2 LUKS_RCSID='$Revision$ $Date:: $'
4 # geninitrd mod: cryptsetup luks
5 USE_LUKS=${USE_LUKS:-yes}
7 # true if root device is crypted with cryptsetup luks
8 # and we should init cryptsetup luks at boot
11 # device to use for name for cryptsetup luks
14 # setup geninitrd module
17 cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)
19 if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then
24 # return true if node is cryptsetup luks encrypted
25 # @param string $node device node to be examined
31 if is_no "$USE_LUKS"; then
35 if [ ! -e "$node" ]; then
36 warn "is_luks(): node $node doesn't exist!"
40 local dev dm_status dm_name=${node#/dev/mapper/}
41 if [ "$node" = "$dm_name" ]; then
42 debug "is_luks: $node is not device mapper name"
46 dev=$(/sbin/cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
48 /sbin/cryptsetup isLuks $dev
51 # If luks partition was activated using old cryptsetup (at initrd level)
52 # then "device:" report could be missing from cryptsetup status above.
53 # Fallback to dmsetup report in such case.
54 dm_status=$(/sbin/dmsetup status --target crypt $dm_name 2>/dev/null)
55 if [ -n "$dm_status" ]; then
63 debug "is_luks: $node is cryptsetup luks"
65 debug "is_luks: $node is not cryptsetup luks"
70 # find modules for $devpath
71 # @param $devpath device to be examined
77 LUKSNAME=${devpath#/dev/mapper/}
79 find_module "dm-crypt"
86 dev=$(awk '$1 == "'"$LUKSNAME"'" { print $2 }' /etc/crypttab)
87 if [ -n "$dev" ] ; then
88 find_modules_for_devpath $dev
91 die "Cannot find '$LUKSNAME' in /etc/crypttab"
96 # generate initrd fragment for cryptsetup luks init
99 if ! is_yes "$have_luks"; then
104 inst_exec $cryptsetup /bin/cryptsetup
109 # TODO: 'udevadm settle' is called by lukssetup, is udev optional?
111 debug "luks: process /etc/crypttab $LUKSNAME"
112 luks_crypttab $LUKSNAME
118 [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
121 # produce cryptsetup from $name from /etc/crypttab
125 # copy from /etc/rc.d/init.d/cryptsetup
126 local dst src key opt mode owner
128 while read dst src key opt; do
129 [ "$dst" != "$LUKSNAME" ] && continue
131 if [ -n "$key" -a "x$key" != "xnone" ]; then
132 if test -e "$key" ; then
133 mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
134 owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
135 if [ "$mode" != "------" ] && ! key_is_random "$key"; then
136 die "INSECURE MODE FOR $key"
138 if [ "$owner" != root ]; then
139 die "INSECURE OWNER FOR $key"
142 die "Key file for $dst not found"
148 if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
149 if key_is_random "$key"; then
150 die "$dst: LUKS requires non-random key, skipping"
152 if [ -n "$opt" ]; then
153 warn "$dst: options are invalid for LUKS partitions, ignoring them"
156 keyfile=/etc/.$dst.key
160 debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
162 # cryptsetup can be called twice and in case on crypt on lvm only second
163 # will succeed because there will be no src device in first cryptsetup call
164 # this can be called multiple times, before lvm and after lvm.
166 if [ \${luksdev##/dev/disk/by-uuid/} != \${luksdev} ]; then
167 src_uuid=\${luksdev##/dev/disk/by-uuid/}
168 while read x y z name; do
169 found_uuid=\$(cryptsetup luksUUID /dev/\${name} 2>/dev/null)
170 if [ "\$found_uuid" = "\$src_uuid" ]; then
174 done < /proc/partitions
177 if [ -e "\$luksdev" ]; then
178 crypt_status=\$(cryptsetup status '$dst')
179 if [ "\${crypt_status%%is inactive.}" != "\$crypt_status" ]; then
181 cryptsetup ${keyfile:+-d $keyfile} luksOpen "\$luksdev" '$dst' <&1
188 die "$dst: only LUKS encryption supported"