2 # geninitrd mod: cryptsetup luks
3 USE_LUKS=${USE_LUKS:-yes}
5 # true if root device is crypted with cryptsetup luks
6 # and we should init cryptsetup luks at boot
9 # device to use for name for cryptsetup luks
12 # setup geninitrd module
15 cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)
17 if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then
22 # return true if node is cryptsetup luks encrypted
23 # @param string $node device node to be examined
29 if is_no "$USE_LUKS"; then
33 local dev dm_name=${node#/dev/mapper/}
34 if [ "$node" = "$dm_name" ]; then
35 verbose "is_luks: $node is not device mapper name"
39 dev=$(awk -vdm_name="$dm_name" '$1 == dm_name { print $2 }' /etc/crypttab)
41 /sbin/cryptsetup isLuks $dev
48 verbose "is_luks: $node is cryptsetup luks"
50 verbose "is_luks: $node is not cryptsetup luks"
55 # find modules for $devpath
56 # @param $devpath device to be examined
62 LUKSNAME=${devpath#/dev/mapper/}
64 find_module "dm-crypt"
71 dev=$(awk -vLUKSNAME="$LUKSNAME" '$1 == LUKSNAME { print $2 }' /etc/crypttab)
72 if [ -n "$dev" ]; then
73 find_modules_for_devpath $dev
76 die "Cannot find '$LUKSNAME' in /etc/crypttab"
81 # generate initrd fragment for cryptsetup luks init
84 if ! is_yes "$have_luks"; then
89 inst_exec $cryptsetup /bin/cryptsetup
94 # TODO: 'udevadm settle' is called by lukssetup, is udev optional?
96 verbose "luks: process /etc/crypttab $LUKSNAME"
97 luks_crypttab $LUKSNAME
103 [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
106 # produce cryptsetup from $name from /etc/crypttab
110 # copy from /etc/rc.d/init.d/cryptsetup
111 local dst src key opt mode owner
113 while read dst src key opt; do
114 [ "$dst" != "$LUKSNAME" ] && continue
116 if [ -n "$key" -a "x$key" != "xnone" ]; then
117 if test -e "$key" ; then
118 mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
119 owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
120 if [ "$mode" != "------" ] && ! key_is_random "$key"; then
121 die "INSECURE MODE FOR $key"
123 if [ "$owner" != root ]; then
124 die "INSECURE OWNER FOR $key"
127 die "Key file for $dst not found"
133 if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
134 if key_is_random "$key"; then
135 die "$dst: LUKS requires non-random key, skipping"
138 keyfile=/etc/.$dst.key
145 for option in $opt; do
147 discard|allow-discards)
148 crypttab_opt="$crypttab_opt --allow-discards"
151 warn "$dst: option \'$opt\' is invalid for LUKS partitions, ignored"
157 verbose "+ cryptsetup ${keyfile:+-d $keyfile} open --type luks $crypttab_opt '$src' '$dst'"
162 if [ "\$DEBUGINITRD" ]; then
163 cryptsetup_opt="--debug"
165 # cryptsetup can be called twice and in case on crypt on lvm only second
166 # will succeed because there will be no src device in first cryptsetup call
167 # this can be called multiple times, before lvm and after lvm.
169 if [ \${luksdev##/dev/disk/by-uuid/} != \${luksdev} ]; then
170 src_uuid=\${luksdev##/dev/disk/by-uuid/}
171 while read x y z name; do
172 found_uuid=\$(cryptsetup \$cryptsetup_opt luksUUID /dev/\${name} 2>/dev/null)
173 if [ "\$found_uuid" = "\$src_uuid" ]; then
177 done < /proc/partitions
180 if [ -e "\$luksdev" ]; then
181 crypt_status=\$(cryptsetup \$cryptsetup_opt status '$dst')
182 if [ "\${crypt_status%%is inactive.}" != "\$crypt_status" ]; then
184 cryptsetup \$cryptsetup_opt ${keyfile:+-d $keyfile} open --type luks $crypttab_opt "\$luksdev" '$dst' <&1
191 die "$dst: only LUKS encryption supported"