V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/partitioning.yaml

@@ -33,8 +33,9 @@ recipe:
         threads: 1             # Set the parallel cost for PBKDF (number of threads, up to 4).
         time: 256              # The number of milliseconds to spend with PBKDF passphrase processing.
       luks_backup: true        # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
-                               # luks_backup_url: "https://cloud.e2ee.li/"
+                               # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
                                # Also provide the cloud access token and access passwords via ./.preseed/password_luks_backup.txt
+                               # Yet Nextcloud only is supported.
       luks_backup_url: "https://cloud.e2ee.li/"
       name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
       nuke: true               # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command.
@@ -50,7 +51,7 @@ recipe:
       table: "gpt"             # MUST be "gpt" for "UEFI" || "msdos":
       syntax: true             # This is set to "false" by default, otherwise if the recipe is tested by the authors to "true".
       ### Version of the specific recipe.
-      version: "1.2.0"
+      version: "1.3.0"
     dev:
       sda:
         1:                     # MUST be always 'ESP' for [UEFI|GPT] or 'BIOS' for [BIOS|GPT].

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -43,11 +43,13 @@ yaml_reader() {
   declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
               VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
               VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
-              VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true"
+              VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true" VAR_LUKS_BACKUP="false" \
+              VAR_LUKS_URL=""
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
-              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var=""
+              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var="" \
+              recipe_luks_var="" recipe_luks_url=""
 
   ### Read "${var_if}" line by line.
   while IFS= read -r var_line; do
@@ -183,6 +185,14 @@ END { print max }
   recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
   VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"
 
+  ### Extract the chosen LUKS Backup strategy.
+  recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
+  # shellcheck disable=SC2034
+  VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
+  recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
+  # shellcheck disable=SC2034
+  VAR_LUKS_URL="${!recipe_luks_url,,}"
+
   ### Extract the chosen Nuke mechanism.
   recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
   # shellcheck disable=SC2034

func/cdi_3200_partitioning/3220_partition_encryption.sh

@@ -10,8 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# TODO: LUKS Header Cloud Backup
-
 guard_sourcing
 
 #######################################
@@ -27,14 +25,19 @@ guard_sourcing
 #   HMP_PATH_ENCLABEL
 #   HMP_PATH_FSUUID
 #   HMP_PATH_LUKSUUID
+#   VAR_CRYPT_BOOT
 #   VAR_CRYPT_RECOVERY
 #   VAR_CRYPT_ROOT
+#   VAR_FINAL_FQDN
 #   VAR_ITER_TIME
 #   VAR_KDF_ITERATIONS
 #   VAR_KDF_MEMORY
 #   VAR_KDF_THREADS
+#   VAR_LUKS_BACKUP
+#   VAR_LUKS_URL
 #   VAR_RECIPE_STRING
 #   VAR_SETUP_PART
+#   VAR_TEMP_PLAIN_NC_AUTH
 # Arguments:
 #   None
 # Returns:
@@ -42,8 +45,8 @@ guard_sourcing
 #######################################
 partition_encryption() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare -Ag HMP_PATH_LUKSUUID      # Used in: 3290() - [Mount Path:LUKS UUID].
+  declare -Ag HMP_PATH_LUKSUUID # Used in: 3290() - [Mount Path:LUKS UUID].
-                                     # Used in: 4210() - [Mount Path:LUKS UUID].
+      # Used in: 4210() - [Mount Path:LUKS UUID].
   declare -Ag HMP_PATH_FSUUID        # Used in: 3240() - [Mount Path:Filesystem UUID].
                                      # Used in: 3290() - [Mount Path:Filesystem UUID].
                                      # Used in: 4200() - [Mount Path:Filesystem UUID].
@@ -60,10 +63,18 @@ partition_encryption() {
               var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
               var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
               var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
-              var_fs_uuid=""
+              var_fs_uuid="" var_luks_backup_file="" var_luks_backup_name=""
 
   declare -a  ary_luks_opts=()
 
+  if [[ -n "${VAR_LUKS_URL}" ]]; then
+
+    VAR_LUKS_URL=${VAR_LUKS_URL%/}
+    read_luks_backup_token
+    do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]"
+
+  fi
+
   for var_encryption_path in "${ARY_CRYPT_MOUNT_PATHS[@]}"; do
 
     ### Initialize Arrays and Variables
@@ -174,10 +185,37 @@ partition_encryption() {
 
     fi
 
-    cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}.bak" "/dev/${var_dev}"
+    if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then
-    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}.bak'."
 
