#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu guard_sourcing || return "${ERR_GUARD_SOURCE}" ####################################### # Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'. # Globals: # ARY_CRYPT_MOUNT_PATHS # CISS_SECRET_LUKS_BACKUP # CISS_SECRET_LUKS_BOOT # CISS_SECRET_LUKS_COMMON # DIR_BAK # DIR_CNF # DIR_LOG # HMP_EPHEMERAL_ENCLABEL # HMP_EPHEMERAL_FS_LABEL # HMP_PATH_DEV_PART # HMP_PATH_ENCLABEL # HMP_PATH_LUKSUUID # VAR_CRYPT_BOOT # VAR_CRYPT_RECOVERY # VAR_CRYPT_ROOT # VAR_FINAL_FQDN # VAR_ITER_TIME # VAR_KDF_ITERATIONS # VAR_KDF_MEMORY # VAR_KDF_THREADS # VAR_LUKS_BACKUP # VAR_LUKS_PGP # VAR_LUKS_URL # VAR_RECIPE_STRING # VAR_SETUP_PART # VAR_SETUP_PATH # Arguments: # None # Returns: # 0: on success # ERR_LUKS_HEADER_ENC: on failure ####################################### partition_encryption() { ### Declare Arrays, HashMaps, and Variables. declare -Ag HMP_PATH_LUKSUUID # Used in: 3290() - [Mount Path:LUKS UUID]. # Used in: 4210() - [Mount Path:LUKS UUID]. declare -Ag HMP_EPHEMERAL_ENCLABEL # Used in: 4200() - [Mount Path:LUKS Encryption Label]. declare -Ag HMP_EPHEMERAL_FS_LABEL # Used in: 4210() - [Mount Path:Ephemeral Host FS Label]. Substituted by FS-UUID declare -Ag HMP_PATH_ENCLABEL # Used in: 4210() - [Mount Path:LUKS Encryption Label]. declare -gx VAR_CRYPT_ROOT="" # LUKS UUID of '/'. declare -gx VAR_CRYPT_RECOVERY="" # LUKS UUID of '/recovery'. declare var_encryption_path="" var_dev_part="" var_dev="" \ var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \ var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \ var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \ var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" \ var_temp_plain_nc_auth="" declare -a ary_luks_opts=() ### SECRETS handling --------------------------------------------------------------------------------------------------------- guard_trace on printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt" printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt" unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON guard_trace on ### SECRETS handling --------------------------------------------------------------------------------------------------------- if [[ -n "${VAR_LUKS_URL}" ]]; then VAR_LUKS_URL=${VAR_LUKS_URL%/} ### SECRETS handling ------------------------------------------------------------------------------------------------------- guard_trace on var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}" unset CISS_SECRET_LUKS_BACKUP guard_trace on ### SECRETS handling ------------------------------------------------------------------------------------------------------- do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set." fi for var_encryption_path in "${ARY_CRYPT_MOUNT_PATHS[@]}"; do ### Initialize Arrays and Variables ary_luks_opts=() ### Generates physical device location. var_dev_part="${HMP_PATH_DEV_PART["${var_encryption_path}"]}" var_dev="${var_dev_part//./}" ### Extract parameters from YAML. var_encryption_ephemeral=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.encryption.ephemeral" "${VAR_SETUP_PART}") var_encryption_integrity=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.encryption.integrity" "${VAR_SETUP_PART}") var_encryption_cipher=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.encryption.cipher" "${VAR_SETUP_PART}") var_encryption_hash=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.encryption.hash" "${VAR_SETUP_PART}") var_encryption_key=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.encryption.key" "${VAR_SETUP_PART}") var_encryption_slot=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.encryption.keyslotssize" "${VAR_SETUP_PART}") var_encryption_meta=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.encryption.metadatasize" "${VAR_SETUP_PART}") var_encryption_pbkdf=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.encryption.pbkdf" "${VAR_SETUP_PART}") var_encryption_rng=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.encryption.rng" "${VAR_SETUP_PART}") var_fs=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.filesystem.version" "${VAR_SETUP_PART}") var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev_part}.mount.path" "${VAR_SETUP_PART}") var_encryption_label=$(get_label "${var_encryption_path}" "${var_fs}" "luks") if [[ "${var_encryption_path,,}" == "/boot" ]]; then ary_luks_opts=( --key-file "${DIR_CNF}/password_luks_boot.txt" ) ary_luks_opts+=( --iter-time "${VAR_ITER_TIME:-3000}"\ ) else ary_luks_opts=( --key-file "${DIR_CNF}/password_luks_common.txt" ) ary_luks_opts+=( --pbkdf-parallel "${VAR_KDF_THREADS:-1}" --pbkdf-memory "${VAR_KDF_MEMORY:-4}" --pbkdf-force-iterations "${VAR_KDF_ITERATIONS:-4}"\ ) fi ary_luks_opts+=( --type luks2 --cipher "${var_encryption_cipher:-aes-xts-plain64}" --hash "${var_encryption_hash:-sha512}" --key-size "${var_encryption_key:-512}" --label "${var_encryption_label}" --luks2-keyslots-size "${var_encryption_slot:-16777216}" --luks2-metadata-size "${var_encryption_meta:-4194304}" --pbkdf "${var_encryption_pbkdf:-argon2id}" "--${var_encryption_rng}" --batch-mode --verbose ) [[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=( --integrity hmac-sha512 ) if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then ### Preparation of Ephemeral 'SWAP' and '/tmp' as per https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#UUID_and_LABEL case "${var_encryption_path,,}" in swap|/tmp) var_filesystem_label=$(get_label "${var_encryption_path}" "${var_fs}" "file") HMP_EPHEMERAL_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}" HMP_EPHEMERAL_FS_LABEL["${var_encryption_path}"]="${var_filesystem_label}" do_log "debug" "file_only" "3220() [HMP_EPHEMERAL_ENCLABEL]: '${var_encryption_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_encryption_path}"]}'" do_log "debug" "file_only" "3220() [HMP_EPHEMERAL_FS_LABEL]: '${var_encryption_path}' -> '${HMP_EPHEMERAL_FS_LABEL["${var_encryption_path}"]}'" ### The setup of ephemeral devices MUST stop here. continue ;; *) do_log "error" "file_only" "3220() Invalid mount path: '${var_encryption_path}' for partition: '/dev/${var_dev}'." ### There is no other need to implement ephemeral devices. continue ;; esac fi cryptsetup luksFormat "${ary_luks_opts[@]}" "/dev/${var_dev}" if [[ "${var_encryption_integrity,,}" == "true" ]]; then do_log "debug" "file_only" "3220() [cryptsetup luksFormat ${ary_luks_opts[*]} /dev/${var_dev}]." do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' dm-integrity encrypted." else do_log "debug" "file_only" "3220() [cryptsetup luksFormat ${ary_luks_opts[*]} /dev/${var_dev}]." do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' encrypted." fi ### Opening the encrypted container. if [[ "${var_encryption_path,,}" == "/boot" ]]; then cryptsetup luksOpen "/dev/${var_dev}" \ --key-file="${DIR_CNF}/password_luks_boot.txt" \ "${var_encryption_label}" else cryptsetup luksOpen "/dev/${var_dev}" \ --key-file="${DIR_CNF}/password_luks_common.txt" \ "${var_encryption_label}" fi do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'." ### Create luksDump log entry. cryptsetup luksDump "/dev/${var_dev}" >> "${DIR_LOG}/3220_cryptsetup_luksdump_${var_dev}.log" ### Store UUID of the LUKS container. var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}") [[ "${var_encryption_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}" [[ "${var_encryption_path}" == "/boot" ]] && declare -grx VAR_CRYPT_BOOT="${var_uuid}" [[ "${var_encryption_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}" HMP_PATH_LUKSUUID["${var_encryption_path}"]="${var_uuid}" HMP_PATH_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}" do_log "debug" "file_only" "3220() [HMP_PATH_LUKSUUID]: '${var_encryption_path}' -> '${HMP_PATH_LUKSUUID["${var_encryption_path}"]}'" do_log "debug" "file_only" "3220() [HMP_PATH_ENCLABEL]: '${var_encryption_path}' -> '${HMP_PATH_ENCLABEL["${var_encryption_path}"]}'" ### Backup the LUKS Header. if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak" var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak.pgp" var_luks_backup_pgp="${DIR_BAK}/luks_header_${var_dev}.bak.pgp" case "${VAR_LUKS_PGP}" in ciss) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;; physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;; none) do_log "error" "file_only" "3220() No PGP public key for LUKS Header encryption provided."; continue ;; *) do_log "fatal" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;; esac if cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"; then do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'." else do_log "fatal" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header backup failed for: '${var_luks_backup_file}'." return "${ERR_LUKS_HEADER_ENC}" fi if gpg --batch --yes --no-tty --compress-level 0 \ --recipient-file "${var_pgp_publickey}" \ --encrypt -o "${var_luks_backup_pgp}" -- "${var_luks_backup_file}"; then do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header encrypted: '${var_luks_backup_pgp}'." if command -v shred >/dev/null 2>&1; then shred -vfzu -n 5 "${var_luks_backup_file}" || rm -f "${var_luks_backup_file}" else rm -f "${var_luks_backup_file}" fi else do_log "fatal" "file_only" "3220() GPG encryption failed for '${var_luks_backup_file}'. Keeping plaintext for diagnostics." return "${ERR_LUKS_HEADER_ENC}" fi if [[ -n "${VAR_LUKS_URL}" ]]; then ### SECRETS handling --------------------------------------------------------------------------------------------------- guard_trace on if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \ --upload-file "${var_luks_backup_pgp}" --user "${var_temp_plain_nc_auth}" > /dev/null 2>&1; then do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful." rm -f "${var_luks_backup_pgp}" else do_log "warn" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' failed." fi guard_trace off ### SECRETS handling --------------------------------------------------------------------------------------------------- fi fi done ### SECRETS handling --------------------------------------------------------------------------------------------------------- guard_trace on [[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth guard_trace off ### SECRETS handling --------------------------------------------------------------------------------------------------------- ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt" ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt" guard_dir; return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 readonly -f partition_encryption # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh