msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bd438602ea9acdaff5f47b1ad204b3f5d6199d91ce581608ebc7ee8adb2a7355
CISS.debian.installer/func/3220_partition_encryption.sh
Marc S. Weidner 804788b38b V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-25 17:28:11 +02:00

248 lines
13 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Function to encrypt the respective partition on each device according to the chosen recipe string.
partition_encryption() {
### Declare Arrays and Variables.
declare -Ag HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL
declare -Ag HMP_ENCRYPTIONLABEL_UUID HMP_MOUNTPATH_ENCRYPTIONLABEL
declare var_dev var_part \
var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_nuke var_encryption_cipher \
var_encryption_hash var_encryption_iter var_encryption_key var_encryption_label var_encryption_meta \
var_encryption_pbkdf var_encryption_rng var_filesystem_label var_mount_path
### Iterate over all devices in the recipe.
for var_dev in $(yq e ".recipe.${RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}"); do
### Iterate over all partitions for this device.
for var_part in $(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}"); do
### Extract parameters from YAML.
var_encryption_enable=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable" "${VAR_SETUP_PART}")
var_encryption_ephemeral=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.ephemeral" "${VAR_SETUP_PART}")
var_encryption_integrity=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.integrity" "${VAR_SETUP_PART}")
var_encryption_nuke=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.nuke" "${VAR_SETUP_PART}")
var_encryption_cipher=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.cipher" "${VAR_SETUP_PART}")
var_encryption_hash=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.hash" "${VAR_SETUP_PART}")
var_encryption_iter=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.itertime" "${VAR_SETUP_PART}")
var_encryption_key=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.key" "${VAR_SETUP_PART}")
var_encryption_label=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label" "${VAR_SETUP_PART}")
var_encryption_meta=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.metadatasize" "${VAR_SETUP_PART}")
var_encryption_pbkdf=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.pbkdf" "${VAR_SETUP_PART}")
var_encryption_rng=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.rng" "${VAR_SETUP_PART}")
var_filesystem_label=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label" "${VAR_SETUP_PART}")
var_mount_path=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}")
if [[ "${var_encryption_enable,,}" == "true" ]]; then
if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then
if [[ "${var_mount_path}" == "SWAP" ]]; then
mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
do_log "info" "false" "Ephemeral 'SWAP' prepared on: '/dev/${var_dev}${var_part}'."
HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
elif [[ "${var_mount_path}" == "/tmp" ]]; then
mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
do_log "info" "false" "Ephemeral '/tmp' prepared on: '/dev/${var_dev}${var_part}'."
HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'MOUNT_PATH': '${var_mount_path}'."
fi
elif [[ "${var_encryption_ephemeral,,}" == "false" ]]; then
if [[ "${var_encryption_integrity,,}" == "true" ]]; then
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--integrity hmac-sha512 \
--batch-mode --verbose
cryptsetup luksAddKey "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
elif [[ "${var_encryption_nuke,,}" == "false" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--integrity hmac-sha512 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'NUKE_ENABLE': '${var_encryption_nuke}'."
fi
elif [[ "${var_encryption_integrity,,}" == "false" ]]; then
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--batch-mode --verbose
cryptsetup luksAddKey "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '/${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
elif [[ ${var_encryption_nuke,,} == "false" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '/${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'NUKE_ENABLE': '${var_encryption_nuke}'."
fi
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'INTEGRITY_ENABLE': '${var_encryption_integrity}'."
fi
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'EPHEMERAL_ENABLE': '${var_encryption_ephemeral}'."
fi
else
do_log "error" "true" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'ENCRYPTION_ENABLE': '${var_encryption_enable}'."
fi
### Opening encrypted partition.
if [[ "${var_encryption_enable,,}" == "true" && ${var_encryption_ephemeral,,} == "false" ]]; then
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
"${var_encryption_label}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
### Store UUID of the encrypted partition
# shellcheck disable=SC2155
declare var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")
if [[ "${var_mount_path}" = "/" ]]; then
# shellcheck disable=SC2155
declare -grx VAR_CRYPT_ROOT="$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")"
fi
HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]="${var_uuid}"
HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Saved in HashMap [HMP_ENCRYPTIONLABEL_UUID] : '${var_encryption_label}' -> '${HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]}'"
do_log "info" "false" "Saved in HashMap [HMP_MOUNTPATH_ENCRYPTIONLABEL] : '${var_mount_path}' -> '${HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]}'"
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Opening encrypted partition - Invalid value for 'ENCRYPTION_ENABLE': '${var_encryption_enable}' and 'EPHEMERAL_ENABLE': '${var_encryption_ephemeral}'."
fi
done
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
Reference in New Issue View Git Blame Copy Permalink