-    ### Opening encrypted container.
+      var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
+      var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak"
+      cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"
+      do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
+
+      if [[ -n "${VAR_LUKS_URL}" ]]; then
+
+        guard_trace on
+
+        if curl --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
+          --upload-file "${var_luks_backup_file}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
+
+          do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
+
+        else
+
+          do_log "warn" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' failed."
+
+        fi
+
+        guard_trace off
+
+        rm -f "${var_luks_backup_file}"
+
+      fi
+
+    fi
+
+    ### Opening the encrypted container.
     if [[ "${var_encryption_path,,}" == "/boot" ]]; then
       cryptsetup luksOpen "/dev/${var_dev}" \
         --key-file="${DIR_CNF}/password_luks_boot.txt" \
@@ -207,9 +245,43 @@ partition_encryption() {
 
   done
 
+  [[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH
+
   guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f partition_encryption
+
+#######################################
+# Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
+# Globals:
+#   DIR_CNF
+#   VAR_TEMP_PLAIN_NC_AUTH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_READ_AUTH_FILE: on failure
+#######################################
+read_luks_backup_token(){
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
+  declare -g VAR_TEMP_PLAIN_NC_AUTH=""
+
+  guard_trace on
+
+  if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
+
+    return "${ERR_READ_AUTH_FILE}"
+
+  fi
+
+  guard_trace off
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f read_luks_backup_token
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4300_network/4330_installation_ssh.sh

@@ -53,10 +53,28 @@ installation_ssh() {
 
   rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
 
-  # shellcheck disable=SC2312
+  if [[ -f "${TARGET}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
-  chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+
-  # shellcheck disable=SC2312
+    chroot_script "${TARGET}" "
-  chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key"
+
+    chroot_script "${TARGET}" "
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key"
+
+    chroot_script "${TARGET}" "
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub"
+
+    chroot_script "${TARGET}" "
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub"
+
+  else
+
+    # shellcheck disable=SC2312
+    chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+    # shellcheck disable=SC2312
+    chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+
+  fi
 
   mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
   cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"

lib/cdi_0100_arg/0104_arg_passphrase_modules.sh

@@ -13,15 +13,14 @@
 guard_sourcing
 
 #######################################
-# Generates salt.
+# Generates a 16-byte salt.
 # Globals:
-#   ERR_GENERATE_SALT
 #   NL
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_GENERATE_SALT
+#   ERR_GENERATE_SALT: on failure
 #######################################
 generate_salt() {
   declare var_salt=""
@@ -38,18 +37,20 @@ generate_salt() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_salt
 
 #######################################
 # Reads and validates a secure one-line password file.
 # Globals:
-#   ERR_READ_PASS_FILE
 #   VAR_DEBUG_TRACE
 # Arguments:
 #   1: Path to password file
 #   2: Name of target variable (via nameref)
 # Returns:
 #   0: on success
-#   ERR_READ_PASS_FILE
+#   ERR_READ_PASS_FILE: on failure
 #######################################
 read_password_file() {
   declare -r var_input_file="${1}"
@@ -106,4 +107,7 @@ read_password_file() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f read_password_file
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/errors.var.sh

@@ -57,6 +57,7 @@ declare -girx ERR_CHROOT_LOGGER=216     # An error occurred while preparing the
 declare -girx ERR_READ_SEED_FILE=215    # Error reading the mfa TOTP seed file.
 declare -girx ERR_VERIFY_VISUDO=214     # Error verification by 'visudo'.
 declare -girx ERR_VERIFY_LOGROTATE=213  # Error verification by 'logrotate'.
+declare -girx ERR_READ_AUTH_FILE=212    # Error reading the Luks Backup auth token file.
 
 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE