V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-29 19:27:00 +02:00
parent ea2454dd66
commit b1be218ea0
5 changed files with 76 additions and 183 deletions


@@ -21,7 +21,6 @@ guard_sourcing
# HMP_EPHEMERAL_DEV
# HMP_EPHEMERAL_ENCLABEL
# HMP_MOUNTPATH_ENCRYPTIONLABEL
# RECIPE_STRING
# VAR_CRYPT_ROOT
# VAR_RECIPE_STRING
# VAR_SETUP_PART
@@ -62,201 +61,95 @@ partition_encryption() {
var_filesystem_label=$(yq_val e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label" "${VAR_SETUP_PART}")
var_mount_path=$(yq_val e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}")
if [[ "${var_encryption_enable,,}" == "true" ]]; then
if [[ "${var_encryption_enable,,}" != "true" ]]; then
continue
fi
if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then
declare -a ary_luks_opts=(
--key-file="${DIR_CNF}/password.txt"
--type luks2
--cipher "${var_encryption_cipher}"
--hash "${var_encryption_hash}"
--iter-time "${var_encryption_iter}"
--key-size "${var_encryption_key}"
--label "${var_encryption_label}"
--luks2-metadata-size "${var_encryption_meta}"
--pbkdf "${var_encryption_pbkdf}"
--"${var_encryption_rng}"
--batch-mode --verbose
)
if [[ "${var_mount_path}" == "SWAP" ]]; then
[[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=(--integrity hmac-sha512)
if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then
case "${var_mount_path}" in
SWAP|/tmp)
mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
do_log "info" "false" "Ephemeral 'SWAP' prepared on: '/dev/${var_dev}${var_part}'."
do_log "info" "false" "Ephemeral: '${var_mount_path}' prepared on: '/dev/${var_dev}${var_part}'."
HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [HMP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [HMP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
continue
;;
elif [[ "${var_mount_path}" == "/tmp" ]]; then
*)
do_log "error" "false" "Invalid mount path: '${var_mount_path}' for partition: '/dev/${var_dev}${var_part}'."
continue
;;
mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
do_log "info" "false" "Ephemeral '/tmp' prepared on: '/dev/${var_dev}${var_part}'."
esac
HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
fi
else
cryptsetup luksFormat "${ary_luks_opts[@]}" "/dev/${var_dev}${var_part}"
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'MOUNT_PATH': '${var_mount_path}'."
if [[ "${var_encryption_integrity,,}" == "true" ]]; then
fi
elif [[ "${var_encryption_ephemeral,,}" == "false" ]]; then
if [[ "${var_encryption_integrity,,}" == "true" ]]; then
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--integrity hmac-sha512 \
--batch-mode --verbose
cryptsetup luksAddKey "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
elif [[ "${var_encryption_nuke,,}" == "false" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--integrity hmac-sha512 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'NUKE_ENABLE': '${var_encryption_nuke}'."
fi
elif [[ "${var_encryption_integrity,,}" == "false" ]]; then
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--batch-mode --verbose
cryptsetup luksAddKey "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '/${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
elif [[ ${var_encryption_nuke,,} == "false" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '/${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'NUKE_ENABLE': '${var_encryption_nuke}'."
fi
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'INTEGRITY_ENABLE': '${var_encryption_integrity}'."
fi
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'EPHEMERAL_ENABLE': '${var_encryption_ephemeral}'."
fi
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
else
do_log "error" "true" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'ENCRYPTION_ENABLE': '${var_encryption_enable}'."
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted."
fi
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksAddKey \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose \
"/dev/${var_dev}${var_part}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' 'Nuke-Key' added."
fi
cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak" "/dev/${var_dev}${var_part}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
### Opening encrypted partition.
if [[ "${var_encryption_enable,,}" == "true" && ${var_encryption_ephemeral,,} == "false" ]]; then
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
"${var_encryption_label}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
"${var_encryption_label}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
### Store UUID of the encrypted partition
# shellcheck disable=SC2155
declare var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")
# shellcheck disable=SC2155
[[ "${var_mount_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
### Store UUID of the encrypted partition
# shellcheck disable=SC2155
declare var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")
if [[ "${var_mount_path}" = "/" ]]; then
# shellcheck disable=SC2155
declare -grx VAR_CRYPT_ROOT="$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")"
fi
HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]="${var_uuid}"
HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Saved in HashMap [HMP_ENCRYPTIONLABEL_UUID] : '${var_encryption_label}' -> '${HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]}'"
do_log "info" "false" "Saved in HashMap [HMP_MOUNTPATH_ENCRYPTIONLABEL] : '${var_mount_path}' -> '${HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]}'"
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Opening encrypted partition - Invalid value for 'ENCRYPTION_ENABLE': '${var_encryption_enable}' and 'EPHEMERAL_ENABLE': '${var_encryption_ephemeral}'."
fi
HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]="${var_uuid}"
HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Saved in HashMap [HMP_ENCRYPTIONLABEL_UUID] : '${var_encryption_label}' -> '${HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]}'"
do_log "info" "false" "Saved in HashMap [HMP_MOUNTPATH_ENCRYPTIONLABEL] : '${var_mount_path}' -> '${HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]}'"
done
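Review bot: The refactor reduces the old true/false validation of `EPHEMERAL_ENABLE`, `INTEGRITY_ENABLE` and `NUKE_ENABLE` to a single `== "true"` test each (the `[[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=(--integrity hmac-sha512)` line, the `if [[ "${var_encryption_ephemeral,,}" == "true" ]]` block and the `if [[ "${var_encryption_nuke,,}" == "true" ]]` block), so the removed `Invalid value for 'INTEGRITY_ENABLE'`/`'NUKE_ENABLE'`/`'EPHEMERAL_ENABLE'` error paths are gone. A misspelled value such as `ture` is now silently treated as false: the partition is formatted without dm-integrity or without the nuke key and no error is logged, which is a worse failure mode than the old explicit rejection. Suggest rejecting anything but true/false before the `luksFormat`, e.g. for the nuke flag `[[ "${var_encryption_nuke,,}" == "true" || "${var_encryption_nuke,,}" == "false" ]] || { do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'NUKE_ENABLE': '${var_encryption_nuke}'."; continue; }`, and the same two-line guard for the integrity and ephemeral flags. Separately, `cryptsetup luksFormat "${ary_luks_opts[@]}" "/dev/${var_dev}${var_part}"` and the following `luksAddKey`, `luksHeaderBackup` and `luksOpen` calls still have no status check, so unless `set -e` is active in the sourced file (not visible here) a failed format falls through to `luksOpen` and the `blkid` lookup and stores an empty UUID in `HMP_ENCRYPTIONLABEL_UUID`. `partition_encryption()` and its enclosing `for` loop begin outside the hunk.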