval cryptsetup open --type luks ${usbresolved} ${usbcryptname} ${CSQUIET}; do
sleep 2;
done
if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
if eval cryptsetup open --type luks ${resolved} ${cryptname} --key-file /dev/mapper/${usbcryptname} ${CSQUIET}; then
cryptsetup close ${usbcryptname}
else
err "Wrong keyfile"
my_power_off
fi
else
err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume."
my_power_off
fi
else
err "Can't find ${cryptdev}."
my_power_off
fi
else
err "Failed to open encryption mapping: The device ${usbcryptdev} is not a LUKS volume."
my_power_off
fi
else
err "Can't find ${usbcryptdev}."
my_power_off
fi
}
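Review bot: The `Wrong boot option.` check on `DEPRECATED_CRYPT` is only reached after `resolve_device "${usbcryptdev}"` succeeds, so when `usbcryptdevice=` is missing from the kernel command line the user instead sees `Can't find .` from the outer else branch; move the check ahead of the first `resolve_device` call, e.g. `[ "${DEPRECATED_CRYPT}" -eq 1 ] && { err "Wrong boot option."; my_power_off; }`. The `usbcryptoptions` and `cryptoptions` fields split out of the two boot parameters are never passed to `cryptsetup`, so any options given there are silently dropped — either forward them or document that only `device:name` is honoured. The two `eval cryptsetup open …` lines exist only so that `${CSQUIET}` becomes a redirection; a plain `>/dev/null` applied when `[ "${quiet}" = "y" ]` would avoid re-parsing the device path and mapping name as shell code, and the `${usbresolved}`, `${resolved}`, `${usbcryptname}` and `${cryptname}` expansions should be quoted.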

31
install-usbcrypt Executable file

@ -0,0 +1,31 @@
#!/bin/bash
build() {
local mod
add_module dm-crypt
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules '/crypto/'
fi
add_binary "cryptsetup"
add_binary "dmsetup"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
add_runscript
}
help() {
cat <<HELPEOF
This hook allows for an encrypted root device.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et:
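Review bot: The `help()` text `This hook allows for an encrypted root device.` is what `mkinitcpio -H usbcrypt` prints, and it does not mention the extra `usbcryptdevice=` parameter or that `cryptdevice=` must still be given, so a user reading the help cannot tell this hook apart from `encrypt`. I would extend it to something like `Users should specify the LUKS-encrypted keyfile partition as 'usbcryptdevice=device:dmname' and the root device as 'cryptdevice=device:dmname' on the kernel command line; the keyfile partition is opened with a passphrase first and its plaintext contents are then used as the key for cryptdevice.` It would also help to state which hook this one must follow (presumably `block`, so the external drive's device node exists) — confirm against the `/etc/mkinitcpio.conf` ordering the README expects.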