3 # geninitrd mod: cryptsetup luks
# Default to LUKS handling enabled; set USE_LUKS=no in the environment
# (or config) to skip it — is_luks() checks this with is_no below.
4 USE_LUKS=${USE_LUKS:-yes}
6 # true if the root device is encrypted with cryptsetup luks
7 # and cryptsetup luks must therefore be initialised at boot
10 # device to use for the cryptsetup luks name
13 # setup geninitrd module
16 cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)
18 if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then
23 # return true if node is cryptsetup luks encrypted
24 # @param string $node device node to be examined
30 if is_no "$USE_LUKS"; then
34 if [ ! -e "$node" ]; then
35 warn "is_luks(): node $node doesn't exist!"
39 local dev dm_name=${node#/dev/mapper/}
40 if [ "$node" = "$dm_name" ]; then
41 debug "is_luks: $node is not device mapper name"
45 dev=$(/sbin/cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
46 /sbin/cryptsetup isLuks $dev
50 debug "is_luks: $node is cryptsetup luks"
52 debug "is_luks: $node is not cryptsetup luks"
57 # find modules for $devpath
58 # @param $devpath device to be examined
64 local name=${devpath#/dev/mapper/}
65 LUKSDEV=$(/sbin/cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
66 if [ -z "$LUKSDEV" ]; then
67 die "Lost cryptsetup device meanwhile?"
70 find_module "dm-crypt"
79 find_modules_for_devpath $LUKSDEV
83 # generate initrd fragment for cryptsetup luks init
87 inst_exec $cryptsetup /bin/cryptsetup
92 # TODO: 'udevadm settle' is called by lukssetup, is udev optional?
94 debug "luks: process /etc/crypttab $LUKSDEV"
95 luks_crypttab $LUKSDEV
101 [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
104 # produce the cryptsetup setup for $name from /etc/crypttab
108 # copied from /etc/rc.d/init.d/cryptsetup
109 local dst src key opt mode owner
111 while read dst src key opt; do
112 [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
113 [ "$src" != "$LUKSDEV" ] && continue
115 if [ -n "$key" -a "x$key" != "xnone" ]; then
116 if test -e "$key" ; then
117 mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
118 owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
119 if [ "$mode" != "------" ] && ! key_is_random "$key"; then
120 die "INSECURE MODE FOR $key"
122 if [ "$owner" != root ]; then
123 die "INSECURE OWNER FOR $key"
126 die "Key file for $dst not found"
132 if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
133 if key_is_random "$key"; then
134 die "$dst: LUKS requires non-random key, skipping"
136 if [ -n "$opt" ]; then
137 warn "$dst: options are invalid for LUKS partitions, ignoring them"
140 keyfile=/etc/.$dst.key
144 debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
146 cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
151 die "$dst: only LUKS encryption supported"