V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-19 23:45:45 +02:00
parent c6c12c4bde
commit 3983b149e6
16 changed files with 666 additions and 107 deletions
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -28,15 +28,35 @@
 ### PRELIMINARY CHECKS
 [ -z "${BASH_VERSINFO[0]}" ] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
+  . ./meta_loader_early.sh
  printf "%s❌ Please make sure you are using 'bash'! Bye... %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
  }
 [[ ${EUID} -ne 0 ]] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_USER_IS_NOT_ROOT}"; }
+  . ./meta_loader_early.sh
  printf "%s❌ Please make sure you are 'root'! Bye... %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
  exit "${ERR_USER_IS_NOT_ROOT}"
  }
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
+  . ./meta_loader_early.sh
  printf "%s❌ Please make sure you are calling the script without leading 'sh'! Bye... %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
  }
 [[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
+  . ./meta_loader_early.sh
  printf "%s❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... %s%s" "${C_RED}" "${BASH_VERSION}" "${C_RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
  }
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
+  . ./meta_loader_early.sh
  printf "%s❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... %s%s" "${C_RED}" "${BASH_VERSION}" "${C_RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
  }
 [[ ${#} -eq 0 ]] && {
  . ./lib/0000_usage.sh; usage >&2; exit 1; }
@@ -67,17 +87,17 @@ pre_scan_debug "$@"
 ### ADVISORY LOCK
 exec 127>/var/lock/ciss_debian_installer.lock || {
-  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
+  printf "%s❌ Cannot open lockfile for writing! Bye... %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
  exit "${ERR_FLOCK_PROTECTED}"
 }
 if ! flock -x -n 127; then
-  printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
+  printf "%s❌ Another instance is running! Bye...%s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
  exit "${ERR_FLOCK_COLLISION}"
 fi
 ### SOURCING
-[[ "${VAR_SETUP}" == true ]] && {
+[[ "${VAR_SETUP}" == "true" ]] && {
  ### SOURCING BASH OPTIONS
  . ./var/bash.var.sh
  ### SOURCING FUNCTIONS
@@ -99,7 +119,7 @@ gen_dir_files
 ### Dialog Output for Initialization
-if ! $VAR_AUTO_INSTALL; then . ./lib/0200_dialog_helper.sh && dialog_gauge; fi
+if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_gauge; fi
--- a/func/1250_yaml_parser.sh
+++ b/func/1250_yaml_parser.sh
@@ -13,8 +13,9 @@
 guard_sourcing
 #######################################
-# Parsing './.preseed/preseed.yaml'.
+# Parsing './.preseed/preseed.yaml' and './.preseed/partitioning.yaml'.
 # Globals:
 #   ARY_BOOTPARAM
 #   ARY_NTPSRVR
 #   ARY_PACKAGES
 #   DIR_CNF
@@ -30,7 +31,7 @@ yaml_parser() {
  yq -o=shell "${DIR_TMP}/combined.yaml" >| "${VAR_PRESEED}"
-  declare -agx ARY_BOOTPARAM ARY_NTPSRVR ARY_PACKAGES
+  declare -agx ARY_BOOTPARAM=() ARY_NTPSRVR=() ARY_PACKAGES=()
  declare var_key var_value
  while IFS='=' read -r var_key var_value; do
--- a/func/3220_partition_encryption.sh
+++ b/func/3220_partition_encryption.sh
@@ -121,19 +121,6 @@ partition_encryption() {
      fi
      if [[ "${var_encryption_nuke,,}" == "true" ]]; then
        cryptsetup luksAddKey \
          --key-file="${DIR_CNF}/password.txt" \
          --new-keyfile="${DIR_CNF}/password_nuke.txt" \
          --new-key-slot 31 \
          --batch-mode --verbose \
          "/dev/${var_dev}${var_part}"
          do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' 'Nuke-Key' added."
      fi
      cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak" "/dev/${var_dev}${var_part}"
      do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
--- a/func/4130_setup_network.sh
+++ b/func/4130_setup_network.sh
@@ -58,16 +58,16 @@ setup_network() {
  declare -a ary_ipv4_ns ary_ipv6_ns
  ary_ipv4_ns+=("${network_static_ipv4nameserver_0}")
-  [[ -n "${network_static_ipv4nameserver_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_1}")
+  [[ -v "${network_static_ipv4nameserver_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_1}")
-  [[ -n "${network_static_ipv4nameserver_2}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_2}")
+  [[ -v "${network_static_ipv4nameserver_2}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_2}")
-  [[ -n "${network_static_ipv4nameserver_fallback_0}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_0}")
+  [[ -v "${network_static_ipv4nameserver_fallback_0}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_0}")
-  [[ -n "${network_static_ipv4nameserver_fallback_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_1}")
+  [[ -v "${network_static_ipv4nameserver_fallback_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_1}")
  ary_ipv6_ns+=("${network_static_ipv6nameserver_0}")
-  [[ -n "${network_static_ipv6nameserver_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_1}")
+  [[ -v "${network_static_ipv6nameserver_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_1}")
-  [[ -n "${network_static_ipv6nameserver_2}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_2}")
+  [[ -v "${network_static_ipv6nameserver_2}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_2}")
-  [[ -n "${network_static_ipv6nameserver_fallback_0}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_0}")
+  [[ -v "${network_static_ipv6nameserver_fallback_0}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_0}")
-  [[ -n "${network_static_ipv6nameserver_fallback_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}")
+  [[ -v "${network_static_ipv6nameserver_fallback_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}")
  ### Check current network connection and configure variables
  var_auto_nic=$(ip -o link show | awk -F': ' '/state UP/ && $2!="lo" {print $2; exit}')
--- a/func/4195_setup_dropbear.sh
+++ b/func/4195_setup_dropbear.sh
@@ -53,9 +53,9 @@ setup_dropbear() {
  ### Prepare dropbear authorized_keys
  declare -a ary_user=()
  ary_user+=("${user_root_ssh_pubkeys_0}")
-  [[ -n "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
+  [[ -v "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
-  [[ -n "${user_root_ssh_pubkeys_2}" ]] && ary_user+=("${user_root_ssh_pubkeys_2}")
+  [[ -v "${user_root_ssh_pubkeys_2}" ]] && ary_user+=("${user_root_ssh_pubkeys_2}")
-  [[ -n "${user_root_ssh_pubkeys_3}" ]] && ary_user+=("${user_root_ssh_pubkeys_3}")
+  [[ -v "${user_root_ssh_pubkeys_3}" ]] && ary_user+=("${user_root_ssh_pubkeys_3}")
  touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
  printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
@@ -151,7 +151,6 @@ EOF
  fi
  ### Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
  do_in_target "${TARGET}" update-grub
  do_in_target "${TARGET}" update-initramfs -u -v -k all
--- a/includes/initramfs-tools/files/unlock_wrapper.sh
+++ b/includes/initramfs-tools/files/unlock_wrapper.sh
@@ -1,12 +1,12 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command
--- a/includes/initramfs-tools/files/unlock_wrapper_advanced.sh
+++ b/includes/initramfs-tools/files/unlock_wrapper_advanced.sh
@@ -0,0 +1,395 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper_advanced.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
 set -Ceuo pipefail
 ### Variable declaration
 declare -ir MAX_RETRIES=2
 # shellcheck disable=SC2155
 declare -r CURRENTDATE=$(date +"%F %T")
 # shellcheck disable=SC2155
 declare -r IFS=$(printf ' \n\t')
 declare -r GRN='\e[0;92m'
 declare -r MAG='\e[0;95m'
 declare -r RED='\e[0;91m'
 declare -r RES='\e[0m'
 declare -r NL='\n'
 #######################################
 # Generates informative shell prompt.
 # Globals:
 #   PS1
 # Arguments:
 #   None
 #######################################
 prompt_string() {
  declare -gx PS1="\
 \[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
 \[\033[1;96m\]\w\[\033[0m\]/>>\
 \$(if [[ \$? -eq 0 ]]; then \
  # Show exit status in green if zero
  echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
 else \
  # Show exit status in red otherwise
  echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
 fi)\
 |~\$ "
 }
 #######################################
 # Die helper: print and exit hard.
 # Globals:
 #   NC
 #   RED
 # Arguments:
 #   1: Message string to print.
 #######################################
 die() {
  printf "%s✘ %s%s\n" "${RED}" "$1" "${RES}" >&2
  power_off 3
 }
 #######################################
 # Unified power-off routine.
 # Arguments:
 #   1: Sleep time before power-off in seconds.
 #######################################
 power_off() {
  declare -r wait="${1:-0}"
  sleep "${wait}"
  sync
  echo 1 >| /proc/sys/kernel/sysrq
  echo o >| /proc/sysrq-trigger
  # The System powers off immediately; no further code is executed.
 }
 #######################################
 # Trap function to be called on 'ERR'.
 # Arguments:
 #   1: ${?}
 #   2: ${BASH_SOURCE[0]}
 #   3: ${LINENO}
 #   4: ${FUNCNAME[0]:-main}
 #   5: ${BASH_COMMAND}
 #######################################
 trap_on_err() {
  declare -r errcode="$1"
  declare -r errscrt="$2"
  declare -r errline="$3"
  declare -r errfunc="$4"
  declare -r errcmmd="$5"
  trap - ERR INT TERM
  stty echo
  print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
  power_off 16
 }
 #######################################
 # Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the Nuke Routine.
 # Globals:
 #   NL
 #   RED
 #   RES
 # Arguments:
 #   None
 #######################################
 trap_on_term() {
  trap - ERR INT TERM
  stty echo
  printf "%s" "${NL}"
  printf "%s✘ System caught a 'SIGINT'. System Power Off in 3 seconds. %s%s" "${RED}" "${RES}" "${NL}" >&2
  power_off 3
 }
 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal.
 # Globals:
 #   NL
 #   RED
 #   RES
 # Arguments:
 #   1: ${?}
 #   2: ${BASH_SOURCE[0]}
 #   3: ${LINENO}
 #   4: ${FUNCNAME[0]:-main}
 #   5: ${BASH_COMMAND}
 #######################################
 print_scr_err() {
  declare -r scr_err_errcode="$1"
  declare -r scr_err_errscrt="$2"
  declare -r scr_err_errline="$3"
  declare -r scr_err_errfunc="$4"
  declare -r scr_err_errcmmd="$5"
  printf "%s" "${NL}"
  printf "%s✘ System caught an 'ERROR'. System Power Off in 15 seconds. %s%s" "${RED}" "${RES}" "${NL}" >&2
  printf "%s" "${NL}"
  printf "%s✘ Error               : %s %s%s" "${RED}" "${scr_err_errcode}" "${RES}" "${NL}" >&2
  printf "%s✘ Line                : %s %s%s" "${RED}" "${scr_err_errline}" "${RES}" "${NL}" >&2
  printf "%s✘ Script              : %s %s%s" "${RED}" "${scr_err_errscrt}" "${RES}" "${NL}" >&2
  printf "%s✘ Function            : %s %s%s" "${RED}" "${scr_err_errfunc}" "${RES}" "${NL}" >&2
  printf "%s✘ Command             : %s %s%s" "${RED}" "${scr_err_errcmmd}" "${RES}" "${NL}" >&2
  printf "%s" "${NL}"
 }
 #######################################
 # Print Error Message for '0'-Exit-Code Trap on 'ERR' on Terminal.
 # Arguments:
 #   none
 #######################################
 print_scr_scc() {
  printf "%s✅ Script exited successfully. Proceeding with booting. %s%s" "${GRN}" "${RES}" "${NL}"
 }
 #######################################
 # Gather information of all LUKS Devices available on the system.
 # Arguments:
 #   None
 #######################################
 gather_luks_devices() {
  declare prev=() curr=() tries=0
  while ((tries < 10)); do
    mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
    if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
      break
    fi
    prev=("${curr[@]}")
    tries=$((tries + 1))
    sleep 1
  done
  printf '%s\n' "${curr[@]}"
 }
 #######################################
 # Extract the 'nuke='-parameter from '/proc/cmdline'.
 # Globals:
 #   VAR_NUKE_HASH
 # Returns:
 #   0: if nuke= was found and extracted.
 #   1: if not found.
 #######################################
 extract_nuke_hash() {
  declare ARG="" CMDLINE=""
  ### Read /proc/cmdline into a single line safely
  read -r CMDLINE < /proc/cmdline
  for ARG in ${CMDLINE}; do
    case "${ARG}" in
      nuke=*) declare -gr VAR_NUKE_HASH="${ARG#nuke=}"; return 0 ;;
    esac
  done
  ### Not found
  return 1
 }
 #######################################
 # Read passphrase interactively.
 # Arguments:
 #  None
 #######################################
 passphrase_ask() {
  declare -g PASSPHRASE=""
  printf "\n"
  stty -echo
  printf "\e[0;95m🔐 Enter passphrase for decryption: \e[0m\n"
  read -r PASSPHRASE
  stty echo
  printf "\n"
 }
 #######################################
 # Test the entered passphrase against the dedicated Nuke Keyslot #31.
 # Arguments:
 #   $1: DEVICE
 #   $2: PASSWD
 #######################################
 passphrase_test() {
  declare -r DEVICE="$1"
  declare -r PASPHR="$2"
  printf '%s' "${PASPHR}" | cryptsetup open --batch-mode --test-passphrase --key-slot 31 "${DEVICE}" > /dev/null 2>&1
 }
 #######################################
 # Check the integrity and authenticity of this script itself.
 # Arguments:
 #   $0: Script Name
 #######################################
 verify_coresecret() {
  ### Directory of this script
  # shellcheck disable=SC2155
  declare dir="$(dirname "$(readlink -f "${0}")")"
  # shellcheck disable=SC2155
  declare script="$(basename "${0}")"
  declare algo
  for algo in sha512 sha384; do
    # shellcheck disable=SC2155
    declare hashfile="${dir}/${script}.${algo}"
    # shellcheck disable=SC2155
    declare sigfile="${hashfile}.sig"
    # shellcheck disable=SC2155
    declare cmd="${algo}sum"
    printf "\e[0;95m🔏 Verifying signature of: [%s] \e[0m\n" "${hashfile}"
    gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
      printf "\e[0;91m✘ Signature verification failed for: [%s] \e[0m\n" "${hashfile}" >&2
      printf "\e[0;91m✘ System Power Off in 3 seconds. \e[0m\n" >&2
      sync
      sleep 3
      set +C
      echo 1 > /proc/sys/kernel/sysrq
      echo o > /proc/sysrq-trigger
    }
    printf "\e[0;92m🔏 Verifying signature of: [%s] successful. \e[0m\n" "${hashfile}"
    printf "\e[0;95m🔢 Recomputing Hash: [%s] \e[0m\n" "${algo}"
    # shellcheck disable=SC2155
    declare computed=$($cmd "${dir}/${script}" | awk '{print $1}')
    # shellcheck disable=SC2155
    declare expected=$(cat "${hashfile}")
    if [[ ${computed} != "${expected}" ]]; then
      printf "\e[0;91m✘ Hash mismatch for: [%s] \e[0m\n" "${algo}" >&2
      printf "\e[0;91m✘ System Power Off in 3 seconds. \e[0m\n" >&2
      sync
      sleep 3
      set +C
      echo 1 > /proc/sys/kernel/sysrq
      echo o > /proc/sysrq-trigger
    fi
    printf "\e[0;92m🔢 Recomputing Hash: [%s] successful. \e[0m\n" "${algo}"
  done
  printf "\e[0;92m🔏 All signatures and hashes verified successfully. Proceeding. \e[0m\n"
 }
 ### Main Programm
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 trap 'trap_on_term' INT TERM
 printf "\e[0;91mCoresecret Connection established.\e[0m\n"
 printf "\e[0;91mStarting Time: %s\e[0m\n" "${CURRENTDATE}"
 printf "\n"
 verify_coresecret
 ### Read newline-separated output into an array
 mapfile -t DEVICES_LUKS < <(gather_luks_devices)
 mapfile -t DEVICES_NUKE < <(gather_nuke_devices)
 ### Debug output: list each element with its index
 #for idx in "${!DEVICES_LUKS[@]}"; do
 #  printf 'Luks[%d]: %s\n' "${idx}" "${DEVICES_LUKS[${idx}]}"
 #done
 ### Debug output: list each element with its index
 #for idx in "${!DEVICES_NUKE[@]}"; do
 #  printf 'Nuke[%d]: %s\n' "${idx}" "${DEVICES_NUKE[${idx}]}"
 #done
 ### # If there are no LUKS devices at all, drop to bash
 [[ -n ${DEVICES_LUKS[*]} ]] || {
  printf "\e[0;92m✘ No LUKS Devices found. Dropping to bash ... \e[0m\n"
  prompt_string
  exec /bin/bash -i
 }
 ### If there are LUKS devices but no Nuke devices, try unlocking flow
 if [[ -n ${DEVICES_LUKS[*]} ]] && [[ -z ${DEVICES_NUKE[*]} ]]; then
  ### Attempt interactive unlock with cryptroot-unlock
  if cryptroot-unlock; then
    exit 0
  else
    printf "\n"
    printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
    printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
    printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
    prompt_string
    exec /bin/bash -i
  fi
 elif [[ -n ${DEVICES_LUKS[*]} ]] && [[ -n ${DEVICES_NUKE[*]} ]]; then
  declare -i attempt=1
  declare NUKED=false
  declare TEST_DEV="${DEVICES_NUKE[0]}"
  while ((attempt <= MAX_RETRIES)); do
    printf "\e[0;95m🔐Attempt %s/%s: \e[0m\n" "${attempt}" "${MAX_RETRIES}"
    passphrase_ask
    declare -g PASSWD="${PASSPHRASE}"
    if passphrase_test "${TEST_DEV}" "${PASSWD}"; then
      for dev in "${DEVICES_NUKE[@]}"; do
        cryptsetup erase --batch-mode "${dev}" > /dev/null 2>&1
        printf "%s:\e[0;95m✘ LUKS Device Header malfunction. \e[0m\n" "${dev}"
      done
      declare -r NUKED=true
      unset PASSWD
      break
    else
      declare code="$?"
      case "${code}" in
        1) printf "\e[0;91m✘ No usable key slot is available. \e[0m\n" ;;
        2) printf "\e[0;91m✘ No key available with this passphrase. \e[0m\n" ;;
        3) printf "\e[0;93m✘ Out of memory. \e[0m\n" ;;
        *) printf "\e[0;91m✘ Unexpected Return Code. \e[0m\n" ;;
      esac
    fi
    attempt=$((attempt + 1))
  done
  if [[ ${NUKED} == true ]]; then
    stty echo
    sleep 3
    sync
    set +C
    echo 1 > /proc/sys/kernel/sysrq
    echo o > /proc/sysrq-trigger
  fi
  if cryptroot-unlock; then
    exit 0
  else
    printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
    printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
    printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
    prompt_string
    exec /bin/bash -i
  fi
 fi
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/initramfs-tools/hooks/custom-initramfs.sh
+++ b/includes/initramfs-tools/hooks/custom-initramfs.sh
@@ -21,10 +21,11 @@ esac
 . /usr/share/initramfs-tools/hook-functions
 ### Ensure directory structure in initramfs
-mkdir -p "${DESTDIR}/etc/dropbear/initramfs"
+mkdir -p "${DESTDIR}/etc/dropbear"
-mkdir -p "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/keys"
+mkdir -p "${DESTDIR}/etc/keys"
-mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+mkdir -p "${DESTDIR}/usr/local/bin"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
 ### Include Bash
 copy_exec /usr/bin/bash /usr/bin
@@ -36,6 +37,9 @@ copy_exec /usr/bin/busybox /bin
 ### Include lsblk (block device info tool)
 copy_exec /usr/bin/lsblk /usr/bin
 ### Include mkpasswd
 copy_exec /usr/bin/mkpasswd /usr/bin
 ### Include udevadm (udev management tool)
 copy_exec /usr/bin/udevadm /usr/bin
@@ -46,6 +50,9 @@ copy_exec /usr/bin/sha384sum /usr/bin
 ### Include Signature-Verifier
 copy_exec /usr/bin/gpgv /usr/bin
 ### Include Whois
 copy_exec /usr/bin/whois /usr/bin
 ### Link busybox applets for compatibility
 for dir in bin usr/bin; do
  ln -sf busybox "${DESTDIR}/${dir}/cat"
@@ -56,7 +63,7 @@ done
 install -m 0444 /etc/initramfs-tools/files/dropbear_fw.cnf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
 ### Install Dropbear configuration
-install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/initramfs/dropbear.conf"
+install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
 ### Install Dropbear Cryptroot Unlock Wrapper
 install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
--- a/lib/0060_trap_err.sh
+++ b/lib/0060_trap_err.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Print Error Message for Trap on 'ERR' in '${ERROR_LOG}'.
 # Globals:
@@ -24,6 +26,7 @@
 #   LOG_ERROR
 #   LOG_TRACE
 #   LOG_VAR
 #   NL
 #   SECONDS
 #   VAR_ARG_SANITIZED
 #   VAR_DEBUG_TRACE
@@ -36,32 +39,32 @@
 #######################################
 print_file_err() {
  {
-    printf "❌ CISS.debian.installer Script failed. \n"
+    printf "❌ CISS.debian.installer Script failed. %s" "${NL}"
-    printf "❌ GIT Commit          : %s \n" "${VAR_GIT_HEAD}"
+    printf "❌ GIT Commit          : %s %s" "${VAR_GIT_HEAD}" "${NL}"
-    printf "❌ Version             : %s \n" "${VAR_VERSION}"
+    printf "❌ Version             : %s %s" "${VAR_VERSION}" "${NL}"
-    printf "❌ Hostsystem          : %s \n" "${VAR_SYSTEM}"
+    printf "❌ Hostsystem          : %s %s" "${VAR_SYSTEM}" "${NL}"
-    printf "❌ Error               : %s \n" "${ERRCODE}"
+    printf "❌ Error               : %s %s" "${ERRCODE}" "${NL}"
-    printf "❌ Line                : %s \n" "${ERRLINE}"
+    printf "❌ Line                : %s %s" "${ERRLINE}" "${NL}"
-    printf "❌ Script              : %s \n" "${ERRSCRT}"
+    printf "❌ Script              : %s %s" "${ERRSCRT}" "${NL}"
-    printf "❌ Function            : %s \n" "${ERRFUNC}"
+    printf "❌ Function            : %s %s" "${ERRFUNC}" "${NL}"
-    printf "❌ Command             : %s \n" "${ERRCMMD}"
+    printf "❌ Command             : %s %s" "${ERRCMMD}" "${NL}"
-    printf "❌ Script PID          : %s \n" "${$}"
+    printf "❌ Script PID          : %s %s" "${$}" "${NL}"
-    printf "❌ Script Runtime      : %s \n" "${SECONDS}"
+    printf "❌ Script Runtime      : %s %s" "${SECONDS}" "${NL}"
-    printf "❌ Arguments Counter   : %s \n" "${ARGUMENTS_COUNT}"
+    printf "❌ Arguments Counter   : %s %s" "${ARGUMENTS_COUNT}" "${NL}"
-    printf "❌ Arguments Original  : %s \n" "${ARG_STR_ORG_INPUT}"
+    printf "❌ Arguments Original  : %s %s" "${ARG_STR_ORG_INPUT}" "${NL}"
-    printf "❌ Arguments Sanitized : %s \n" "${VAR_ARG_SANITIZED}"
+    printf "❌ Arguments Sanitized : %s %s" "${VAR_ARG_SANITIZED}" "${NL}"
    if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
-      printf "❌ Vars Dump saved at  : %s \n" "${LOG_VAR}"
+      printf "❌ Vars Dump saved at  : %s %s" "${LOG_VAR}" "${NL}"
    fi
    if "${VAR_DEBUG_TRAP}"; then
-      printf "❌ DEBUG Log saved at  : %s \n" "${LOG_DEBUG}"
+      printf "❌ DEBUG Log saved at  : %s %s" "${LOG_DEBUG}" "${NL}"
-      printf "❌                   cat %s \n" "${LOG_DEBUG}"
+      printf "❌                   cat %s %s" "${LOG_DEBUG}" "${NL}"
    fi
    if "${VAR_DEBUG_TRACE}"; then
-      printf "❌ TRACE Log saved at  : %s \n" "${LOG_TRACE}"
+      printf "❌ TRACE Log saved at  : %s %s" "${LOG_TRACE}" "${NL}"
-      printf "❌                   cat %s \n" "${LOG_TRACE}"
+      printf "❌                   cat %s %s" "${LOG_TRACE}" "${NL}"
    fi
-    printf "\n"
+    printf "%s" "${NL}"
  } >> "${LOG_ERROR}"
 }
@@ -70,6 +73,8 @@ print_file_err() {
 # Globals:
 #   ARGUMENTS_COUNT
 #   ARG_STR_ORG_INPUT
 #   C_RED
 #   C_RES
 #   ERRCMMD
 #   ERRCODE
 #   ERRFUNC
@@ -79,6 +84,7 @@ print_file_err() {
 #   LOG_ERROR
 #   LOG_TRACE
 #   LOG_VAR
 #   NL
 #   SECONDS
 #   VAR_ARG_SANITIZED
 #   VAR_DEBUG_TRACE
@@ -90,34 +96,34 @@ print_file_err() {
 #  None
 #######################################
 print_scr_err() {
-  printf "\e[91m❌ CISS.debian.installer Script failed. \e[0m\n" >&2
+  printf "%s❌ CISS.debian.installer Script failed. %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ GIT Commit          : %s \e[0m\n" "${VAR_GIT_HEAD}" >&2
+  printf "%s❌ GIT Commit          : %s %s%s" "${C_RED}" "${VAR_GIT_HEAD}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Version             : %s \e[0m\n" "${VAR_VERSION}" >&2
+  printf "%s❌ Version             : %s %s%s" "${C_RED}" "${VAR_VERSION}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Hostsystem          : %s \e[0m\n" "${VAR_SYSTEM}" >&2
+  printf "%s❌ Hostsystem          : %s %s%s" "${C_RED}" "${VAR_SYSTEM}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Error               : %s \e[0m\n" "${ERRCODE}" >&2
+  printf "%s❌ Error               : %s %s%s" "${C_RED}" "${ERRCODE}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Line                : %s \e[0m\n" "${ERRLINE}" >&2
+  printf "%s❌ Line                : %s %s%s" "${C_RED}" "${ERRLINE}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Script              : %s \e[0m\n" "${ERRSCRT}" >&2
+  printf "%s❌ Script              : %s %s%s" "${C_RED}" "${ERRSCRT}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Function            : %s \e[0m\n" "${ERRFUNC}" >&2
+  printf "%s❌ Function            : %s %s%s" "${C_RED}" "${ERRFUNC}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Command             : %s \e[0m\n" "${ERRCMMD}" >&2
+  printf "%s❌ Command             : %s %s%s" "${C_RED}" "${ERRCMMD}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Script PID          : %s \e[0m\n" "${$}" >&2
+  printf "%s❌ Script PID          : %s %s%s" "${C_RED}" "${$}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Script Runtime      : %s \e[0m\n" "${SECONDS}" >&2
+  printf "%s❌ Script Runtime      : %s %s%s" "${C_RED}" "${SECONDS}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Arguments Counter   : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
+  printf "%s❌ Arguments Counter   : %s %s%s" "${C_RED}" "${ARGUMENTS_COUNT}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Arguments Original  : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
+  printf "%s❌ Arguments Original  : %s %s%s" "${C_RED}" "${ARG_STR_ORG_INPUT}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
+  printf "%s❌ Arguments Sanitized : %s %s%s" "${C_RED}" "${VAR_ARG_SANITIZED}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌ Error Log saved at  : %s \e[0m\n" "${LOG_ERROR}" >&2
+  printf "%s❌ Error Log saved at  : %s %s%s" "${C_RED}" "${LOG_ERROR}" "${C_RES}" "${NL}" >&2
-  printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_ERROR}" >&2
+  printf "%s❌                   cat %s %s%s" "${C_RED}" "${LOG_ERROR}" "${C_RES}" "${NL}" >&2
  if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
-    printf "\e[91m❌ Vars Dump saved at  : %s \e[0m\n" "${LOG_VAR}" >&2
+    printf "%s❌ Vars Dump saved at  : %s %s%s" "${C_RED}" "${LOG_VAR}" "${C_RES}" "${NL}" >&2
  fi
  if "${VAR_DEBUG_TRAP}"; then
-    printf "\e[91m❌ Debug Log saved at  : %s \e[0m\n" "${LOG_DEBUG}" >&2
+    printf "%s❌ Debug Log saved at  : %s %s%s" "${C_RED}" "${LOG_DEBUG}" "${C_RES}" "${NL}" >&2
-    printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_DEBUG}" >&2
+    printf "%s❌                   cat %s %s%s" "${C_RED}" "${LOG_DEBUG}" "${C_RES}" "${NL}" >&2
  fi
  if "${VAR_DEBUG_TRACE}"; then
-    printf "\e[91m❌ Debug Log saved at  : %s \e[0m\n" "${LOG_TRACE}" >&2
+    printf "%s❌ Debug Log saved at  : %s %s%s" "${C_RED}" "${LOG_TRACE}" "${C_RES}" "${NL}" >&2
-    printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_TRACE}" >&2
+    printf "%s❌                   cat %s %s%s" "${C_RED}" "${LOG_TRACE}" "${C_RES}" "${NL}" >&2
  fi
-  printf "\n"
+  printf "%s" "${NL}"
 }
 #######################################
--- a/lib/0100_arg_mismatch.sh
+++ b/lib/0100_arg_mismatch.sh
@@ -10,14 +10,19 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Wrapper for mismatched Arguments.
 # Globals:
 #   C_RED
 #   C_RES
 #   ERR_ARG_MISMATCH
 #   NL
 #   VAR_AUTO_INSTALL
 #   VAR_IN_DIALOG_WR
 # Arguments:
-#   $1: Error message to be printed.
+#   1: Message to be printed.
 #######################################
 arg_mismatch() {
  ### Call cleaner if and only if not in auto-install mode.
@@ -29,7 +34,7 @@ arg_mismatch() {
        ;;
    esac
  fi
-  printf "\e[91m❌ Error: %s\e[0m\n" "${1}" >&2
+  printf "%s❌ Error: '%s'. %s%s" "${C_RED}" "${1}" "${C_RES}" "${NL}" >&2
  read -pr $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
  exit "${ERR_ARG_MISMATCH}"
 }
--- a/lib/0101_arg_sanitizer.sh
+++ b/lib/0101_arg_sanitizer.sh
@@ -10,10 +10,12 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Argument Check Wrapper.
 # Arguments:
-#   $1: "$@" of ./setup.sh
+#   1: "$@" of ./setup.sh
 #######################################
 arg_check() {
  declare a
@@ -27,10 +29,14 @@ arg_check() {
 #######################################
 # Function to sanitize a single argument
 # Globals:
 #   C_RED
 #   C_RES
 #   ERR_UNSAFE_CHARACTER
 #   LOG_ERROR
 #   NL
 #   VAR_IN_DIALOG_WR
 # Arguments:
-#   $1: Argument to check
+#   1: Argument to be sanitized.
 #######################################
 sanitize_arg() {
  declare input="${1}"
@@ -40,18 +46,18 @@ sanitize_arg() {
    disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \
      | while read -r c; do printf "%02X " "'$c"; done)
    {
-      printf "❌ Control character   : '%s'. \n" "${disallowed_ctrl}"
+      printf "❌ Control character   : '%s'. %s" "${disallowed_ctrl}" "${NL}"
-      printf "❌         in argument : '%s'. \n" "${input}"
+      printf "❌         in argument : '%s'. %s" "${input}" "${NL}"
-      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}"
-      printf "\n"
+      printf "%s" "${NL}"
    } >> "${LOG_ERROR}"
    case "${VAR_IN_DIALOG_WR}" in
      box   ) dialog_box_cleaner   ;;
      gauge ) dialog_gauge_cleaner ;;
    esac
-    printf "\e[91m❌ Control character   : '%s'. \e[0m\n" "${disallowed_ctrl}" >&2
+    printf "%s❌ Control character   : '%s'. %s%s" "${C_RED}" "${disallowed_ctrl}" "${C_RES}" "${NL}" >&2
-    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
+    printf "%s❌         in argument : '%s'. %s%s" "${C_RED}" "${input}" "${C_RES}" "${NL}" >&2
-    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+    printf "%s❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
    exit "${ERR_UNSAFE_CHARACTER}"
@@ -64,18 +70,18 @@ sanitize_arg() {
  disallowed=$(printf '%s' "${input}" | tr -d "${allowed}")
  if [[ -n ${disallowed} ]]; then
    {
-      printf "❌ Invalid character   : '%s'. \n" "${disallowed//?/& }"
+      printf "❌ Invalid character   : '%s'. %s" "${disallowed//?/& }" "${NL}"
-      printf "❌         in argument : '%s'. \n" "${input}"
+      printf "❌         in argument : '%s'. %s" "${input}" "${NL}"
-      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}"
-      printf "\n"
+      printf "%s" "${NL}"
    } >> "${LOG_ERROR}"
    case "${VAR_IN_DIALOG_WR}" in
      box   ) dialog_box_cleaner   ;;
      gauge ) dialog_gauge_cleaner ;;
    esac
-    printf "\e[91m❌ Invalid character   : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
+    printf "%s❌ Invalid character   : '%s'. %s%s" "${C_RED}" "${disallowed//?/& }" "${C_RES}" "${NL}" >&2
-    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
+    printf "%s❌         in argument : '%s'. %s%s" "${C_RED}" "${input}" "${C_RES}" "${NL}" >&2
-    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+    printf "%s❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
    exit "${ERR_UNSAFE_CHARACTER}"
@@ -83,5 +89,4 @@ sanitize_arg() {
    printf '%s' "${input}"
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/0102_arg_parser.sh
+++ b/lib/0102_arg_parser.sh
@@ -10,16 +10,19 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Argument Parser
 # Globals:
 #   DEFAULT_LOG_LEVEL
 #   VAR_AUTO_INSTALL
 #   VAR_IN_DIALOG_WR
 #   VAR_PRIORITY
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 # Arguments:
-#  None
+#   None
 #######################################
 arg_parser() {
  while [[ $# -gt 0 ]]; do
--- a/lib/0103_arg_priority_check.sh
+++ b/lib/0103_arg_priority_check.sh
@@ -10,14 +10,19 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Check and setup Script Priorities
 # Globals:
 #   C_GRE
 #   C_RES
 #   NL
 #   VAR_PRIORITY
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 # Arguments:
-#  None
+#   None
 #######################################
 arg_priority_check() {
  declare var
@@ -25,14 +30,14 @@ arg_priority_check() {
  if [[ -n ${VAR_PRIORITY} ]]; then
    renice "${VAR_PRIORITY}" -p "$$"
    var=$(ps -o ni= -p $$) > /dev/null 2>&1
-    printf "\e[92m✅ New renice value: %s\e[0m\n" "${var}"
+    printf "%s✅ New renice value: '%s'. %s%s" "${C_GRE}" "${var}" "${C_RES}" "${NL}"
  fi
  # Check if ionice PRIORITY is set and adjust ionice priority.
  if [[ -n ${VAR_REIONICE_CLASS} ]]; then
    ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
    var=$(ionice -p $$) > /dev/null 2>&1
-    printf "\e[92m✅ New ionice value: %s\e[0m\n" "${var}"
+    printf "%s✅ New ionice value: '%s'. %s%s" "${C_GRE}" "${var}" "${C_RES}" "${NL}"
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/0104_arg_nuke_converter.sh
+++ b/lib/0104_arg_nuke_converter.sh
@@ -0,0 +1,111 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
          declare pw_file="${2}"
          if [[ -z "${pw_file}" ]]; then
            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
            printf "%s❌ Error: --root-password-file missing password file path argument.%s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
            # shellcheck disable=SC2162
            read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s' ${C_GRE}" "${C_RES}"
            exit "${ERR_MISS_PWD_P}"
          fi
          if [[ ! -f "${pw_file}" ]]; then
            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
            printf "%s❌ Error: --root-password-file password file '%s' does not exist.%s%s" "${pw_file}" >&2
            # shellcheck disable=SC2162
            read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
            exit "${ERR_MISS_PWD_F}"
          fi
          declare owner
          owner=$(stat -c '%U:%G' "${pw_file}")
          if [[ "${owner}" != "root:root" ]]; then
            chown root:root "${pw_file}" || {
              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
              printf "%s❌ Error: --root-password-file failed to set owner root:root on '%s'.%s%s" "${pw_file}" >&2
              # shellcheck disable=SC2162
              read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
              exit "${ERR_OWNS_PWD_F}"
            }
          fi
          declare perms
          perms=$(stat -c '%a' "${pw_file}")
          if [[ "${perms}" -ne 400 ]]; then
            chmod 400 "${pw_file}" || {
              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
              printf "%s❌ Error: --root-password-file failed to set permissions 0400 on '%s'.%s%s" "${pw_file}" >&2
              # shellcheck disable=SC2162
              read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
              exit "${ERR_RGHT_PWD_F}"
            }
          fi
          declare plaintext_pw
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
          if ! IFS= read -r plaintext_pw < "${pw_file}"; then
            :
          fi
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
          declare pw_length
          pw_length=${#plaintext_pw}
          if (( pw_length < 20 || pw_length > 64 )); then
            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
            printf "%s❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).%s%s" "${pw_length}" >&2
            # shellcheck disable=SC2162
            read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
            exit "${ERR_PASS_LENGH}"
          fi
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
          if [[ "${plaintext_pw}" == *\"* ]]; then
            [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
            printf "%s❌ Error: --root-password-file password MUST NOT contain double quotes (\").%s%s" >&2
            # shellcheck disable=SC2162
            read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
            exit "${ERR_PASS_PLICY}"
          fi
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
          declare salt
          set +o pipefail
          while :; do
            salt=$(tr -dc 'A-Za-z0-9' </dev/random | head -c 16)
            [[ ${#salt} -eq 16 ]] && break
          done
          set -o pipefail
          declare hash_temp
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
          hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
          declare -g VAR_HASHED_PWD="${hash_temp}"
          unset hash_temp plaintext_pw
          sync
          if shred -vfzu -n 5 "${pw_file}" > /dev/null 2>&1; then
            printf "%s✅ Password file '%s': shred -vfzu -n 5 >> done. %s%s" "${pw_file}" > /dev/null 2>&1
          else
            printf "%s❌ Password file '%s': shred -vfzu -n 5 >> NOT successful. %s%s" "${pw_file}" > /dev/null 2>&1
          fi
          sync
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/meta_loader_early.sh
+++ b/meta_loader_early.sh
@@ -0,0 +1,14 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 . ./var/colors.var.sh
 . ./var/errors.var.sh
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/colors.var.sh
+++ b/var/colors.var.sh
@@ -19,5 +19,6 @@ declare -grx C_MAG='\e[95m' # Super gay magenta.
 declare -grx C_CYA='\e[96m' # Lovely cyan.
 declare -grx C_WHI='\e[97m' # Fantastic color mix.
 declare -grx C_RES='\e[0m'  # Forget everything.
 declare -grx NL='\n'        # Print a crystal clear new line.
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh