msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m6s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-26 17:19:26 +00:00
parent 893740c2bf
commit 25e230ace4
8 changed files with 36 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.preseed/partitioning.yaml
View File

@@ -35,7 +35,7 @@ recipe:
luks_backup: true # Specify if LUKS Header backups should be created. If so, provide an external backup URL: luks_backup: true # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
# luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup. # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
# Also provide the cloud access token and access passwords via # Also provide the cloud access token and access passwords via
# ./.preseed/password_luks_backup.txt. Yet Nextcloud only is supported. # ./.preseed/SECRETS.yaml. Yet Nextcloud only is supported.
luks_backup_url: "https://cloud.e2ee.li/" luks_backup_url: "https://cloud.e2ee.li/"
luks_backup_pgp: "ciss" # Specify the trigger for use of the LUKS Header backup encryption key. luks_backup_pgp: "ciss" # Specify the trigger for use of the LUKS Header backup encryption key.
# Allowed values are: 'ciss', and 'physnet'. MUST be provided. # Allowed values are: 'ciss', and 'physnet'. MUST be provided.

1
.preseed/password_luks_backup.txt
View File

@@ -1 +0,0 @@
SJF3kOdvm0o9xwT:VdmXE^2w^VTFJeJPdHkd7qNwQVf^7SDmcyZKjcfadS

1
.preseed/password_luks_boot.txt
View File

@@ -1 +0,0 @@
Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!

1
.preseed/password_luks_common.txt
View File

@@ -1 +0,0 @@
Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!

1
.preseed/password_luks_nuke.txt
View File

@@ -1 +0,0 @@
THIS_IS_THE_NUKE_PASSWORD!

11
func/cdi_1250_yaml/1257_yaml_xnuke.sh
View File

@@ -25,7 +25,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# ERR_GENERATE_SALT: on failure # ERR_GENERATE_SALT: on failure
####################################### #######################################
nuke_passphrase() { nuke_passphrase() {
#guard_trace on guard_trace on
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}" declare var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}"
@@ -54,19 +54,14 @@ nuke_passphrase() {
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}") var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}")
# shellcheck disable=SC2034
declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}" declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
echo "Inside 1257"
echo "CISS_SECRET_LUKS_NUKE: ${CISS_SECRET_LUKS_NUKE}"
unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE
do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]" do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
#guard_trace off guard_trace off
echo "Inside 1257"
sleep 60
guard_dir; return 0 guard_dir; return 0
} }

5
func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
View File

@@ -27,7 +27,8 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# 0: on success # 0: on success
####################################### #######################################
benchmarking_encryption() { benchmarking_encryption() {
declare var_result="" ### Declare Arrays, HashMaps, and Variables.
declare var_result=""
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -girx VAR_KDF_THREADS=$(yq_val ".recipe.${VAR_RECIPE_STRING}.control.kdf.threads" "${VAR_SETUP_PART}") declare -girx VAR_KDF_THREADS=$(yq_val ".recipe.${VAR_RECIPE_STRING}.control.kdf.threads" "${VAR_SETUP_PART}")
# shellcheck disable=SC2155 # shellcheck disable=SC2155
@@ -37,7 +38,7 @@ benchmarking_encryption() {
sync sync
echo "BENCHMARK CRYPTSETUP ARGON2ID KDF PARAMETER - DROPPING PAGES ..." echo "BENCHMARK CRYPTSETUP ARGON2ID KDF PARAMETER - DROPPING PAGES ..."
echo 3 >| /proc/sys/vm/drop_caches echo 3 >| /proc/sys/vm/drop_caches || true
# shellcheck disable=SC2312 # shellcheck disable=SC2312
var_result=$(cryptsetup benchmark --pbkdf argon2id --iter-time "${VAR_ITER_TIME:-3000}" --pbkdf-parallel "${VAR_KDF_THREADS:-1}" 2>/dev/null \ var_result=$(cryptsetup benchmark --pbkdf argon2id --iter-time "${VAR_ITER_TIME:-3000}" --pbkdf-parallel "${VAR_KDF_THREADS:-1}" 2>/dev/null \

67
func/cdi_3200_partitioning/3220_partition_encryption.sh
View File

@@ -16,6 +16,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'. # Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'.
# Globals: # Globals:
# ARY_CRYPT_MOUNT_PATHS # ARY_CRYPT_MOUNT_PATHS
# CISS_SECRET_LUKS_BACKUP
# CISS_SECRET_LUKS_BOOT
# CISS_SECRET_LUKS_COMMON
# DIR_BAK # DIR_BAK
# DIR_CNF # DIR_CNF
# DIR_LOG # DIR_LOG
@@ -38,7 +41,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# VAR_RECIPE_STRING # VAR_RECIPE_STRING
# VAR_SETUP_PART # VAR_SETUP_PART
# VAR_SETUP_PATH # VAR_SETUP_PATH
# VAR_TEMP_PLAIN_NC_AUTH
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -61,15 +63,27 @@ partition_encryption() {
var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \ var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \ var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \ var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" \
var_temp_plain_nc_auth=""
declare -a ary_luks_opts=() declare -a ary_luks_opts=()
guard_trace on
printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt"
printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt"
unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON
guard_trace on
if [[ -n "${VAR_LUKS_URL}" ]]; then if [[ -n "${VAR_LUKS_URL}" ]]; then
VAR_LUKS_URL=${VAR_LUKS_URL%/} VAR_LUKS_URL=${VAR_LUKS_URL%/}
read_luks_backup_token
do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]" guard_trace on
var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}"
unset CISS_SECRET_LUKS_BACKUP
guard_trace on
do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set."
fi fi
@@ -176,13 +190,17 @@ partition_encryption() {
### Opening the encrypted container. ### Opening the encrypted container.
if [[ "${var_encryption_path,,}" == "/boot" ]]; then if [[ "${var_encryption_path,,}" == "/boot" ]]; then
cryptsetup luksOpen "/dev/${var_dev}" \ cryptsetup luksOpen "/dev/${var_dev}" \
--key-file="${DIR_CNF}/password_luks_boot.txt" \ --key-file="${DIR_CNF}/password_luks_boot.txt" \
"${var_encryption_label}" "${var_encryption_label}"
else else
cryptsetup luksOpen "/dev/${var_dev}" \ cryptsetup luksOpen "/dev/${var_dev}" \
--key-file="${DIR_CNF}/password_luks_common.txt" \ --key-file="${DIR_CNF}/password_luks_common.txt" \
"${var_encryption_label}" "${var_encryption_label}"
fi fi
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'." do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
@@ -257,7 +275,7 @@ partition_encryption() {
guard_trace on guard_trace on
if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \ if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
--upload-file "${var_luks_backup_pgp}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then --upload-file "${var_luks_backup_pgp}" --user "${var_temp_plain_nc_auth}" > /dev/null 2>&1; then
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful." do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
@@ -277,43 +295,16 @@ partition_encryption() {
done done
[[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH guard_trace on
[[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth
guard_trace off
ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt"
ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt"
guard_dir; return 0 guard_dir; return 0
} }
### Prevents accidental 'unset -f'. ### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f partition_encryption readonly -f partition_encryption
#######################################
# Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
# Globals:
# DIR_CNF
# VAR_TEMP_PLAIN_NC_AUTH
# Arguments:
# None
# Returns:
# 0: on success
# ERR_READ_AUTH_FILE: on failure
#######################################
read_luks_backup_token(){
### Declare Arrays, HashMaps, and Variables.
declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
declare -g VAR_TEMP_PLAIN_NC_AUTH=""
guard_trace on
if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
return "${ERR_READ_AUTH_FILE}"
fi
guard_trace off
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f read_luks_backup_token
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh