msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ed061442d64aa2f6fe1b062af11fb90b8ee0a5032f7123487f44c39c29136d0
CISS.debian.installer/source/func/3.7.3.functions_installation_generate_crypttab.sh
Marc S. Weidner e8d85a39ae
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 34s
Details
🔁 Render Graphviz Diagrams. / 🔁 Render Graphviz Diagrams. (push) Successful in 24s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m35s
Details
V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-25 10:10:41 +02:00

116 lines
5.3 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.3. Functions - installation - generate crypttab #
###########################################################################################
###########################################################################################
# Generate "${TARGET}" /etc/crypttab entries.
# Globals:
# MAP_PATH_CRYPT
# MAP_UUID_CRYPT
# MODULE_ERR
# MODULE_TXT
# TARGET
# Arguments:
# None
###########################################################################################
3_7_3_functions_installation_generate_crypttab() {
declare -g -x MODULE_ERR="3_7_3_functions_installation_generate_crypttab"
declare -g -x MODULE_TXT="Generating '${TARGET}/etc/crypttab' entries"
do_show_header "${MODULE_TXT}"
# Generate '${TARGET}/etc/crypttab'.
touch "${TARGET}"/etc/crypttab
chmod 0644 "${TARGET}"/etc/crypttab
# Generate '${TARGET}/etc/crypttab' header.
# shellcheck disable=SC2129
cat << 'EOF' >> "${TARGET}"/etc/crypttab
# <name> <device> <password-file-or-none> <options>
EOF
### Reminder ###
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
# do_log "info" "false" "Saved in HashMap MAP_UUID_CRYPT: '${ENCRYPTION_LABEL}' -> '${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]}'"
# do_log "info" "false" "Saved in HashMap MAP_PATH_CRYPT: '${MOUNT_PATH}' -> '${MAP_PATH_CRYPT["${MOUNT_PATH}"]}'"
# Generate '${TARGET}/etc/crypttab' entries.
declare KEY=""
declare ENCRYPTION_LABEL=""
for KEY in "${MAP_PATH_CRYPT[@]}"; do
ENCRYPTION_LABEL="${MAP_PATH_CRYPT["${KEY}"]}"
if [[ ${accounts_dropbear_unlock,,} == "true" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on /dev/mapper/${MAP_PATH_CRYPT["${KEY}"]} during installation" >> "${TARGET}"/etc/crypttab
echo "${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,initramfs" >> "${TARGET}"/etc/crypttab
echo "" >> "${TARGET}"/etc/crypttab
do_log "info" "false" "'${TARGET}/etc/crypttab' entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT[${ENCRYPTION_LABEL}]} none luks,discard,initramfs'."
elif [[ ${accounts_dropbear_unlock,,} == "false" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on /dev/mapper/${MAP_PATH_CRYPT["${KEY}"]} during installation" >> "${TARGET}"/etc/crypttab
echo "${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks" >> "${TARGET}"/etc/crypttab
echo "" >> "${TARGET}"/etc/crypttab
do_log "info" "false" "'${TARGET}/etc/crypttab' entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT[${ENCRYPTION_LABEL}]} none luks,discard'."
fi
done
# TODO: Update loop to iterate thru dynamic number of ephemeral drives.
# Generate '${TARGET}/etc/crypttab' special ephemeral entries.
declare -a EPHEMERAL_MOUNT_PATH=("SWAP" "/tmp")
declare KEY=""
# MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
# MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
for KEY in "${EPHEMERAL_MOUNT_PATH[@]}"; do
if [[ ${KEY} == "SWAP" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/crypttab
# TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" >> "${TARGET}"/etc/crypttab
echo "" >> "${TARGET}"/etc/crypttab
do_log "info" "false" "'${TARGET}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
elif [[ ${KEY} == "/tmp" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/crypttab
# TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" >> "${TARGET}"/etc/crypttab
echo "" >> "${TARGET}"/etc/crypttab
do_log "info" "false" "'${TARGET}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
else
do_log "info" "true" "${TARGET}/etc/crypttab entries written."
fi
done
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
Reference in New Issue View Git Blame Copy Permalink