2 LUKS_RCSID='$Revision$ $Date:: $'
4 # geninitrd mod: cryptsetup luks (set USE_LUKS=no to disable LUKS detection; is_luks() checks it first)
5 USE_LUKS=${USE_LUKS:-yes}
7 # true if the root device is encrypted with cryptsetup LUKS
8 # and cryptsetup LUKS must be initialised at boot
11 # device to use as the name for cryptsetup luks
14 # setup geninitrd module
17 cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)
19 if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then
24 # return true if node is a device-mapper node backed by cryptsetup LUKS
25 # @param string $node device node to be examined (expected as /dev/mapper/<name>;
# any other path is reported as "not device mapper name"). Bails out early when USE_LUKS=no or $node does not exist.
31 if is_no "$USE_LUKS"; then
35 if [ ! -e "$node" ]; then
36 warn "is_luks(): node $node doesn't exist!"
40 local dev dm_status dm_name=${node#/dev/mapper/}
41 if [ "$node" = "$dm_name" ]; then
42 debug "is_luks: $node is not device mapper name"
46 dev=$(/sbin/cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
48 /sbin/cryptsetup isLuks $dev
51 # If the LUKS volume was activated by an old cryptsetup (at initrd level),
52 # the "device:" line may be missing from the cryptsetup status output above.
53 # Fall back to the dmsetup crypt-target report in that case.
54 dm_status=$(/sbin/dmsetup status --target crypt $dm_name 2>/dev/null)
55 if [ -n "$dm_status" ]; then
63 debug "is_luks: $node is cryptsetup luks"
65 debug "is_luks: $node is not cryptsetup luks"
70 # find kernel modules needed for $devpath (a /dev/mapper LUKS node):
71 # @param $devpath device to be examined; sets LUKSDEV to the backing block device, pulls in dm-crypt and then recurses into the backing device
77 local name=${devpath#/dev/mapper/}
78 LUKSDEV=$(/sbin/cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
79 if [ -z "$LUKSDEV" ]; then
80 # could be initialized by old cryptsetup, so recover the backing device from "dmsetup deps" (major:minor looked up in /proc/partitions)
# NOTE(review): the dmsetup deps call below queries a fixed mapping name (lolek_crypt) instead of $name — confirm this is intended; otherwise this fallback only works for that one volume.
81 vars=$(dmsetup deps lolek_crypt | awk '/dependencies.*(.*)/ { left=index($0, "("); right=index($0, ")"); split(substr($0, left + 1, right - left - 1), A, " *, *") ; print "major=" A[1] "; minor=" A[2] }')
83 if [ -n "$major" -a -n "$minor" ] ; then
84 LUKSDEV=$(awk "\$1 == $major && \$2 == $minor { print \"/dev/\" \$4 }" /proc/partitions)
88 if [ -z "$LUKSDEV" ]; then
89 die "Lost cryptsetup device meanwhile?"
92 find_module "dm-crypt"
101 find_modules_for_devpath $LUKSDEV
105 # generate initrd fragment for cryptsetup luks init: installs $cryptsetup into the initrd as /bin/cryptsetup and emits the /etc/crypttab handling for $LUKSDEV
108 if ! is_yes "$have_luks"; then
113 inst_exec $cryptsetup /bin/cryptsetup
118 # TODO: 'udevadm settle' is called by lukssetup, is udev optional?
120 debug "luks: process /etc/crypttab $LUKSDEV"
121 luks_crypttab $LUKSDEV
127 [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
130 # produce the cryptsetup initrd fragment for $name from the /etc/crypttab entry whose source device resolves to $LUKSDEV
# Key-file entries are only accepted when the file is root-owned with no group/other permission bits; the generated script then
# references the key as /etc/.<dst>.key inside the initrd, so the initrd image itself must be readable by root only (NOTE(review): verify its mode).
134 # mode/owner checks copied from /etc/rc.d/init.d/cryptsetup: a key file must be owned by root and have no group/other permission bits (random sources such as /dev/urandom are exempt from the mode check)
135 local dst src key opt mode owner
137 while read dst src key opt; do
138 [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
139 [ "$src" != "$LUKSDEV" ] && [ "$(readlink -f $src)" != "$LUKSDEV" ] && continue
141 if [ -n "$key" -a "x$key" != "xnone" ]; then
142 if test -e "$key" ; then
143 mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
144 owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
145 if [ "$mode" != "------" ] && ! key_is_random "$key"; then
146 die "INSECURE MODE FOR $key"
148 if [ "$owner" != root ]; then
149 die "INSECURE OWNER FOR $key"
152 die "Key file for $dst not found"
158 if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
159 if key_is_random "$key"; then
160 die "$dst: LUKS requires non-random key, skipping"
162 if [ -n "$opt" ]; then
163 warn "$dst: options are invalid for LUKS partitions, ignoring them"
166 keyfile=/etc/.$dst.key
170 debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
172 # cryptsetup can be called twice and in case on crypt on lvm only second
173 # will succeed because there will be no src device in first cryptsetup call
174 # this can be called multiple times, before lvm and after lvm.
176 if [ \${luksdev##/dev/disk/by-uuid/} != \${luksdev} ]; then
177 src_uuid=\${luksdev##/dev/disk/by-uuid/}
178 while read x y z name; do
179 found_uuid=\$(cryptsetup luksUUID /dev/\${name} 2>/dev/null)
180 if [ "\$found_uuid" = "\$src_uuid" ]; then
184 done < /proc/partitions
187 if [ -e "\$luksdev" ]; then
188 crypt_status=\$(cryptsetup status '$dst')
189 if [ "\${crypt_status%%is inactive.}" != "\$crypt_status" ]; then
191 cryptsetup ${keyfile:+-d $keyfile} luksOpen "\$luksdev" '$dst' <&1
198 die "$dst: only LUKS encryption supported"