diff --git a/README.md b/README.md
index 598d046..d687eed 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,48 @@
-# usbcrypt
-[mkinitcpio] extention for encrypt hook
+# Usbcrypt
+
+Usbcrypt add support for encrypted system with luks encrypted keyfile on external drive
+
+### Prerequisities
+
+[mkinitcpio](https://wiki.archlinux.org/index.php/Mkinitcpio#Installation)
+
+### Installing
+
+* On existing encrypt boot
+* sdX0 : key partition
+* sdY0 : luks drive
+
+1. Create key on existing *small* partition
+```shell
+dd if=/dev/zero of=/dev/sdX0
+cryptsetup luksFormat /dev/sdX0
+cryptsetup open /dev/sdX0 key
+dd if=/dev/random of=/dev/mapper/key
+```
+
+2. Add the key to LUKS
+```shell
+cryptsetup luksAddKey /dev/sdY0 /dev/mapper/key
+```
+
+3. Install Usbcrypt
+```shell
+git clone https://github.com/sheychen290/usbcrypt.git
+cd usbcrypt
+cp install-usbcrypt /usr/lib/initcpio/install/usbcrypt
+cp hooks-usbcrypt /usr/lib/initcpio/hooks/usbcrypt
+```
+
+4. Setup Usbcrypt
+* /etc/mkinitcpio.conf : Change encrypt hook to usbcrypt
+* mkinitcpio -P
+
+5. Boot options
+```shell
+usbcryptdevice=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:key
+```
+
+6. Remove old passphrase
+```shell
+cryptsetup luksRemoveKey /dev/sdY0
+```
diff --git a/hooks-usbcrypt b/hooks-usbcrypt
new file mode 100755
index 0000000..46390cd
--- /dev/null
+++ b/hooks-usbcrypt
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+run_hook() {
+ my_power_off() {
+ read -n 1 -s -p "Press any key to shutdown"
+ poweroff -f
+ }
+
+ modprobe -a -q dm-crypt >/dev/null 2>&1
+ [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+ if [ -n "${usbcryptdevice}" ]; then
+ DEPRECATED_CRYPT=0
+ IFS=: read usbcryptdev usbcryptname usbcryptoptions </dev/null 2>&1; then
+ if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+ err "Wrong boot option."
+ my_power_off
+ fi
+
+ #loop until we get a real password
+ while ! eval cryptsetup open --type luks ${usbresolved} ${usbcryptname} ${CSQUIET}; do
+ sleep 2;
+ done
+ if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+ if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+ if eval cryptsetup open --type luks ${resolved} ${cryptname} --key-file /dev/mapper/${usbcryptname} ${CSQUIET}; then
+ cryptsetup close ${usbcryptname}
+ else
+ err "Wrong keyfile"
+ my_power_off
+ fi
+ else
+ err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume."
+ my_power_off
+ fi
+ else
+ err "Can't find ${cryptdev}."
+ my_power_off
+ fi
+ else
+ err "Failed to open encryption mapping: The device ${usbcryptdev} is not a LUKS volume."
+ my_power_off
+ fi
+ else
+ err "Can't find ${usbcryptdev}."
+ my_power_off
+ fi
+}
+
+
diff --git a/install-usbcrypt b/install-usbcrypt
new file mode 100755
index 0000000..da84893
--- /dev/null
+++ b/install-usbcrypt
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ add_module dm-crypt
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules '/crypto/'
+ fi
+
+ add_binary "cryptsetup"
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ add_runscript
+}
+
+help() {
+ cat <
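Review bot: Both `eval cryptsetup open --type luks ${usbresolved} ${usbcryptname} ${CSQUIET}` (the passphrase loop) and the `--key-file /dev/mapper/${usbcryptname}` open below it pass values derived from the kernel command line through `eval` with every expansion unquoted, so a `usbcryptdevice=` value containing whitespace, globs or shell metacharacters is split and re-parsed as shell syntax instead of reaching cryptsetup as single arguments. The only thing forcing `eval` is the redirection string in `[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"`; a small wrapper that applies the redirection conditionally lets both calls quote their arguments and drop `eval`, as sketched below (the `CSQUIET` assignment then goes away). The hunk text between `IFS=: read usbcryptdev usbcryptname usbcryptoptions <` and `2>&1; then` appears to have been lost in extraction, so the lines that set `DEPRECATED_CRYPT=1` and resolve `${usbcryptdev}` into `${usbresolved}` cannot be reviewed here; that `read` should also take `-r` so backslashes in the boot parameter are not interpreted. `run_hook` itself is fully inside the hunk, but its middle is not legible.
```shell
    # Run cryptsetup, silencing stdout only when the kernel was booted quiet.
    cs_run() {
        if [ "${quiet}" = "y" ]; then
            cryptsetup "$@" >/dev/null
        else
            cryptsetup "$@"
        fi
    }
    # … unchanged: modprobe, usbcryptdevice parsing, DEPRECATED_CRYPT check …
            while ! cs_run open --type luks "${usbresolved}" "${usbcryptname}"; do
                sleep 2
            done
    # … unchanged: resolve_device / isLuks checks for ${cryptdev} …
                    if cs_run open --type luks "${resolved}" "${cryptname}" --key-file "/dev/mapper/${usbcryptname}"; then
```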