forked from fuhry/initramfs-scencrypt
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathscencrypt-install
75 lines (62 loc) · 2.56 KB
/
scencrypt-install
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/bin/bash
build() {
local mod
add_module dm-crypt
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules '/crypto/'
fi
if [ -d /etc/initcpio/gpg ]; then
rm -rf /etc/initcpio/gpg
fi
mkdir -p /etc/initcpio/gpg
chmod 0700 /etc/initcpio/gpg
echo "pinentry-program /usr/bin/pinentry-tty" > /etc/initcpio/gpg/gpg-agent.conf
add_binary "cryptsetup"
add_binary "dmsetup"
add_binary "gpg"
add_binary "gpg-agent"
add_binary "pinentry-tty"
add_binary "pcscd"
add_binary "/usr/lib/gnupg/scdaemon"
add_file "/etc/initcpio/gpg/gpg-agent.conf"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
add_file "/etc/crypttab"
sed -re 's;#.*$;;g' -e '/^[ \t]*$/ d' /etc/crypttab | awk '{print $3;}' | \
while read f; do
if [ "${f:0:1}" = "/" -a -f "$f" ]; then
add_file "$f"
keyid=($(file $f | egrep -o '[A-F0-9]{8}' | sed -re 's;([0-9A-F]{2});\1 ;g'))
keyid=${keyid[3]}${keyid[2]}${keyid[1]}${keyid[0]}${keyid[7]}${keyid[6]}${keyid[5]}${keyid[4]}
gpg --homedir /root/.gnupg --export-secret-keys 0x${keyid} | gpg --homedir /etc/initcpio/gpg --import
fi
done
add_file "/etc/initcpio/gpg/pubring.kbx"
#for f in /root/.gnupg/private-keys-v1.d/*.key; do
# add_file "$f" "/etc/initcpio/gpg/${f#/root/.gnupg/}"
#done
add_runscript
}
help() {
cat <<HELPEOF
This hook allows for an encrypted root device. Users should specify the device
to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
where 'device' is the path to the raw device, and 'dmname' is the name given to
the device after unlocking, and will be available as /dev/mapper/dmname.
For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
the kernel cmdline, where 'device' represents the raw block device where the key
exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
the absolute path of the keyfile within the device.
Without specifying a keyfile, you will be prompted for the password at runtime.
This means you must have a keyboard available to input it, and you may need
the keymap hook as well to ensure that the keyboard is using the layout you
expect.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et: