CISS.debian.installer/lib/0104_arg_nuke_converter.sh

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Generates 'nuke=HASH' Bootparameter.
# Globals:
#   DIR_CNF
#   ERR_READ_NUKE_FILE
#   VAR_DEBUG_TRACE
#   VAR_NUKE_HASH
# Arguments:
#   None
# Returns:
#   0: on success
#   ERR_READ_NUKE_FILE
#######################################
nuke_passphrase() {
  declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
  declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt=""

  ### No tracing for security reasons
  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
  if [[ ! -f "${var_nuke_pwd_file}" ]] || ! IFS= read -r var_temp_plain_nuke_pwd < "${var_nuke_pwd_file}"; then
    return "${ERR_READ_NUKE_FILE}"
  fi
  ### Turn on tracing again
  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x

  # shellcheck disable=SC2312
  var_salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)

  ### No tracing for security reasons
  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds=8388608 "${var_temp_plain_nuke_pwd}")
  ### Turn on tracing again
  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x

  declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
  unset var_temp_nuke_hash var_temp_plain_nuke_pwd

  do_log "debug" "true" "NUKE hash starts with: ${VAR_NUKE_HASH:0:12}..."

  sync
  if shred -vfzu -n 5 "${var_nuke_pwd_file}" > /dev/null 2>&1; then
    do_log "info" "file_only" "✅ Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> done."
  else
    do_log "warn" "false" "❌ Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> NOT successful."
  fi
  sync

  do_log "info" "file_only" "Nuke Hash generated."
  return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh