V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-25 17:28:11 +02:00
parent 5496977d6a
commit 804788b38b
6 changed files with 312 additions and 348 deletions
--- a/source/func/3.5.1.functions_installation_partition_encryption.sh
+++ b/source/func/3.5.1.functions_installation_partition_encryption.sh
@@ -1,286 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
-# SPDX-PackageName: CISS.2025.hardened.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-###########################################################################################
-# 3.5.1. Functions - installation - partition encryption                                  #
-###########################################################################################
-
-###########################################################################################
-# Function to encrypt the respective partition on each device according to the recipe string chosen.
-# Globals:
-#   DIR_BAK
-#   DIR_CNF
-#   MAP_EPHEMERAL_DEV
-#   MAP_EPHEMERAL_ENCLABEL
-#   MAP_PATH_CRYPT
-#   MAP_UUID_CRYPT
-#   MODULE_ERR
-#   MODULE_TXT
-#   RECIPE_DEV_PARTITIONS
-#   RECIPE_STRING
-# Arguments:
-#   None
-###########################################################################################
-3_5_1_functions_installation_partition_encryption() {
-  declare -g -x MODULE_ERR="3_5_1_functions_installation_partition_encryption"
-  declare -g -x MODULE_TXT="Encrypting each partition on each device"
-  do_show_header "${MODULE_TXT}"
-
-  ### Reminder ###
-  # Array: "${!RECIPE_DEV_PARTITIONS[@]}"
-  # ${DEVICE}: "${RECIPE_DEV_PARTITIONS[${DEVICE}]}"
-
-  # Declare local variables
-  declare DEV
-  declare NUM_PARTITIONS
-  declare PARTITION
-
-  # Iterate through each device
-  for DEV in "${!RECIPE_DEV_PARTITIONS[@]}"; do
-    NUM_PARTITIONS=${RECIPE_DEV_PARTITIONS[${DEV}]}
-
-    # Iterate through each partition of the current device
-    for PARTITION in $(seq 1 "${NUM_PARTITIONS}"); do
-
-      # Generate vars for the current partition
-      declare ENCRYPTION_ENABLE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_enable"
-      declare ENCRYPTION_EPHEMERAL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_ephemeral"
-      declare ENCRYPTION_INTEGRITY_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_integrity"
-      declare ENCRYPTION_NUKE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_nuke"
-      declare ENCRYPTION_CIPHER_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_cipher"
-      declare ENCRYPTION_HASH_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_hash"
-      declare ENCRYPTION_ITERTIME_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_itertime"
-      declare ENCRYPTION_KEY_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_key"
-      declare ENCRYPTION_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_label"
-      declare ENCRYPTION_METADATASIZE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_metadatasize"
-      declare ENCRYPTION_PBKDF_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_pbkdf"
-      declare ENCRYPTION_RNG_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_rng"
-      declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_label"
-      declare MOUNT_PATH_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_mount_path"
-
-      # Initialize variables
-      declare ENCRYPTION_ENABLE=${!ENCRYPTION_ENABLE_VAR}
-      declare EPHEMERAL_ENABLE=${!ENCRYPTION_EPHEMERAL_VAR}
-      declare INTEGRITY_ENABLE=${!ENCRYPTION_INTEGRITY_VAR}
-      declare ENCRYPTION_CIPHER=${!ENCRYPTION_CIPHER_VAR}
-      declare ENCRYPTION_HASH=${!ENCRYPTION_HASH_VAR}
-      declare ENCRYPTION_ITERTIME=${!ENCRYPTION_ITERTIME_VAR}
-      declare ENCRYPTION_KEY=${!ENCRYPTION_KEY_VAR}
-      declare ENCRYPTION_LABEL=${!ENCRYPTION_LABEL_VAR}
-      declare ENCRYPTION_METADATASIZE=${!ENCRYPTION_METADATASIZE_VAR}
-      declare ENCRYPTION_PBKDF=${!ENCRYPTION_PBKDF_VAR}
-      declare ENCRYPTION_RNG=${!ENCRYPTION_RNG_VAR}
-      declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
-      declare MOUNT_PATH=${!MOUNT_PATH_VAR}
-      declare NUKE_ENABLE=${!ENCRYPTION_NUKE_VAR}
-
-      # Encrypting partition
-      if [[ ${ENCRYPTION_ENABLE,,} == "true" ]]; then
-
-        if [[ ${EPHEMERAL_ENABLE,,} == "true" ]]; then
-
-          if [[ ${MOUNT_PATH} == "SWAP" ]]; then
-
-            mkfs.ext4 -L "${FILESYSTEM_LABEL}" /dev/"${DEV}""${PARTITION}" 1M
-            do_log "info" "false" "Ephemeral SWAP prepared on: '/dev/${DEV}${PARTITION}'."
-            MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
-            MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
-            do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_DEV: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]}'"
-            do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_ENCLABEL: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}'"
-
-          elif [[ ${MOUNT_PATH} == "/tmp" ]]; then
-
-            mkfs.ext4 -L "${FILESYSTEM_LABEL}" /dev/"${DEV}""${PARTITION}" 1M
-            do_log "info" "false" "Ephemeral /tmp prepared on: '/dev/${DEV}${PARTITION}'."
-            MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
-            MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
-            do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_DEV: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]}'"
-            do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_ENCLABEL: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}'"
-
-          else
-
-            do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'MOUNT_PATH': '${MOUNT_PATH}'."
-
-          fi
-
-        elif [[ ${EPHEMERAL_ENABLE,,} == "false" ]]; then
-
-          if [[ ${INTEGRITY_ENABLE,,} == "true" ]]; then
-
-            if [[ ${NUKE_ENABLE,,} == "true" ]]; then
-
-              cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
-                --key-file="${DIR_CNF}"password.txt \
-                --type luks2 \
-                --cipher "${ENCRYPTION_CIPHER}" \
-                --hash "${ENCRYPTION_HASH}" \
-                --iter-time "${ENCRYPTION_ITERTIME}" \
-                --key-size "${ENCRYPTION_KEY}" \
-                --label "${ENCRYPTION_LABEL}" \
-                --luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
-                --pbkdf "${ENCRYPTION_PBKDF}" \
-                --"${ENCRYPTION_RNG}" \
-                --integrity hmac-sha512 \
-                --batch-mode --verbose
-
-              cryptsetup luksAddKey /dev/"${DEV}""${PARTITION}" \
-                --key-file="${DIR_CNF}"password.txt \
-                --new-keyfile="${DIR_CNF}"password_nuke.txt \
-                --new-key-slot 31 \
-                --batch-mode --verbose
-
-              do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' dm-integrity encrypted and 'Nuke-Key' added."
-
-              cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
-                --header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
-
-              do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
-
-            elif [[ ${NUKE_ENABLE,,} == "false" ]]; then
-
-              cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
-                --key-file="${DIR_CNF}"password.txt \
-                --type luks2 \
-                --cipher "${ENCRYPTION_CIPHER}" \
-                --hash "${ENCRYPTION_HASH}" \
-                --iter-time "${ENCRYPTION_ITERTIME}" \
-                --key-size "${ENCRYPTION_KEY}" \
-                --label "${ENCRYPTION_LABEL}" \
-                --luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
-                --pbkdf "${ENCRYPTION_PBKDF}" \
-                --"${ENCRYPTION_RNG}" \
-                --integrity hmac-sha512 \
-                --batch-mode --verbose
-
-              do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' dm-integrity encrypted."
-
-              cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
-                --header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
-
-              do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
-
-            else
-
-              do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'NUKE_ENABLE': '${NUKE_ENABLE}'."
-
-            fi
-
-          elif [[ ${INTEGRITY_ENABLE,,} == "false" ]]; then
-
-            if [[ ${NUKE_ENABLE,,} == "true" ]]; then
-
-              cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
-                --key-file="${DIR_CNF}"password.txt \
-                --type luks2 \
-                --cipher "${ENCRYPTION_CIPHER}" \
-                --hash "${ENCRYPTION_HASH}" \
-                --iter-time "${ENCRYPTION_ITERTIME}" \
-                --key-size "${ENCRYPTION_KEY}" \
-                --label "${ENCRYPTION_LABEL}" \
-                --luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
-                --pbkdf "${ENCRYPTION_PBKDF}" \
-                --"${ENCRYPTION_RNG}" \
-                --batch-mode --verbose
-
-              cryptsetup luksAddKey /dev/"${DEV}""${PARTITION}" \
-                --key-file="${DIR_CNF}"password.txt \
-                --new-keyfile="${DIR_CNF}"password_nuke.txt \
-                --new-key-slot 31 \
-                --batch-mode --verbose
-
-              do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' encrypted and 'Nuke-Key' added."
-
-              cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
-                --header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
-
-              do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
-
-            elif [[ ${NUKE_ENABLE,,} == "false" ]]; then
-
-              cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
-                --key-file="${DIR_CNF}"password.txt \
-                --type luks2 \
-                --cipher "${ENCRYPTION_CIPHER}" \
-                --hash "${ENCRYPTION_HASH}" \
-                --iter-time "${ENCRYPTION_ITERTIME}" \
-                --key-size "${ENCRYPTION_KEY}" \
-                --label "${ENCRYPTION_LABEL}" \
-                --luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
-                --pbkdf "${ENCRYPTION_PBKDF}" \
-                --"${ENCRYPTION_RNG}" \
-                --batch-mode --verbose
-
-              do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' encrypted."
-
-              cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
-                --header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
-
-              do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
-
-            else
-
-              do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'NUKE_ENABLE': '${NUKE_ENABLE}'."
-
-            fi
-
-          else
-
-            do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'INTEGRITY_ENABLE': '${INTEGRITY_ENABLE}'."
-
-          fi
-
-        else
-
-            do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'EPHEMERAL_ENABLE': '${EPHEMERAL_ENABLE}'."
-
-        fi
-
-      else
-
-        do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'ENCRYPTION_ENABLE': '${ENCRYPTION_ENABLE}'."
-
-      fi
-
-      # Opening encrypted partition
-      if [[ ${ENCRYPTION_ENABLE,,} == "true" && ${EPHEMERAL_ENABLE,,} == "false" ]]; then
-
-        cryptsetup luksOpen /dev/"${DEV}""${PARTITION}" \
-          --key-file="${DIR_CNF}"password.txt \
-          "${ENCRYPTION_LABEL}"
-        do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' opened as '/dev/mapper/${ENCRYPTION_LABEL}'."
-
-        # Save UUID of the encrypted partition
-        declare UUID
-        UUID=$(blkid -s UUID -o value /dev/mapper/"${ENCRYPTION_LABEL}")
-        if [[ "${MOUNT_PATH}" = "/" ]]; then
-          CRYPT_ROOT="$(blkid -s UUID -o value "/dev/mapper/${ENCRYPTION_LABEL}")"
-          declare -g -r CRYPT_ROOT
-        fi
-
-        MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
-        MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
-        do_log "info" "false" "Saved in HashMap MAP_UUID_CRYPT: '${ENCRYPTION_LABEL}' -> '${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]}'"
-        do_log "info" "false" "Saved in HashMap MAP_PATH_CRYPT: '${MOUNT_PATH}' -> '${MAP_PATH_CRYPT["${MOUNT_PATH}"]}'"
-
-      else
-
-        do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Opening encrypted partition - Invalid value for 'ENCRYPTION_ENABLE': '${ENCRYPTION_ENABLE}' and 'EPHEMERAL_ENABLE': '${EPHEMERAL_ENABLE}'."
-
-      fi
-
-    done
-
-  done
-
-  do_show_footer
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh: