msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🔁 Render Graphviz Diagrams. / 🔁 Render Graphviz Diagrams. (push) Successful in 39s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m45s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-20 19:43:09 +02:00
parent 55a0cb6884
commit e1f09ca170
27 changed files with 1100 additions and 909 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
func/3220_partition_encryption.sh
View File

@@ -34,10 +34,10 @@ partition_encryption() {
### Declare Arrays and Variables.
declare -Agx HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL HMP_EPHEMERAL_FS_LABEL HMP_PATH_LUKSUUID HMP_PATH_ENCLABEL
declare var_dev var_part \
var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_nuke var_encryption_cipher \
var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_cipher \
var_encryption_hash var_encryption_iter var_encryption_key var_encryption_label var_encryption_meta \
var_encryption_pbkdf var_encryption_rng var_filesystem_label var_mount_path var_uuid
declare -a ary_devs ary_parts
declare -a ary_devs=() ary_parts=() ary_luks_opts=()
### Iterate over all devices in the recipe.
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
@@ -51,7 +51,6 @@ partition_encryption() {
var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable" "${VAR_SETUP_PART}")
var_encryption_ephemeral=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.ephemeral" "${VAR_SETUP_PART}")
var_encryption_integrity=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.integrity" "${VAR_SETUP_PART}")
var_encryption_nuke=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.nuke" "${VAR_SETUP_PART}")
var_encryption_cipher=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.cipher" "${VAR_SETUP_PART}")
var_encryption_hash=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.hash" "${VAR_SETUP_PART}")
var_encryption_iter=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.itertime" "${VAR_SETUP_PART}")
@@ -67,21 +66,26 @@ partition_encryption() {
continue
fi
declare -a ary_luks_opts=(
--key-file="${DIR_CNF}/password.txt"
--type luks2
--cipher "${var_encryption_cipher}"
--hash "${var_encryption_hash}"
--iter-time "${var_encryption_iter}"
--key-size "${var_encryption_key}"
--label "${var_encryption_label}"
--luks2-metadata-size "${var_encryption_meta}"
--pbkdf "${var_encryption_pbkdf}"
--"${var_encryption_rng}"
--batch-mode --verbose
if [[ "${var_mount_path,,}" == "/boot" ]]; then
ary_luks_opts=( "--key-file=${DIR_CNF}/password_luks_boot.txt" )
else
ary_luks_opts=( "--key-file=${DIR_CNF}/password_luks_common.txt" )
fi
ary_luks_opts+=(
"--type luks2"
"--cipher ${var_encryption_cipher}"
"--hash ${var_encryption_hash}"
"--iter-time ${var_encryption_iter}"
"--key-size ${var_encryption_key}"
"--label ${var_encryption_label}"
"--luks2-metadata-size ${var_encryption_meta}"
"--pbkdf ${var_encryption_pbkdf}"
"--${var_encryption_rng}"
"--batch-mode --verbose"
)
[[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=(--integrity hmac-sha512)
[[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=( "--integrity hmac-sha512" )
if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then
@@ -113,22 +117,28 @@ partition_encryption() {
if [[ "${var_encryption_integrity,,}" == "true" ]]; then
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
else
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted."
do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' encrypted."
fi
cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak" "/dev/${var_dev}${var_part}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
### Opening encrypted container.
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
"${var_encryption_label}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
if [[ "${var_mount_path,,}" == "/boot" ]]; then
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password_luks_boot.txt" \
"${var_encryption_label}"
else
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password_luks_common.txt" \
"${var_encryption_label}"
fi
do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
### Store UUID of the LUKS container.
var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")