CISS.debian.installer/lib/0105_arg_nuke_converter.sh

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Generates 'nuke=HASH' Bootparameter.
# Globals:
#   DIR_CNF
#   ERR_READ_NUKE_FILE
#   VAR_DEBUG_TRACE
#   VAR_NUKE_HASH
# Arguments:
#   None
# Returns:
#   0: on success
#   ERR_READ_NUKE_FILE
#######################################
nuke_passphrase() {
  declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
  declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt=""

  ### No tracing for security reasons
  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
  if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
    return "${ERR_READ_NUKE_FILE}"
  fi
  ### Turn on tracing again
  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x

  if ! var_salt="$(generate_salt)"; then
    return "${ERR_GENERATE_SALT}"
  fi

  ### No tracing for security reasons
  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds=8388608 "${var_temp_plain_nuke_pwd}")
  ### Turn on tracing again
  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x

  declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
  unset var_temp_nuke_hash var_temp_plain_nuke_pwd

  do_log "debug" "file_only" "0105() NUKE hash starts with: ${VAR_NUKE_HASH:0:32}..."

  sync
  if shred -vfzu -n 5 "${var_nuke_pwd_file}" > /dev/null 2>&1; then
    do_log "info" "file_only" "0105() Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> done."
  else
    do_log "warn" "file_only" "0105() Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> NOT successful."
  fi
  sync

  do_log "info" "file_only" "0105() Nuke Hash generated."
  return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh