3 # geninitrd mod: cryptsetup luks
4 USE_LUKS=${USE_LUKS:-yes}
6 # true if the root device is encrypted with cryptsetup luks
7 # and we should init cryptsetup luks at boot
10 # device to use for name for cryptsetup luks
13 # setup geninitrd module
16 cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)
18 if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then
23 # return true if node is cryptsetup luks encrypted
24 # @param string $node device node to be examined
30 if is_no "$USE_LUKS"; then
34 if [ ! -e "$node" ]; then
35 warn "is_luks(): node $node doesn't exist!"
39 local dev dm_name=${node#/dev/mapper/}
40 if [ "$node" = "$dm_name" ]; then
41 debug "is_luks: $node is not device mapper name"
45 dev=$(/sbin/cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
47 /sbin/cryptsetup isLuks $dev
54 debug "is_luks: $node is cryptsetup luks"
56 debug "is_luks: $node is not cryptsetup luks"
61 # find modules for $devpath
62 # @param $devpath device to be examined
68 local name=${devpath#/dev/mapper/}
69 LUKSDEV=$(/sbin/cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
70 if [ -z "$LUKSDEV" ]; then
71 die "Lost cryptsetup device meanwhile?"
74 find_module "dm-crypt"
83 find_modules_for_devpath $LUKSDEV
87 # generate initrd fragment for cryptsetup luks init
90 if ! is_yes "$have_luks"; then
95 inst_exec $cryptsetup /bin/cryptsetup
100 # TODO: 'udevadm settle' is called by lukssetup, is udev optional?
102 debug "luks: process /etc/crypttab $LUKSDEV"
103 luks_crypttab $LUKSDEV
109 [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
112 # produce the cryptsetup initrd fragment for $name from /etc/crypttab
116 # copied from /etc/rc.d/init.d/cryptsetup
117 local dst src key opt mode owner
119 while read dst src key opt; do
120 [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
121 [ "$src" != "$LUKSDEV" ] && continue
123 if [ -n "$key" -a "x$key" != "xnone" ]; then
124 if test -e "$key" ; then
125 mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
126 owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
127 if [ "$mode" != "------" ] && ! key_is_random "$key"; then
128 die "INSECURE MODE FOR $key"
130 if [ "$owner" != root ]; then
131 die "INSECURE OWNER FOR $key"
134 die "Key file for $dst not found"
140 if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
141 if key_is_random "$key"; then
142 die "$dst: LUKS requires non-random key, skipping"
144 if [ -n "$opt" ]; then
145 warn "$dst: options are invalid for LUKS partitions, ignoring them"
148 keyfile=/etc/.$dst.key
152 debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
154 # cryptsetup can be called twice and in case on crypt on lvm only second
155 # will succeed because there will be no src device in first cryptsetup call
156 # this can be called multiple times, before lvm and after lvm.
157 if [ -e "$src" ]; then
158 crypt_status=\$(cryptsetup status '$dst')
159 if [ "\${crypt_status%%is inactive.}" != "\$crypt_status" ]; then
161 cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
168 die "$dst: only LUKS encryption supported"