DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@aef00ec at 2025-10-26T18:19:48Z on 6f8f9a786bfa Generated at : 2025-10-26T18:19:48Z Runner Host : 6f8f9a786bfa Workflow ID : 🛡️ Shell Script Linting Git Commit : aef00ec HEAD -> master
V8.00.000.2025.06.17
2025-10-26 18:19:48 +00:00 · 2025-10-26 18:17:28 +00:00 · 2025-10-26 17:24:00 +00:00 · 2025-10-26 17:22:09 +00:00 · 2025-10-26 17:21:58 +00:00 · 2025-10-26 17:21:53 +00:00
25 changed files with 426 additions and 333 deletions
--- a/.preseed/SECRETS.yaml
+++ b/.preseed/SECRETS.yaml
@@ -34,12 +34,12 @@ secrets:
  ################################################################################################################################
  luks:
    backup:
-      note: "The value is '<share-identifier>:<password>' (colon-separated). Use the same dedicated destination and credentials across servers."
+      note: "The value is [<share-identifier>:<password>] (colon-separated). Use the same dedicated destination and credentials across servers."
      scope: "offsite-backup"
      type: "plain"
      value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
    boot:
-      note: "Dedicated passphrase for the '/boot' partition; chosen for easy manual input via the VPS web console."
+      note: "Dedicated passphrase for the [/boot] partition; chosen for easy manual input via the VPS web console."
      scope: "luks"
      type: "plain"
      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
@@ -59,7 +59,7 @@ secrets:
  seeds:
    mfa:
      info:
-        note: "MFA version identifier (e.g., 'totp:v1') for seamless mfa secrets rollover."
+        note: "MFA version identifier, e.g., [totp:v1] for seamless mfa secrets rollover."
        scope: "mfa"
        type: "plain"
        value: "totp:v1"
--- a/.preseed/mfa_master.txt
+++ b/.preseed/mfa_master.txt
@@ -1 +0,0 @@
-7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda
--- a/.preseed/partitioning.yaml
+++ b/.preseed/partitioning.yaml
@@ -35,7 +35,7 @@ recipe:
      luks_backup: true        # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
                               # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
                               # Also provide the cloud access token and access passwords via
-                               # ./.preseed/password_luks_backup.txt. Yet Nextcloud only is supported.
+                               # ./.preseed/SECRETS.yaml. Yet Nextcloud only is supported.
      luks_backup_url: "https://cloud.e2ee.li/"
      luks_backup_pgp: "ciss"  # Specify the trigger for use of the LUKS Header backup encryption key.
                               # Allowed values are: 'ciss', and 'physnet'. MUST be provided.
--- a/.preseed/password_grub.txt
+++ b/.preseed/password_grub.txt
@@ -1 +0,0 @@
-PleASE_CHan3e_M!
--- a/.preseed/password_luks_backup.txt
+++ b/.preseed/password_luks_backup.txt
@@ -1 +0,0 @@
-SJF3kOdvm0o9xwT:VdmXE^2w^VTFJeJPdHkd7qNwQVf^7SDmcyZKjcfadS
--- a/.preseed/password_luks_boot.txt
+++ b/.preseed/password_luks_boot.txt
@@ -1 +0,0 @@
-Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!
--- a/.preseed/password_luks_common.txt
+++ b/.preseed/password_luks_common.txt
@@ -1 +0,0 @@
-Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!
--- a/.preseed/password_luks_nuke.txt
+++ b/.preseed/password_luks_nuke.txt
@@ -1 +0,0 @@
-THIS_IS_THE_NUKE_PASSWORD!
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -13,14 +13,14 @@
 # This file contains configurations for the CISS.debian.installer
 # Master V8.00.000.2025.06.17
 # YAML specification: 1.2
-
+#
 preseed:
  description: "Configuration values for automated installation of encrypted systems on this host via primordial-workflow™."
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
-
+#
 ################################################################################################################################
 # APT settings
 ################################################################################################################################
@@ -454,7 +454,7 @@ grub:
  other-os: true               # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds
                               # some other OS, which is less safe as it might not be able to boot that other OS.
  password: true               # If you want to set a password for GRUB. The password MUST be set at:
-                               # '/.preseed/password_grub.txt'.
+                               # '/.preseed/SECRETS.yaml'.
  prober: false                # OS-prober did not detect any other operating systems on your computer at this time, but you
                               # may still wish to enable it in case you install more in the future.
  skip: false                  # Skip installing grub.
@@ -839,9 +839,6 @@ ssh:
 # User settings
 ################################################################################################################################
 user:
-  mfa:
-    info: "totp:v1"
-    salt: "CISS:CDI:OTP"       # + (Server_FQDN/Username)
  ##############################################################################################################################
  # Root: The superuser account (normally disabled for direct login).
  #       Key 'user.root.password' MUST contain a valid yescrypt hashed password string.
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-25; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-10-25T05:15:03Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-26T18:19:45Z".

 ⚠️ The last linter check was NOT successful. ⚠️

--- a/README.md
+++ b/README.md
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.7-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -24,7 +24,7 @@
 # TODO: Copying Log Files to final System
 # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
 # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
-# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
+# TODO: Implement loop_pass() for other passwords 1257_yaml_xnuke.sh
 # TODO: Implement / Integrate IP, Port validation CDI_1200

 ### WHY BASH?
@@ -198,10 +198,6 @@ arg_parser "$@"
 info_echo "0103_arg_priority_check.sh"
 arg_priority_check

-### HASHING PASSWORDS.
-info_echo "0105_arg_nuke_converter.sh"
-nuke_passphrase
-

 ### CDI_1250
 info_echo "1250_yaml_parser.sh"
@@ -213,8 +209,11 @@ yaml_reader
 info_echo "1252_yaml_validator.sh"
 yaml_validator

-#info_echo "1256_secret_parser.sh"
-#yaml_secret
+info_echo "1256_yaml_xfiles.sh"
+yaml_secret
+
+info_echo "1257_yaml_xnuke.sh"
+nuke_passphrase


 ### CDI_3200
--- a/func/cdi_1250_yaml/1250_yaml_parser.sh
+++ b/func/cdi_1250_yaml/1250_yaml_parser.sh
@@ -44,28 +44,36 @@ yaml_parser() {

  ### Generate Arrays for [Grub Parameter], [Locales], [NTPSec Server FQDN], [Software Packages].
  while IFS='=' read -r var_key var_value; do
+
    var_value=${var_value#\'}
    var_value=${var_value%\'}
+
    # shellcheck disable=SC2034,SC2249
    case "${var_key}" in
+
      grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}")  ;;
      locale_locale_[0-9]*)  ARY_LOCALE+=("${var_value}")     ;;
      ntp_server_[0-9]*)     ARY_NTPSRVR+=("${var_value}")    ;;
      ssh_allow_ipv4_[0-9]*) ARY_ALLOW_IPV4+=("${var_value}") ;;
      ssh_allow_ipv6_[0-9]*) ARY_ALLOW_IPV6+=("${var_value}") ;;
      software_[0-9]*)       ARY_PACKAGES+=("${var_value}")   ;;
+
    esac
+
  done < "${VAR_PRESEED}"
+
  var_key=""

  ### Search all set variables for user_userN_name patterns.
  # shellcheck disable=SC2312
  while IFS='=' read -r var_key _; do
+
    ### Accept any of these keys: name, fullname, uid, gid, shell, password, sshpubkey, authentication_* and privileges_*
    if [[ "${var_key}" =~ ^user_user([0-9]+)_(name|fullname|uid|gid|shell|password|sshpubkey|authentication_[A-Za-z0-9_]+|privileges_[A-Za-z0-9_]+)$ ]]; then
      var_index=${BASH_REMATCH[1]}
      (( var_index > VAR_USER_MAX )) && VAR_USER_MAX=var_index
    fi
+
  done < "${VAR_PRESEED}"

  ### If nothing matched, default to 0 (only user 0).
@@ -87,7 +95,7 @@ yaml_parser() {

    # --- Quote unquoted values -------------------------------------------
    s/^(.*)=([^'\''"]+)/\1='\''\2'\''/ # wrap value in single quotes
-' "${VAR_PRESEED}"
+  ' "${VAR_PRESEED}"

  # shellcheck disable=SC1090
  . "${VAR_PRESEED}"
--- a/func/cdi_1250_yaml/1256_secret_parser.sh
+++ b/func/cdi_1250_yaml/1256_secret_parser.sh
@@ -1,206 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing || return "${ERR_GUARD_SOURCE}"
-
-#######################################
-# Debug helper: list variable names (no values).
-# Globals:
-#   CISS_SECRETS_MAP
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-ciss_secrets_list_names() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_k=""
-
-  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
-
-    printf '%s.value -> %s\n' "${var_k}" "${CISS_SECRETS_MAP[${var_k}]}"
-
-  done
-
-  return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f ciss_secrets_list_names
-
-#######################################
-# Unset all previously created secret variables.
-# Globals:
-#   CISS_SECRETS_MAP
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-ciss_secrets_unset() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_k="" var_v=""
-
-  guard_trace on
-
-  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
-
-    var_v="${CISS_SECRETS_MAP[${var_k}]}"
-
-    if [[ -v "${var_v}" ]]; then
-
-      unset -v "${var_v}" 2>/dev/null || true
-
-    fi
-
-  done
-
-  CISS_SECRETS_MAP=()
-
-  guard_trace off
-
-  return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f ciss_secrets_unset
-
-#######################################
-# Build the canonical var name from a dotted path (without 'secrets.' and without '.value').
-# Globals:
-#   None
-# Arguments:
-#   1: Variable path
-# Returns:
-#   0: on success
-#######################################
-ciss_secret_varname_from_path() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_path="${1:-}"
-
-  var_path="${var_path//[^A-Za-z0-9_]/_}"
-  var_path="${var_path^^}"
-
-  printf 'CISS_SECRET_%s' "${var_path}"
-  return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f ciss_secret_varname_from_path
-
-#######################################
-# Purpose:
-#   High-performance parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
-#   If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
-#   No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
-# Conventions:
-#   Variables: CISS_SECRET_<UPPER_SNAKE_CASE_PATH> (PATH excludes "secrets." and trailing ".value")
-#   All with "declare -g" (no export).
-#   Mapping: CISS_SECRETS_MAP["foo.bar"]=CISS_SECRET_FOO_BAR
-# Security:
-#   No logging of values. No plaintext temp files. Streaming pipeline; no full-doc materialization.
-# Globals:
-#   CISS_SECRETS_MAP
-#   CISS_SECRETS_SOURCE
-#   DIR_CNF
-#   ERR_MISSING_AGE_KEY
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-yaml_secret() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r  SOPS_AGE_KEY_FILE="/root/.config/sops/age/keys.txt"
-  declare     secrets_encrypted="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
-              __path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname=""
-
-  secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false"
-
-  if [[ "${secrets_encrypted}" == "true" ]]; then
-
-    if ! command -v sops >/dev/null 2>&1; then
-
-      do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
-      return "${ERR_MISSING_AGE_BIN}"
-
-    fi
-
-    [[ -r "${SOPS_AGE_KEY_FILE}" ]] || return "${ERR_MISSING_AGE_KEY}"
-
-  fi
-
-  __umask=$(umask)
-  umask 0077
-
-  ### Create the producer as a process substitution.
-  if [[ "${secrets_encrypted}" == "true" ]]; then
-
-    ### Decrypt once, stream into yq; avoid storing full doc in memory; emits '<path>\0<value>\0' for each 'secrets.*.value'
-    # shellcheck disable=SC2016,SC2312
-    exec {__pipe_fd}< <(
-      sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -r -N -0 'leaf_paths as $p
-        | select($p[0]=="secrets" and $p[-1]=="value")
-        | ($p[0:-1] | join(".")), ((getpath($p)//"") | tostring)
-      ' -
-    )
-
-  else
-
-    # shellcheck disable=SC2016,SC2312
-    exec {__pipe_fd}< <( yq -r -N -0 'path(..) as $p | select($p[0]=="secrets" and $p[-1]=="value") | ($p[0:-1]|join("."))' -- "${secrets_yaml}" )
-
-  fi
-
-  ### Single consumer: read NUL-delimited pairs and assign variables.
-  ### Loop invariant: next read is PATH, then VALUE. Stop cleanly at EOF.
-  while :; do
-
-    ### Read path (up to NUL); break on EOF.
-    IFS= read -r -d '' __path <&"${__pipe_fd}" || break
-    echo "${__path}"
-
-    ### Read value (up to NUL); if missing (odd count), treat as empty
-    IFS= read -r -d '' __value <&"${__pipe_fd}" || __value=""
-    echo "${__value}"
-
-    ### Drop the leading 'secrets.' prefix for naming.
-    __path_wo_prefix="${__path#secrets.}"
-    echo "${__path_wo_prefix}"
-
-    __varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
-    echo "${__varname}"
-
-    ### Assign to a global variable, preserving content verbatim (including newlines).
-    unset -v "${__varname}"
-    declare -g "${__varname}"
-    printf -v "${__varname}" '%s' "${__value}"
-
-    ### Track in the map (without .value)
-    CISS_SECRETS_MAP["${__path_wo_prefix}"]="${__varname}"
-
-  done
-
-  ### Close the producer FD
-  exec {__pipe_fd}<&-
-
-  umask "${__umask}"
-
-  echo "Inside 1256()"
-  sleep 60
-
-  guard_dir; return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f yaml_secret
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_1250_yaml/1256_yaml_xfiles.sh
+++ b/func/cdi_1250_yaml/1256_yaml_xfiles.sh
@@ -0,0 +1,271 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Debug helper: list variable names (no values).
+# Globals:
+#   CISS_SECRETS_MAP
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+ciss_secrets_list_names() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_k=""
+
+  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
+
+    printf '%s.value -> %s\n' "${var_k}" "${CISS_SECRETS_MAP[${var_k}]}"
+
+  done
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secrets_list_names
+
+#######################################
+# Unset all previously created secret variables.
+# Globals:
+#   CISS_SECRETS_MAP
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+ciss_secrets_unset() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_k="" var_v=""
+
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+
+  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
+
+    var_v="${CISS_SECRETS_MAP[${var_k}]}"
+
+    if [[ -v "${var_v}" ]]; then
+
+      unset -v "${var_v}" 2>/dev/null || true
+
+    fi
+
+  done
+
+  CISS_SECRETS_MAP=()
+
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secrets_unset
+
+#######################################
+# Build the canonical var name from a dotted path (without 'secrets.' and without '.value').
+# Globals:
+#   None
+# Arguments:
+#   1: Variable path
+# Returns:
+#   0: on success
+#######################################
+ciss_secret_varname_from_path() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_path="${1:-}"
+
+  var_path="${var_path//[^A-Za-z0-9_]/_}"
+  var_path="${var_path^^}"
+
+  printf 'CISS_SECRET_%s' "${var_path}"
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secret_varname_from_path
+
+#######################################
+# Wipes the specified file securely.
+# Globals:
+#   None
+# Arguments:
+#   1: File to wipe
+# Returns:
+#   0: on success
+#######################################
+ciss_secrets_wiper() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_file="${1:-}"
+
+  if [[ -f "${var_file}" ]]; then
+    : >| "${var_file}"
+    shred -vfzu -n 5 "${var_file}" > /dev/null 2>&1 || rm -f -- "${var_file}"
+  fi
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secrets_wiper
+
+#######################################
+# Purpose:
+#   Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
+#   If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
+#   No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
+# Conventions:
+#   Variables: CISS_SECRET_<UPPER_SNAKE_CASE_PATH> (PATH excludes "secrets." and trailing ".value")
+#   All with "declare -g" (no export).
+#   Mapping: CISS_SECRETS_MAP["foo.bar"]=CISS_SECRET_FOO_BAR
+# Globals:
+#   CISS_SECRETS_AGE
+#   CISS_SECRETS_MAP
+#   CISS_SECRETS_SOURCE
+#   DIR_CNF
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_DECRYPTION_SOPS: on failure
+#   ERR_MISSING_AGE_BIN: on failure
+#   ERR_MISSING_AGE_KEY: on failure
+#######################################
+yaml_secret() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  SOPS_AGE_KEY_FILE="${CISS_SECRETS_AGE}"
+  declare -a  __names=()
+  declare     secrets_encrypted="" secrets_if="${CISS_SECRETS_SOURCE}" secrets_of="${DIR_CNF}/SECRETS_DECRYPTED.yaml" \
+              __SECRETS="${DIR_CNF}/SECRETS_BASH.var" \
+              __base="" __name="" __umask="" __path_wo_prefix="" __val="" __varname=""
+
+  __umask=$(umask)
+  umask 0077
+
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+
+  secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
+  do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'."
+
+  if grep -qE '(^|\s)sops:\s*$' -- "${secrets_if}" 2>/dev/null || grep -q 'ENC\[' -- "${secrets_if}" 2>/dev/null; then
+
+    secrets_encrypted="true"
+    do_log "debug" "file_only" "1256() 'secrets_encrypted' according to heuristic mode: '${secrets_encrypted}'."
+
+  fi
+
+
+  if [[ "${secrets_encrypted}" == "true" ]]; then
+
+    if ! command -v sops >/dev/null 2>&1; then
+
+      do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
+      return "${ERR_MISSING_AGE_BIN}"
+
+    fi
+
+    [[ -r "${SOPS_AGE_KEY_FILE}" ]] || return "${ERR_MISSING_AGE_KEY}"
+
+    sops -d --input-type=yaml --output-type=yaml -- "${secrets_if}" >| "${secrets_of}"
+
+    [[ -r "${secrets_of}" ]] || return "${ERR_DECRYPTION_SOPS}"
+
+    ciss_secrets_wiper "${secrets_if}" && mv "${secrets_of}" "${secrets_if}"
+
+  fi
+
+  yq -o=shell "${secrets_if}" >| "${__SECRETS}" && ciss_secrets_wiper "${secrets_if}"
+
+  ### Keep only '*_value=' lines, normalize empty RHS, quote unquoted simple RHS.
+  LC_ALL=C sed -n -E '
+    /^[[:space:]]*(#|$)/b
+    s/^[[:space:]]*(export|declare[[:space:]]+-x)[[:space:]]+//;
+    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=/!b
+
+    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*$/\1='\'''\''/; t print
+    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=[[:space:]]*('"'"'|\"|\$'"'"')/b print
+    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=([^[[:space:]]'"'"'$][^[:space:]]*)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
+    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*(.+)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
+    :print
+    p
+  ' -- "${__SECRETS}" >| "${__SECRETS}.value_only"
+
+  mv -f -- "${__SECRETS}.value_only" "${__SECRETS}"
+
+  # shellcheck disable=SC1091 source=./${__SECRETS}
+  source "${__SECRETS}"
+
+  ciss_secrets_wiper "${__SECRETS}"
+
+  # shellcheck disable=SC2312
+  mapfile -t __names < <(printf '%s\n' "${!secrets_@}")
+
+  for __name in "${__names[@]}"; do
+
+    ### Keep only *_value variables
+    [[ "${__name}" == *_value ]] || continue
+
+    ### Validate strict Bash identifier (defensive: strip accidental CR).
+    __name="${__name%$'\r'}"
+    [[ "${__name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
+
+    ### Only read if actually set; indirect check without triggering nounset.
+    if [[ -n "${!__name+x}" ]]; then
+
+      __val="${!__name}"
+
+    else
+
+      __val=""
+
+    fi
+
+    ### Strip suffix/prefix for the map key.
+    __base="${__name%_value}"
+    __path_wo_prefix="${__base#secrets_}"
+
+    ### Canonical CISS name.
+    __varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
+
+    ### Assign verbatim (preserves newlines).
+    unset -v "${__varname}"
+    declare -g "${__varname}"
+    printf -v "${__varname}" '%s' "${__val}"
+
+    CISS_SECRETS_MAP["${__path_wo_prefix}"]="${__varname}"
+
+  done
+
+  ### Hygiene: remove the intermediate variables to reduce secret surface, e.g., unset 'secrets_*_value' after transfer.
+  for __name in "${__names[@]}"; do
+
+    unset -v "${__name}"
+
+  done
+
+  umask "${__umask}"
+
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yaml_secret
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
+++ b/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
@@ -15,18 +15,22 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generates 'nuke=HASH' Bootparameter.
 # Globals:
+#   CISS_SECRET_LUKS_NUKE
 #   DIR_CNF
 #   VAR_NUKE_HASH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_GENERATE_SALT
-#   ERR_READ_NUKE_FILE
+#   ERR_GENERATE_SALT: on failure
 #######################################
 nuke_passphrase() {
-  declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
-  declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" var_nuke_rounds=""
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+
+  ### Declare Arrays, HashMaps, and Variables.
+  declare    var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}"
+  declare    var_temp_nuke_hash="" var_salt="" var_nuke_rounds=""

  # shellcheck disable=SC2312
  var_nuke_rounds="$(
@@ -40,30 +44,30 @@ nuke_passphrase() {
  ' "${DIR_CNF}/partitioning.yaml" | head -n1
  )"

-  [[ ! -f "${var_nuke_pwd_file}" ]] && return 0
-
-  guard_trace on
-  if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
-    return "${ERR_READ_NUKE_FILE}"
-  fi
-  guard_trace off
+  [[ -z "${var_nuke_pwd}" ]] && return 0


  if ! var_salt="$(generate_salt)"; then
+
    return "${ERR_GENERATE_SALT}"
+
  fi

+  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}")

-  guard_trace on
-  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_temp_plain_nuke_pwd}")
-  guard_trace off
-
+  # shellcheck disable=SC2034
  declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
-  unset var_temp_nuke_hash var_temp_plain_nuke_pwd
+
+  unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE

  do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"

+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
  guard_dir; return 0
 }
-
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f nuke_passphrase
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
+++ b/func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
@@ -27,7 +27,8 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #   0: on success
 #######################################
 benchmarking_encryption() {
-  declare var_result=""
+  ### Declare Arrays, HashMaps, and Variables.
+  declare       var_result=""
  # shellcheck disable=SC2155
  declare -girx VAR_KDF_THREADS=$(yq_val ".recipe.${VAR_RECIPE_STRING}.control.kdf.threads" "${VAR_SETUP_PART}")
  # shellcheck disable=SC2155
@@ -37,7 +38,7 @@ benchmarking_encryption() {
  sync

  echo "BENCHMARK CRYPTSETUP ARGON2ID KDF PARAMETER - DROPPING PAGES ..."
-  echo 3 >| /proc/sys/vm/drop_caches
+  echo 3 >| /proc/sys/vm/drop_caches || true

  # shellcheck disable=SC2312
  var_result=$(cryptsetup benchmark --pbkdf argon2id --iter-time "${VAR_ITER_TIME:-3000}" --pbkdf-parallel "${VAR_KDF_THREADS:-1}" 2>/dev/null \
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -16,6 +16,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 # Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'.
 # Globals:
 #   ARY_CRYPT_MOUNT_PATHS
+#   CISS_SECRET_LUKS_BACKUP
+#   CISS_SECRET_LUKS_BOOT
+#   CISS_SECRET_LUKS_COMMON
 #   DIR_BAK
 #   DIR_CNF
 #   DIR_LOG
@@ -38,7 +41,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #   VAR_RECIPE_STRING
 #   VAR_SETUP_PART
 #   VAR_SETUP_PATH
-#   VAR_TEMP_PLAIN_NC_AUTH
 # Arguments:
 #   None
 # Returns:
@@ -61,15 +63,31 @@ partition_encryption() {
              var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
              var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
              var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
-              var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp=""
+              var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" \
+              var_temp_plain_nc_auth=""

  declare -a  ary_luks_opts=()

+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+  printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt"
+  printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt"
+  unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON
+  guard_trace on
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
  if [[ -n "${VAR_LUKS_URL}" ]]; then

    VAR_LUKS_URL=${VAR_LUKS_URL%/}
-    read_luks_backup_token
-    do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]"
+
+    ### SECRETS handling -------------------------------------------------------------------------------------------------------
+    guard_trace on
+    var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}"
+    unset CISS_SECRET_LUKS_BACKUP
+    guard_trace on
+    ### SECRETS handling -------------------------------------------------------------------------------------------------------
+
+    do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set."

  fi

@@ -176,13 +194,17 @@ partition_encryption() {

    ### Opening the encrypted container.
    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
+
      cryptsetup luksOpen "/dev/${var_dev}" \
        --key-file="${DIR_CNF}/password_luks_boot.txt" \
        "${var_encryption_label}"
+
    else
+
      cryptsetup luksOpen "/dev/${var_dev}" \
        --key-file="${DIR_CNF}/password_luks_common.txt" \
        "${var_encryption_label}"
+
    fi
    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."

@@ -254,10 +276,11 @@ partition_encryption() {

      if [[ -n "${VAR_LUKS_URL}" ]]; then

+        ### SECRETS handling ---------------------------------------------------------------------------------------------------
        guard_trace on

        if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
-          --upload-file "${var_luks_backup_pgp}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
+          --upload-file "${var_luks_backup_pgp}" --user "${var_temp_plain_nc_auth}" > /dev/null 2>&1; then

          do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."

@@ -270,6 +293,7 @@ partition_encryption() {
        fi

        guard_trace off
+        ### SECRETS handling ---------------------------------------------------------------------------------------------------

      fi

@@ -277,43 +301,18 @@ partition_encryption() {

  done

-  [[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+  [[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt"
+  ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt"

  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f partition_encryption
-
-#######################################
-# Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
-# Globals:
-#   DIR_CNF
-#   VAR_TEMP_PLAIN_NC_AUTH
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#   ERR_READ_AUTH_FILE: on failure
-#######################################
-read_luks_backup_token(){
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
-  declare -g VAR_TEMP_PLAIN_NC_AUTH=""
-
-  guard_trace on
-
-  if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
-
-    return "${ERR_READ_AUTH_FILE}"
-
-  fi
-
-  guard_trace off
-
-  return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f read_luks_backup_token
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4240_update_grub_password.sh
+++ b/func/cdi_4200_boot/4240_update_grub_password.sh
@@ -15,26 +15,29 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
 # Globals:
-#   DIR_CNF
+#   CISS_SECRET_GRUB
 #   TARGET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_READ_GRUB_FILE
+#   ERR_READ_GRUB_FILE: on failure
 #######################################
 update_grub_password() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
+  declare var_username="superadmin" var_password="" \
          var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""

+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on

-  var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}"
+  var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
+  unset CISS_SECRET_GRUB

  var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")

  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------

  ### Append if not already present.
  if ! grep -q "set superusers=" "${var_of}"; then
@@ -56,6 +59,8 @@ readonly -f update_grub_password

 #######################################
 # Generate PBKDF2 password hash for GRUB.
+# Globals:
+#   None
 # Arguments:
 #   1: Username (default to superadmin).
 #   2: User password.
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -15,6 +15,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Updating root account and generation user accounts.
 # Globals:
+#   CISS_SECRET_USER_ROOT_PASSWORD
+#   CISS_SECRET_USER_ROOT_SSHPUBKEY
+#   LOG_ERR
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
@@ -27,8 +30,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #   user_root_authentication_access_ssh
 #   user_root_authentication_access_tty
 #   user_root_authentication_password
-#   user_root_password
-#   user_root_sshpubkey
 # Arguments:
 #   None
 # Returns:
@@ -152,7 +153,9 @@ EOF
  esac

  ### 4) Check the password policy for the 'root' account.
-  chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e"
+  chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${CISS_SECRET_USER_ROOT_PASSWORD}' | /usr/sbin/chpasswd -e"
+  do_log "info" "file_only" "4520() User: 'root' password: inserted."
+  unset CISS_SECRET_USER_ROOT_PASSWORD

  case "${user_root_authentication_password,,}" in

@@ -174,9 +177,10 @@ EOF
  esac

  ### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
-  if [[ -n "${user_root_sshpubkey:-}" ]]; then
+  if [[ -n "${CISS_SECRET_USER_ROOT_SSHPUBKEY:-}" ]]; then

-    printf "%s\n" "${user_root_sshpubkey}" >| "${var_target}/root/.ssh/authorized_keys"
+    printf "%s\n" "${CISS_SECRET_USER_ROOT_SSHPUBKEY}" >| "${var_target}/root/.ssh/authorized_keys"
+    unset CISS_SECRET_USER_ROOT_SSHPUBKEY
    do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."

  fi
@@ -231,8 +235,8 @@ EOF
    tmp_uid="user_user${i}_uid"
    tmp_gid="user_user${i}_gid"
    tmp_shell="user_user${i}_shell"
-    tmp_password="user_user${i}_password"
-    tmp_sshpubkey="user_user${i}_sshpubkey"
+    tmp_password="CISS_SECRET_USER_USER${i}_PASSWORD"
+    tmp_sshpubkey="CISS_SECRET_USER_USER${i}_SSHPUBKEY"
    tmp_access_tty="user_user${i}_authentication_access_tty"
    tmp_auth_pwd="user_user${i}_authentication_password"
    tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
@@ -450,6 +454,7 @@ EOF
    find "${var_target}/home/${var_username}" -xdev -exec chown -h "${var_uid}:${var_gid}" {} +

    ### 9) Final status logging.
+    unset var_password var_sshpubkey
    do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]"

  done
@@ -460,8 +465,6 @@ EOF

  fi

-  unset VAR_TEMP_PLAIN_MFA_SEED
-
  if ! grep -Fqx -- '-: ALL:ALL' "${var_target}/etc/security/access.conf"; then

    printf '%s\n' '-: ALL:ALL' >> "${var_target}/etc/security/access.conf"
@@ -471,6 +474,8 @@ EOF
  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf"
  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config"

+  unset VAR_TEMP_PLAIN_MFA_SEED
+
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
@@ -511,12 +516,12 @@ readonly -f eza_installer

 #######################################
 # Generates a deterministic TOTP secret based on:
-# Username, FQDN, MFA salt, MFA master seed
+#   Username, FQDN, MFA salt, MFA master seed
 # Globals:
+#   CISS_SECRET_SEEDS_MFA_INFO
+#   CISS_SECRET_SEEDS_MFA_SALT
 #   VAR_FINAL_FQDN
 #   VAR_TEMP_PLAIN_MFA_SEED
-#   user_mfa_info
-#   user_mfa_salt
 # Arguments:
 #   1: Username
 # Returns:
@@ -526,10 +531,11 @@ generate_totp_secret() {
  ### Declare Arrays, HashMaps, and Variables.
  declare  var_user="${1}"
  declare  var_host_id="${VAR_FINAL_FQDN}"
-  declare  var_salt="${user_mfa_salt}:${var_host_id}:${var_user}"
-  declare  var_info="${user_mfa_info}"
+  declare  var_salt="${CISS_SECRET_SEEDS_MFA_SALT}:${var_host_id}:${var_user}"
+  declare  var_info="${CISS_SECRET_SEEDS_MFA_INFO}"
  declare  var_secret=""

+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on

  ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
@@ -550,6 +556,7 @@ generate_totp_secret() {
  printf '%s\n' "${var_secret}"

  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------

  return 0
 }
@@ -717,33 +724,31 @@ EOF
 readonly -f hardening_sudo

 #######################################
-# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
+# Reads a 256-bit seed from '${CISS_SECRET_SEEDS_MFA_SECRET}' '(64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
 # Globals:
-#   DIR_CNF
+#   CISS_SECRET_SEEDS_MFA_SECRET
 #   VAR_TEMP_PLAIN_MFA_SEED
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_READ_SEED_FILE
+#   ERR_READ_SEED_FILE: on failure
 #######################################
 read_totp_seed(){
  ### Declare Arrays, HashMaps, and Variables.
-  declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
  declare -g VAR_TEMP_PLAIN_MFA_SEED=""

+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on

-  if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
-
-    return "${ERR_READ_SEED_FILE}"
-
-  fi
+  VAR_TEMP_PLAIN_MFA_SEED="${CISS_SECRET_SEEDS_MFA_SECRET}"
+  unset CISS_SECRET_SEEDS_MFA_SECRET

  ### Validate: exactly 64 hex.
  [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"

  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------

  return 0
 }
@@ -889,14 +894,17 @@ readonly -f write_ciss_2fa_user
 write_google_authenticator_file() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_target="${4}"
-  declare     var_secret=""
+  declare -i  i=0
+  declare     var_secret="" __umask=""
+
+  __umask=$(umask)

  case "${1}" in
    root) declare var_base="${var_target}/root"             ;;
    *)    declare var_base="${var_target}/home/${var_user}" ;;
  esac
-  declare -i  i=0

+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on

  var_secret="$(generate_totp_secret "${var_user}")"
@@ -941,9 +949,10 @@ write_google_authenticator_file() {
  } >| "${DIR_TMP}/TOTP_${var_user}.secret"
  chmod 0400 "${DIR_TMP}/TOTP_${var_user}.secret"

-  umask 0022
-
  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  umask "${__umask}"

  return 0
 }
--- a/lib/cdi_0050_debug/0051_debug_var_dump.sh
+++ b/lib/cdi_0050_debug/0051_debug_var_dump.sh
@@ -13,11 +13,13 @@
 guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
-# Capture an initial snapshot of all variables (excluding '^(BASH|_).*').
+# Capture an initial snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
 # Globals:
 #   VAR_DUMP_VARS_INITIAL
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 dump_vars_initial() {
  # shellcheck disable=SC2312
@@ -25,12 +27,16 @@ dump_vars_initial() {
    declare var
    while IFS= read -r var; do
      declare -p "${var}" 2> /dev/null
-    done < <(compgen -v | grep -Ev '^(BASH|_).*')
+    done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
  } | sort >| "${VAR_DUMP_VARS_INITIAL}"
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dump_vars_initial

 #######################################
-# Capture the final snapshot of all variables (excluding '^(BASH|_).*').
+# Capture the final snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
 # Globals:
 #   LOG_VAR
 #   VAR_DUMP_VARS_FINAL
@@ -38,6 +44,8 @@ dump_vars_initial() {
 #   VAR_VERSION
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 dump_vars_exiting() {
  set +x
@@ -46,7 +54,7 @@ dump_vars_exiting() {
    declare var
    while IFS= read -r var; do
      declare -p "${var}" 2>/dev/null
-    done < <(compgen -v | grep -Ev '^(BASH|_).*')
+    done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
  } | sort >| "${VAR_DUMP_VARS_FINAL}"
  set -x

@@ -71,5 +79,10 @@ dump_vars_exiting() {
  set -x

  rm -f "${VAR_DUMP_VARS_INITIAL}" "${VAR_DUMP_VARS_FINAL}"
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dump_vars_exiting
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/meta_loader_func.sh
+++ b/meta_loader_func.sh
@@ -28,7 +28,8 @@ source_guard "./func/cdi_1200_validation/1222_validation_preseed.sh"
 source_guard "./func/cdi_1250_yaml/1250_yaml_parser.sh"
 source_guard "./func/cdi_1250_yaml/1251_yaml_reader.sh"
 source_guard "./func/cdi_1250_yaml/1252_yaml_validator.sh"
-source_guard "./func/cdi_1250_yaml/1256_secret_parser.sh"
+source_guard "./func/cdi_1250_yaml/1256_yaml_xfiles.sh"
+source_guard "./func/cdi_1250_yaml/1257_yaml_xnuke.sh"

 ### cdi_3200_partitioning
 source_guard "./func/cdi_3200_partitioning/3200_partitioning.sh"
--- a/meta_loader_lib.sh
+++ b/meta_loader_lib.sh
@@ -42,7 +42,6 @@ source_guard "./lib/cdi_0100_arg/0101_arg_sanitizer.sh"
 source_guard "./lib/cdi_0100_arg/0102_arg_parser.sh"
 source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh"
 source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh"
-source_guard "./lib/cdi_0100_arg/0105_arg_nuke_converter.sh"

 source_guard "./lib/cdi_0110_interactive/0110_dialog_kernel.sh"
 source_guard "./lib/cdi_0110_interactive/0115_dialog_notes.sh"
--- a/var/errors.var.sh
+++ b/var/errors.var.sh
@@ -60,6 +60,7 @@ declare -girx ERR_VERIFY_LOGROTATE=213  # Error verification by 'logrotate'.
 declare -girx ERR_READ_AUTH_FILE=212    # Error reading the Luks Backup auth token file.
 declare -girx ERR_ACCOUNT_CREATE=211    # Error creating user accounts.
 declare -girx ERR_LUKS_HEADER_ENC=210   # Error encrypting LUKS Header backup.
+declare -girx ERR_DECRYPTION_SOPS=132   # An error occurred while decrypting SECRETS.yaml.
 declare -girx ERR_MISSING_AGE_BIN=130   # SOPS binary for decryption SECRETS.yaml missing.
 declare -girx ERR_MISSING_AGE_KEY=129   # AGE key for decryption SECRETS.yaml values missing.
 declare -girx ERR_GUARD_SOURCE=128      # Module tried to load twice.
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -52,13 +52,11 @@ declare -grx VAR_SETUP_PART="${DIR_CNF}/partitioning.yaml"

 ### Initialize SECRETS.yaml variables.
 # shellcheck disable=SC2034
-declare -gA   CISS_SECRETS_MAP=()                           # YAML path (w/o '.value' and without 'secrets.') -> varname.
+declare -gA   CISS_SECRETS_MAP=()                                # YAML path (w/o '.value' and without 'secrets.') -> varname.
 # shellcheck disable=SC2034
-declare -g    CISS_SECRETS_AGE=""                           # AGE PRIVATE Keyfile to decrypt SOPS encrypted values.
+declare -g    CISS_SECRETS_AGE="/root/.config/sops/age/keys.txt" # AGE PRIVATE Keyfile to decrypt SOPS encrypted values.
 # shellcheck disable=SC2034
-declare -gr   CISS_SECRETS_SOURCE="${DIR_CNF}/SECRETS.yaml" # Effective YAML source used (plain or decrypted stream)
-# shellcheck disable=SC2034
-declare -g    CISS_SECRETS_XFILES=""                        # Derived from SOPS presence heuristic.
+declare -gr   CISS_SECRETS_SOURCE="${DIR_CNF}/SECRETS.yaml"      # Effective YAML source used (plain or decrypted stream).

 ### Base mount paths and variables for debootstrap.
 declare -grx TARGET="/target"
Author	SHA256	Message	Date
Marc S. Weidner BOT	aa94c53d65	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@aef00ec at 2025-10-26T18:19:48Z on 6f8f9a786bfa Generated at : 2025-10-26T18:19:48Z Runner Host : 6f8f9a786bfa Workflow ID : 🛡️ Shell Script Linting Git Commit : `aef00ec` HEAD -> master	2025-10-26 18:19:48 +00:00
Marc S. Weidner	aef00ec63d	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m59s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 18:17:28 +00:00
Marc S. Weidner BOT	71d189e2c7	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@403a70a at 2025-10-26T17:24:00Z on 8f92a12ee776 Generated at : 2025-10-26T17:24:00Z Runner Host : 8f92a12ee776 Workflow ID : 🛡️ Shell Script Linting Git Commit : `403a70a` HEAD -> master	2025-10-26 17:24:00 +00:00
Marc S. Weidner	403a70a886	Merge remote-tracking branch 'origin/master' All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m49s Details	2025-10-26 17:22:09 +00:00
Marc S. Weidner	3d39f44c75	V8.00.000.2025.06.17 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 17:21:58 +00:00
Marc S. Weidner BOT	28b246d280	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@25e230a at 2025-10-26T17:21:53Z on 2cb42c1f329c Generated at : 2025-10-26T17:21:53Z Runner Host : 2cb42c1f329c Workflow ID : 🛡️ Shell Script Linting Git Commit : `25e230a` HEAD -> master	2025-10-26 17:21:53 +00:00
Marc S. Weidner	25e230ace4	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m6s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 17:19:26 +00:00
Marc S. Weidner BOT	893740c2bf	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@85c46f3 at 2025-10-26T16:50:37Z on 1d5ebfdde700 Generated at : 2025-10-26T16:50:37Z Runner Host : 1d5ebfdde700 Workflow ID : 🛡️ Shell Script Linting Git Commit : `85c46f3` HEAD -> master	2025-10-26 16:50:37 +00:00
Marc S. Weidner	85c46f3c4c	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m2s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 16:48:17 +00:00
Marc S. Weidner BOT	1c83813ec4	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@0023ceb at 2025-10-26T16:27:39Z on 4f47e3dfaa73 Generated at : 2025-10-26T16:27:39Z Runner Host : 4f47e3dfaa73 Workflow ID : 🛡️ Shell Script Linting Git Commit : `0023ceb` HEAD -> master	2025-10-26 16:27:39 +00:00
Marc S. Weidner	0023ceb83e	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m42s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 16:25:44 +00:00
Marc S. Weidner BOT	d54ca7c415	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@6254d98 at 2025-10-26T16:13:03Z on 8e8821304879 Generated at : 2025-10-26T16:13:03Z Runner Host : 8e8821304879 Workflow ID : 🛡️ Shell Script Linting Git Commit : `6254d98` HEAD -> master	2025-10-26 16:13:03 +00:00
Marc S. Weidner	6254d988e6	Merge remote-tracking branch 'origin/master' All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m2s Details	2025-10-26 16:10:58 +00:00
Marc S. Weidner	3fb9ebe556	V8.00.000.2025.06.17 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 16:10:48 +00:00
Marc S. Weidner BOT	8f3763950a	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@54e72c0 at 2025-10-26T16:06:58Z on 7888ef2e57e4 Generated at : 2025-10-26T16:06:58Z Runner Host : 7888ef2e57e4 Workflow ID : 🛡️ Shell Script Linting Git Commit : `54e72c0` HEAD -> master	2025-10-26 16:06:58 +00:00
Marc S. Weidner	54e72c014b	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 16:05:01 +00:00
Marc S. Weidner BOT	a5282fa305	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@0bde766 at 2025-10-26T15:56:46Z on 5447d238476c Generated at : 2025-10-26T15:56:46Z Runner Host : 5447d238476c Workflow ID : 🛡️ Shell Script Linting Git Commit : `0bde766` HEAD -> master	2025-10-26 15:56:46 +00:00
Marc S. Weidner	0bde766c8c	Merge remote-tracking branch 'origin/master' All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m1s Details	2025-10-26 15:54:42 +00:00
Marc S. Weidner	01275e130e	V8.00.000.2025.06.17 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 15:54:33 +00:00
Marc S. Weidner BOT	a60a1c44ad	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@4fc97f6 at 2025-10-26T15:53:14Z on 354c2474ff0d Generated at : 2025-10-26T15:53:14Z Runner Host : 354c2474ff0d Workflow ID : 🛡️ Shell Script Linting Git Commit : `4fc97f6` HEAD -> master	2025-10-26 15:53:14 +00:00
Marc S. Weidner	4fc97f6988	Merge remote-tracking branch 'origin/master' All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m0s Details	2025-10-26 15:51:11 +00:00
Marc S. Weidner	ab326392e4	V8.00.000.2025.06.17 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 15:51:02 +00:00
Marc S. Weidner BOT	7920f41bd8	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@9928148 at 2025-10-26T15:50:54Z on ba42564d5f6a Generated at : 2025-10-26T15:50:54Z Runner Host : ba42564d5f6a Workflow ID : 🛡️ Shell Script Linting Git Commit : `9928148` HEAD -> master	2025-10-26 15:50:54 +00:00
Marc S. Weidner	9928148850	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m52s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 15:48:56 +00:00
Marc S. Weidner BOT	693f3252ab	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@bd099f5 at 2025-10-26T15:46:52Z on b01ff1809bf2 Generated at : 2025-10-26T15:46:52Z Runner Host : b01ff1809bf2 Workflow ID : 🛡️ Shell Script Linting Git Commit : `bd099f5` HEAD -> master	2025-10-26 15:46:52 +00:00
Marc S. Weidner	bd099f5cec	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 15:44:59 +00:00
Marc S. Weidner BOT	dc9521bac8	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@f927caf at 2025-10-26T15:33:02Z on 558d44a1dd91 Generated at : 2025-10-26T15:33:02Z Runner Host : 558d44a1dd91 Workflow ID : 🛡️ Shell Script Linting Git Commit : `f927caf` HEAD -> master	2025-10-26 15:33:02 +00:00
Marc S. Weidner	f927caf036	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m42s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 15:31:13 +00:00
Marc S. Weidner	9d0b956ece	V8.00.000.2025.06.17 Some checks failed 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 15:29:47 +00:00
Marc S. Weidner BOT	def3971add	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@a9a7db7 at 2025-10-26T15:18:45Z on cabf48d956c9 Generated at : 2025-10-26T15:18:45Z Runner Host : cabf48d956c9 Workflow ID : 🛡️ Shell Script Linting Git Commit : `a9a7db7` HEAD -> master	2025-10-26 15:18:45 +00:00
Marc S. Weidner	a9a7db7c6b	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m52s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 15:16:37 +00:00
Marc S. Weidner	a2b1fcb457	V8.00.000.2025.06.17 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-26 15:11:48 +00:00
				`@@ -1 +0,0 @@`
				`7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda`
				`@@ -1 +0,0 @@`
				`SJF3kOdvm0o9xwT:VdmXE^2w^VTFJeJPdHkd7qNwQVf^7SDmcyZKjcfadS`
				`@@ -1 +0,0 @@`
				`Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!`