V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_3200_partitioning/3220_partition_encryption.sh

@@ -174,20 +174,50 @@ partition_encryption() {
 
     fi
 
+    ### Opening the encrypted container.
+    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
+      cryptsetup luksOpen "/dev/${var_dev}" \
+        --key-file="${DIR_CNF}/password_luks_boot.txt" \
+        "${var_encryption_label}"
+    else
+      cryptsetup luksOpen "/dev/${var_dev}" \
+        --key-file="${DIR_CNF}/password_luks_common.txt" \
+        "${var_encryption_label}"
+    fi
+    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
+
+    ### Create luksDump log entry.
+    cryptsetup luksDump "/dev/${var_dev}" >> "${DIR_LOG}/3220_cryptsetup_luksdump_${var_dev}.log"
+
+    ### Store UUID of the LUKS container.
+    var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
+
+    [[ "${var_encryption_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
+    [[ "${var_encryption_path}" == "/boot" ]] && declare -grx VAR_CRYPT_BOOT="${var_uuid}"
+    [[ "${var_encryption_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}"
+
+    HMP_PATH_LUKSUUID["${var_encryption_path}"]="${var_uuid}"
+    HMP_PATH_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
+
+    do_log "debug" "file_only" "3220() [HMP_PATH_LUKSUUID]: '${var_encryption_path}' -> '${HMP_PATH_LUKSUUID["${var_encryption_path}"]}'"
+    do_log "debug" "file_only" "3220() [HMP_PATH_ENCLABEL]: '${var_encryption_path}' -> '${HMP_PATH_ENCLABEL["${var_encryption_path}"]}'"
+
+    ### Backup the LUKS Header.
     if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then
 
-      case "${user_root_specific}" in
-
-        ciss)    var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;;
-        physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;;
-        *)       do_log "error" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;;
-
-      esac
-
       var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
       var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak.pgp"
       var_luks_backup_pgp="${DIR_BAK}/luks_header_${var_dev}.bak.pgp"
 
+      case "${VAR_LUKS_PGP}" in
+
+        ciss)    var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;;
+        physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;;
+        none)    do_log "error" "file_only" "3220() No PGP public key for LUKS Header encryption provided."; continue ;;
+        *)       do_log "fatal" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;;
+
+      esac
+
       if cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"; then
 
         do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
@@ -207,11 +237,11 @@ partition_encryption() {
 
         if command -v shred >/dev/null 2>&1; then
 
-          shred -u -- "${var_luks_backup_file}" || rm -f -- "${var_luks_backup_file}"
+          shred -vfzu -n 5 "${var_luks_backup_file}" || rm -f "${var_luks_backup_file}"
 
         else
 
-          rm -f -- "${var_luks_backup_file}"
+          rm -f "${var_luks_backup_file}"
 
         fi
 
@@ -245,34 +275,6 @@ partition_encryption() {
 
     fi
 
-    ### Opening the encrypted container.
-    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
-      cryptsetup luksOpen "/dev/${var_dev}" \
-        --key-file="${DIR_CNF}/password_luks_boot.txt" \
-        "${var_encryption_label}"
-    else
-      cryptsetup luksOpen "/dev/${var_dev}" \
-        --key-file="${DIR_CNF}/password_luks_common.txt" \
-        "${var_encryption_label}"
-    fi
-    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
-
-    ### Create luksDump log entry.
-    cryptsetup luksDump "/dev/${var_dev}" >> "${DIR_LOG}/3220_cryptsetup_luksdump_${var_dev}.log"
-
-    ### Store UUID of the LUKS container.
-    var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
-
-    [[ "${var_encryption_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
-    [[ "${var_encryption_path}" == "/boot" ]] && declare -grx VAR_CRYPT_BOOT="${var_uuid}"
-    [[ "${var_encryption_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}"
-
-    HMP_PATH_LUKSUUID["${var_encryption_path}"]="${var_uuid}"
-    HMP_PATH_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
-
-    do_log "debug" "file_only" "3220() [HMP_PATH_LUKSUUID]: '${var_encryption_path}' -> '${HMP_PATH_LUKSUUID["${var_encryption_path}"]}'"
-    do_log "debug" "file_only" "3220() [HMP_PATH_ENCLABEL]: '${var_encryption_path}' -> '${HMP_PATH_ENCLABEL["${var_encryption_path}"]}'"
-
   done
 
   [[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH