V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -863,7 +863,7 @@ user:
       shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
       sudo: false              # Whether the user can escalate to root using sudo.
       system: true             # Whether this is a low-UID system user (e.g., for automation).
-    specific: "ciss"
+    specific: "ciss"           # Also used for LUKS Header encryption.
 
   ##############################################################################################################################
   # Primary administrative user with full sudo access

func/cdi_3200_partitioning/3220_partition_encryption.sh

@@ -36,11 +36,14 @@ guard_sourcing
 #   VAR_LUKS_URL
 #   VAR_RECIPE_STRING
 #   VAR_SETUP_PART
+#   VAR_SETUP_PATH
 #   VAR_TEMP_PLAIN_NC_AUTH
+#   user_root_specific
 # Arguments:
 #   None
 # Returns:
 #   0: on success
+#   ERR_LUKS_HEADER_ENC: on failure
 #######################################
 partition_encryption() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -58,7 +61,7 @@ partition_encryption() {
               var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
               var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
               var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
-              var_luks_backup_file="" var_luks_backup_name=""
+              var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp=""
 
   declare -a  ary_luks_opts=()
 
@@ -173,20 +176,63 @@ partition_encryption() {
 
     if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then
 
+      case "${user_root_specific}" in
+
+        ciss)    var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;;
+        physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;;
+        *)       do_log "error" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;;
+
+      esac
+
       var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
-      var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak"
+      var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak.pgp"
-      cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"
+      var_luks_backup_pgp="${DIR_BAK}/luks_header_${var_dev}.bak.pgp"
-      do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
+
+      if cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"; then
+
+        do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
+
+      else
+
+        do_log "fatal" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header backup failed for: '${var_luks_backup_file}'."
+        return "${ERR_LUKS_HEADER_ENC}"
+
+      fi
+
+      if gpg --batch --yes --no-tty --compress-level 0 \
+        --recipient-file "${var_pgp_publickey}" \
+        --encrypt -o "${var_luks_backup_pgp}" -- "${var_luks_backup_file}"; then
+
+        do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header encrypted: '${var_luks_backup_pgp}'."
+
+        if command -v shred >/dev/null 2>&1; then
+
+          shred -u -- "${var_luks_backup_file}" || rm -f -- "${var_luks_backup_file}"
+
+        else
+
+          rm -f -- "${var_luks_backup_file}"
+
+        fi
+
+      else
+
+        do_log "fatal" "file_only" "3220() GPG encryption failed for '${var_luks_backup_file}'. Keeping plaintext for diagnostics."
+        return "${ERR_LUKS_HEADER_ENC}"
+
+      fi
 
       if [[ -n "${VAR_LUKS_URL}" ]]; then
 
         guard_trace on
 
-        if curl --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
+        if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
-          --upload-file "${var_luks_backup_file}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
+          --upload-file "${var_luks_backup_pgp}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
 
           do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
 
+          rm -f "${var_luks_backup_pgp}"
+
         else
 
           do_log "warn" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' failed."
@@ -195,8 +241,6 @@ partition_encryption() {
 
         guard_trace off
 
-        rm -f "${var_luks_backup_file}"
-
       fi
 
     fi

var/errors.var.sh

@@ -59,6 +59,7 @@ declare -girx ERR_VERIFY_VISUDO=214     # Error verification by 'visudo'.
 declare -girx ERR_VERIFY_LOGROTATE=213  # Error verification by 'logrotate'.
 declare -girx ERR_READ_AUTH_FILE=212    # Error reading the Luks Backup auth token file.
 declare -girx ERR_ACCOUNT_CREATE=211    # Error creating user accounts.
+declare -girx ERR_LUKS_HEADER_ENC=210   # Error encrypting LUKS Header backup.
 
 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE