V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-20 19:43:09 +02:00
parent 55a0cb6884
commit e1f09ca170
27 changed files with 1100 additions and 909 deletions
--- a/func/1250_yaml_parser.sh
+++ b/func/1250_yaml_parser.sh
@@ -44,8 +44,9 @@ yaml_parser() {
    esac
  done < "${VAR_PRESEED}"

-  sed -i '/^software_[0-9]\+=/d' "${VAR_PRESEED}"
+  sed -i '/^grub_parameter_[0-9]\+=/d' "${VAR_PRESEED}"
  sed -i '/^ntp_server_[0-9]\+=/d' "${VAR_PRESEED}"
+  sed -i '/^software_[0-9]\+=/d' "${VAR_PRESEED}"

  ### Substitute all key= by key=""
  sed -i -E 's/^(.*)=\s*$/\1=""/' "${VAR_PRESEED}"
--- a/func/1251_yaml_reader.sh
+++ b/func/1251_yaml_reader.sh
@@ -47,10 +47,10 @@ yaml_reader() {
    fi
  done < "${var_if}"

-  if [[ -n ${VAR_RECIPE_STRING} ]]; then
-    do_log "info" "false" "Found active recipe string: '${VAR_RECIPE_STRING}'."
+  if [[ -n "${VAR_RECIPE_STRING}" ]]; then
+    do_log "info" "true" "Found active recipe string: '${VAR_RECIPE_STRING}'."
  else
-    do_log "fatal" "false" "Found NO active recipe string: '${VAR_RECIPE_STRING}'." >&2
+    do_log "fatal" "true" "Found NO active recipe string: '${VAR_RECIPE_STRING}'." >&2
    exit "${ERR_NO_VALID_RECIPE}"
  fi

@@ -79,9 +79,9 @@ END { print max }
  declare -gx VAR_RECIPE_DEV_COUNTER="${var_highest_dev}"

  if [[ -n ${VAR_RECIPE_DEV_COUNTER} ]]; then
-    do_log "info" "false" "Found highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'."
+    do_log "info" "true" "Found highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'."
  else
-    do_log "fatal" "false" "Found NO highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'." >&2
+    do_log "fatal" "true" "Found NO highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'." >&2
    exit "${ERR_NO_VALID_RECIPE}"
  fi

@@ -115,6 +115,10 @@ END { print max }
    do_log "info" "false" "Highest number of partitions for ${var_device}: ${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}"
  done

+  ### Extract the chosen Nuke mechanism
+  declare recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
+  declare -gx VAR_NUKE="${!recipe_nuke_var}"
+
  ### Extract chosen partition table
  declare recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
  declare -gx VAR_RECIPE_TABLE="${!recipe_table_var}"
--- a/func/3220_partition_encryption.sh
+++ b/func/3220_partition_encryption.sh
@@ -34,10 +34,10 @@ partition_encryption() {
  ### Declare Arrays and Variables.
  declare -Agx HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL HMP_EPHEMERAL_FS_LABEL HMP_PATH_LUKSUUID HMP_PATH_ENCLABEL
  declare var_dev var_part \
-    var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_nuke var_encryption_cipher \
+    var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_cipher \
    var_encryption_hash var_encryption_iter var_encryption_key var_encryption_label var_encryption_meta \
    var_encryption_pbkdf var_encryption_rng var_filesystem_label var_mount_path var_uuid
-  declare -a ary_devs ary_parts
+  declare -a ary_devs=() ary_parts=() ary_luks_opts=()

  ### Iterate over all devices in the recipe.
  readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
@@ -51,7 +51,6 @@ partition_encryption() {
      var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable"       "${VAR_SETUP_PART}")
      var_encryption_ephemeral=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.ephemeral" "${VAR_SETUP_PART}")
      var_encryption_integrity=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.integrity" "${VAR_SETUP_PART}")
-      var_encryption_nuke=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.nuke"           "${VAR_SETUP_PART}")
      var_encryption_cipher=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.cipher"       "${VAR_SETUP_PART}")
      var_encryption_hash=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.hash"           "${VAR_SETUP_PART}")
      var_encryption_iter=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.itertime"       "${VAR_SETUP_PART}")
@@ -67,21 +66,26 @@ partition_encryption() {
        continue
      fi

-      declare -a ary_luks_opts=(
-        --key-file="${DIR_CNF}/password.txt"
-        --type luks2
-        --cipher "${var_encryption_cipher}"
-        --hash "${var_encryption_hash}"
-        --iter-time "${var_encryption_iter}"
-        --key-size "${var_encryption_key}"
-        --label "${var_encryption_label}"
-        --luks2-metadata-size "${var_encryption_meta}"
-        --pbkdf "${var_encryption_pbkdf}"
-        --"${var_encryption_rng}"
-        --batch-mode --verbose
+      if [[ "${var_mount_path,,}" == "/boot" ]]; then
+        ary_luks_opts=( "--key-file=${DIR_CNF}/password_luks_boot.txt" )
+      else
+        ary_luks_opts=( "--key-file=${DIR_CNF}/password_luks_common.txt" )
+      fi
+
+      ary_luks_opts+=(
+        "--type luks2"
+        "--cipher ${var_encryption_cipher}"
+        "--hash ${var_encryption_hash}"
+        "--iter-time ${var_encryption_iter}"
+        "--key-size ${var_encryption_key}"
+        "--label ${var_encryption_label}"
+        "--luks2-metadata-size ${var_encryption_meta}"
+        "--pbkdf ${var_encryption_pbkdf}"
+        "--${var_encryption_rng}"
+        "--batch-mode --verbose"
      )

-      [[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=(--integrity hmac-sha512)
+      [[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=( "--integrity hmac-sha512" )

      if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then

@@ -113,22 +117,28 @@ partition_encryption() {

      if [[ "${var_encryption_integrity,,}" == "true" ]]; then

-        do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
+        do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."

      else

-        do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted."
+        do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' encrypted."

      fi

      cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak" "/dev/${var_dev}${var_part}"
-      do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
+      do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."

      ### Opening encrypted container.
-      cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
-        --key-file="${DIR_CNF}/password.txt" \
-        "${var_encryption_label}"
-      do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
+      if [[ "${var_mount_path,,}" == "/boot" ]]; then
+        cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
+          --key-file="${DIR_CNF}/password_luks_boot.txt" \
+          "${var_encryption_label}"
+      else
+        cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
+          --key-file="${DIR_CNF}/password_luks_common.txt" \
+          "${var_encryption_label}"
+      fi
+      do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."

      ### Store UUID of the LUKS container.
      var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")
--- a/func/4060_generate_crypttab.sh
+++ b/func/4060_generate_crypttab.sh
@@ -26,8 +26,8 @@ guard_sourcing
 #######################################
 write_crypttab() {
  declare _label="$1" _device="$2" _key_file="$3" _opts="$4"
-  printf "%s    %s    %s    %s\n" "${_label}" "${_device}" "${_key_file}" "${_opts}" >> "${TARGET}/etc/crypttab"
-  do_log "info" "true" "crypttab entry generated: '${_label}    ${_device}    ${_key_file}    ${_opts}'."
+  printf "%s %s %s %s\n" "${_label}" "${_device}" "${_key_file}" "${_opts}" >> "${TARGET}/etc/crypttab"
+  do_log "info" "true" "crypttab entry generated: '${_label} ${_device} ${_key_file} ${_opts}'."
  return 0
 }

@@ -39,9 +39,10 @@ write_crypttab() {
 #   HMP_PATH_ENCLABEL
 #   HMP_PATH_LUKSUUID
 #   TARGET
+#   VAR_NUKE
 #   dropbear_boot
 # Arguments:
-#   None
+#  None
 # Returns:
 #   0: on success
 #######################################
@@ -49,6 +50,7 @@ generate_crypttab() {
  declare var_key var_encryption_label var_luks_uuid

  ### Generate '${TARGET}/etc/crypttab' header.
+  install -d -m 0755 "${TARGET}/etc"
  : >| "${TARGET}/etc/crypttab"
  chmod 0600 "${TARGET}/etc/crypttab"

@@ -79,6 +81,13 @@ EOF

    if [[ "${dropbear_boot,,}" == "true" ]]; then

+      if [[ "${VAR_NUKE,,}" == "true" && "${var_key,,}" == "/" ]]; then
+
+        write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
+        continue
+
+      fi
+
      write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"

    else
@@ -98,14 +107,13 @@ EOF
    case "${var_key}" in
      SWAP)
        write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_ephemeral_fs_label}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096"
-        continue
        ;;
      /tmp)
        write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_ephemeral_fs_label}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4"
-        continue
        ;;
      *)
        do_log "error" "false" "Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
+        continue
        ;;
    esac

--- a/func/4130_setup_network.sh
+++ b/func/4130_setup_network.sh
@@ -58,16 +58,16 @@ setup_network() {
  declare -a ary_ipv4_ns ary_ipv6_ns

  ary_ipv4_ns+=("${network_static_ipv4nameserver_0}")
-  [[ -v "${network_static_ipv4nameserver_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_1}")
-  [[ -v "${network_static_ipv4nameserver_2}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_2}")
-  [[ -v "${network_static_ipv4nameserver_fallback_0}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_0}")
-  [[ -v "${network_static_ipv4nameserver_fallback_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_1}")
+  [[ -v network_static_ipv4nameserver_1 ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_1}")
+  [[ -v network_static_ipv4nameserver_2 ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_2}")
+  [[ -v network_static_ipv4nameserver_fallback_0 ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_0}")
+  [[ -v network_static_ipv4nameserver_fallback_1 ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_1}")

  ary_ipv6_ns+=("${network_static_ipv6nameserver_0}")
-  [[ -v "${network_static_ipv6nameserver_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_1}")
-  [[ -v "${network_static_ipv6nameserver_2}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_2}")
-  [[ -v "${network_static_ipv6nameserver_fallback_0}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_0}")
-  [[ -v "${network_static_ipv6nameserver_fallback_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}")
+  [[ -v network_static_ipv6nameserver_1 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_1}")
+  [[ -v network_static_ipv6nameserver_2 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_2}")
+  [[ -v network_static_ipv6nameserver_fallback_0 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_0}")
+  [[ -v network_static_ipv6nameserver_fallback_1 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}")

  ### Check current network connection and configure variables
  var_auto_nic=$(ip -o link show | awk -F': ' '/state UP/ && $2!="lo" {print $2; exit}')
--- a/func/4150_setup_grub.sh
+++ b/func/4150_setup_grub.sh
@@ -118,7 +118,7 @@ GRUB_BACKGROUND="/etc/default/grub.d/${var_background}"
 # The resolution used on graphical terminal
 # note that you can use only modes which your graphic card supports via VBE
 # you can see them in real GRUB with the command 'vbeinfo'
-GRUB_GFXMODE=1920x1080,1280x1024,800x600
+GRUB_GFXMODE=1920x1080,1280x1024,1024x768,800x600
 GRUB_GFXPAYLOAD_LINUX=keep

 EOF
@@ -166,6 +166,11 @@ EOF

  [[ "${var_update_grub_required}" == "true" ]] && do_in_target "${TARGET}" update-grub

+  ### Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them.
+  chown root:root "${TARGET}/boot/grub/grub.cfg"
+  chmod 0600 "${TARGET}/boot/grub/grub.cfg"
+  chmod -R 0700 "${TARGET}/etc/grub.d"
+
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4155_setup_grub_password.sh
+++ b/func/4155_setup_grub_password.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Append GRUB superuser block to 40_custom.
+# Arguments:
+#   1: Username
+#   2: Password
+#######################################
+
+#######################################
+# Append GRUB superuser block to '/etc/grub.d/40_custom'.
+# Globals:
+#   DIR_CNF
+#   ERR_READ_GRUB_FILE
+#   TARGET
+#   VAR_DEBUG_TRACE
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_READ_GRUB_FILE
+#######################################
+setup_grub_password() {
+  declare var_username="superadmin"
+  declare var_password=""
+  declare var_password_file="${DIR_CNF}/password_grub.txt"
+  declare var_of="${TARGET}/etc/grub.d/40_custom"
+  declare var_grub_entry
+
+  ### No tracing for security reasons
+  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  if [[ ! -f "${var_password_file}" ]] || ! IFS= read -r var_password < "${var_password_file}"; then
+    return "${ERR_READ_GRUB_FILE}"
+  fi
+  ### Turn on tracing again
+  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+
+  var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
+
+  ### Append if not already present
+  if ! grep -q "set superusers=" "${var_of}"; then
+    {
+      echo ""
+      echo "### Added by CISS.debian.installer ###"
+      echo "$var_grub_entry"
+      echo "### End by CISS.debian.installer ###"
+    } >> "$var_of"
+  fi
+
+  do_in_target "${TARGET}" update-grub
+
+  return 0
+}
+
+#######################################
+# Generate PBKDF2 password hash for GRUB.
+# Arguments:
+#   1: Username (default to superadmin).
+#   2: User password.
+# Returns:
+#   0: on success
+#######################################
+generate_grub_password_pbkdf2() {
+  declare var_user="${1:-superadmin}"
+  declare var_pass="${2:?error: password required}"
+
+  expect <<EOF
+    log_user 0
+    spawn grub-mkpasswd-pbkdf2
+    expect "Enter password:"
+    send "$var_pass\r"
+    expect "Reenter password:"
+    send "$var_pass\r"
+    expect {
+      -re {PBKDF2 hash of your password is (\S+)} {
+        puts "set superusers=\"$var_user\"\npassword_pbkdf2 $var_user \$expect_out(1,string)"
+      }
+    }
+EOF
+
+ return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4160_grub_bootparameter.sh
+++ b/func/4160_grub_bootparameter.sh
@@ -27,7 +27,7 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_grub_bootparameter() {
-  declare var_param
+  declare var_nuke_string="" var_param=""

  grub_extract_current_string

@@ -47,6 +47,11 @@ setup_grub_bootparameter() {

  done

+  if [[ "${VAR_NUKE}" == "true" ]]; then
+    var_nuke_string="nuke=${VAR_NUKE_HASH}"
+    VAR_GRUB_CMDLINE_LINUX+=" ${var_nuke_string}"
+  fi
+
  grub_finalize_string

  do_in_target "${TARGET}" update-grub
--- a/func/4165_kernel_modules.sh
+++ b/func/4165_kernel_modules.sh
@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-### Options in "GRUB_CMDLINE_LINUX" are always effective.
-### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
-
 guard_sourcing

 #######################################
@@ -28,6 +25,13 @@ setup_kernel_modules() {
  ### Entropy collection improvements
  mkdir -p "${TARGET}/usr/lib/modules-load.d"
  cat << EOF >| "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
+## The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
+## minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
+## physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
+## features like TPMs or Intel's RDRAND—which may not be available or trusted—jitterentropy_rng works across all platforms,
+## including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure
+## entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure,
+## standards-compliant, and universally applicable entropy source for hardened Linux environments.
 ## https://www.whonix.org/wiki/Dev/Entropy
 ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
 ## https://forums.whonix.org/t/jitterentropy-rngd/7204
@@ -37,4 +41,21 @@ EOF
  do_log "info" "true" "Installed: '/usr/lib/modules-load.d/30_security-misc.conf'."
  return 0
 }
+
+#######################################
+# Blacklist some kind of potential hazardous modules via '/etc/modprobe.d/0000_ciss_debian_installer.conf'.
+# Globals:
+#   TARGET
+#   VAR_SETUP_PATH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+setup_modprobe() {
+ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/modprobe.d/0000_ciss_debian_installer.cnf" \
+    "${TARGET}/etc/modprobe.d/0000_ciss_debian_installer.conf"
+  do_log "info" "true" "Installed: '/etc/modprobe.d/0000_ciss_debian_installer.conf'."
+  return 0
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4166_kernel_sysctl.sh
+++ b/func/4166_kernel_sysctl.sh
@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-### Options in "GRUB_CMDLINE_LINUX" are always effective.
-### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
-
 guard_sourcing

 #######################################
--- a/func/4195_setup_dropbear.sh
+++ b/func/4195_setup_dropbear.sh
@@ -53,9 +53,9 @@ setup_dropbear() {
  ### Prepare dropbear authorized_keys
  declare -a ary_user=()
  ary_user+=("${user_root_ssh_pubkeys_0}")
-  [[ -v "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
-  [[ -v "${user_root_ssh_pubkeys_2}" ]] && ary_user+=("${user_root_ssh_pubkeys_2}")
-  [[ -v "${user_root_ssh_pubkeys_3}" ]] && ary_user+=("${user_root_ssh_pubkeys_3}")
+  [[ -v user_root_ssh_pubkeys_1 ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
+  [[ -v user_root_ssh_pubkeys_2 ]] && ary_user+=("${user_root_ssh_pubkeys_2}")
+  [[ -v user_root_ssh_pubkeys_3 ]] && ary_user+=("${user_root_ssh_pubkeys_3}")

  touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
  printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
@@ -106,6 +106,8 @@ setup_dropbear() {
  ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
    "${TARGET}/includes/initramfs-tools/files/"
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
+    "${TARGET}/usr/lib/cryptsetup/scripts/"

  ### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script.
  install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \
@@ -131,7 +133,7 @@ EOF

  ### Install the variable file to be called inside initramfs environment for setting up dropbear firewall.
  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.cnf" \
-    "${TARGET}/includes/initramfs-tools/files/"
+    "${TARGET}/includes/initramfs-tools/files/dropbear_fw.conf"

  ### Install the firewall script to be called inside initramfs environment for setting up dropbear firewall.
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.sh" \
@@ -169,6 +171,8 @@ EOF
 #   0: on success
 #######################################
 write_dropbear_conf() {
+  [[ -z "${dropbear_port:-}" ]] && dropbear_port="2222"
+
  cat << EOF >| "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
 #
 # Configuration options for the dropbear-initramfs boot scripts.
@@ -185,7 +189,7 @@ write_dropbear_conf() {
 # -K: Keepalive interval in seconds
 # -p: Specify port (and optionally address)
 # -w: Disable root login (SHOULD NOT be implemented for initramfs)
-DROPBEAR_OPTIONS="-b /etc/dropbear/initramfs/banner -c /usr/local/bin/unlock_wrapper.sh -E -I 300 -K 60 -p ${dropbear_port:-2222}"
+DROPBEAR_OPTIONS="-b /etc/dropbear/banner -c /usr/local/bin/unlock_wrapper.sh -E -I 300 -K 60 -p ${dropbear_port}"

 #
 # On local (non-NFS) mounts, interfaces matching this pattern are