Bootscript zum Einbinden von dm-crypt/LUKS-Partitionen unter openSUSE: Unterschied zwischen den Versionen
Zeile 7: | Zeile 7: | ||
<br/><br/> | <br/><br/> | ||
<pre> | <pre> | ||
+ | #!/bin/bash | ||
+ | # | ||
+ | # Author: b3ll3roph0n <b3ll3roph0n@gmx.net>, 2007 | ||
+ | # based on SuSE10's boot.crypto script by Werner Fink <werner@suse.de> | ||
+ | # | ||
+ | # /etc/init.d/boot.cryptdisks | ||
+ | # | ||
+ | ### BEGIN INIT INFO | ||
+ | # Provides: boot.cryptdisks | ||
+ | # Required-Start: boot.rootfsck | ||
+ | # Should-Start: boot.md boot.lvm boot.evms $local_fs boot.klog | ||
+ | # Required-Stop: | ||
+ | # Default-Start: B | ||
+ | # Default-Stop: | ||
+ | # Description: Enable LUKS-encrypted file systems before leaving boot phase | ||
+ | ### END INIT INFO | ||
+ | . /etc/rc.status | ||
+ | trap "echo" SIGINT SIGSEGV | ||
+ | set +e | ||
+ | # redirect to real device (e.g. in case of boot logging) | ||
+ | : ${CRYPTTAB:=/etc/crypttab} | ||
+ | : ${TIMEOUT:=120} | ||
+ | if test -z "$REDIRECT" ; then | ||
+ | if (echo -n > /dev/tty) 2>/dev/null ; then | ||
+ | REDIRECT=/dev/tty; | ||
+ | else | ||
+ | REDIRECT=/dev/console; | ||
+ | fi; | ||
+ | fi; | ||
+ | test -s $CRYPTTAB || exit 0 | ||
+ | type -p cryptsetup &> /dev/null || exit 0 | ||
+ | splash=""; | ||
+ | redirect () { | ||
+ | if test -e /proc/splash ; then | ||
+ | read splash < /proc/splash; | ||
+ | echo verbose > /proc/splash; | ||
+ | fi; | ||
+ | otty=$(stty -g); | ||
+ | stty $otty < $REDIRECT; | ||
+ | stty -nl -ixon ignbrk -brkint < $REDIRECT; | ||
+ | if test -x /etc/init.d/kbd -a -n "$RUNLEVEL" ; then | ||
+ | /etc/init.d/kbd start < $REDIRECT > $REDIRECT 2>&1; | ||
+ | fi; | ||
+ | }; | ||
+ | restore () { | ||
+ | stty $otty < $REDIRECT; | ||
+ | [[ "$splash" =~ silent ]] && echo silent > /proc/splash; | ||
+ | }; | ||
+ | ppid=0; | ||
+ | prmt=""; | ||
+ | setprompt () { | ||
+ | if test -t 1 -a "$TERM" != "raw" -a "$TERM" != "dumb" && stty size <&1 > /dev/null 2>&1 | ||
+ | then | ||
+ | ( | ||
+ | trap "exit 0" SIGTERM; | ||
+ | trap "echo" SIGINT SIGSEGV; | ||
+ | usleep 10000; | ||
+ | while test $TIMEOUT -gt 0 ; do | ||
+ | echo -en "\r${prmt}"; | ||
+ | sleep 2; | ||
+ | : $((TIMEOUT-=2)); | ||
+ | done; | ||
+ | ) & ppid=$!; | ||
+ | else | ||
+ | usleep 10000; | ||
+ | echo -en "\r${prmt}"; | ||
+ | ppid=0; | ||
+ | fi; | ||
+ | }; | ||
+ | unsetprompt () { | ||
+ | local ret=$?; | ||
+ | test $ppid -gt 0 && kill -15 $ppid; | ||
+ | ppid=0; | ||
+ | return $ret; | ||
+ | }; | ||
+ | |||
+ | rc_reset | ||
+ | main_status=0; | ||
+ | |||
+ | case "$1" in | ||
+ | start|b) | ||
+ | redirect; | ||
+ | |||
+ | # loading modules | ||
+ | modprobe -q aes; | ||
+ | modprobe -q dm-crypt; | ||
+ | rc_status | ||
+ | test $? -ne 0 && continue; | ||
+ | |||
+ | echo "Activating crypto devices using $CRYPTTAB ... "; | ||
+ | while read cryptname physdev mountp filesys crypto copts keyfile ; do | ||
+ | |||
+ | case "$cryptname" in | ||
+ | \#*|"") continue ;; | ||
+ | esac; | ||
+ | |||
+ | rc_status | ||
+ | if test $? -gt 0 ; then | ||
+ | main_status=1; | ||
+ | fi; | ||
+ | rc_reset | ||
+ | doskip=0; | ||
+ | |||
+ | # does the device exit? | ||
+ | test -b $physdev; | ||
+ | if test $? -ne 0 ; then | ||
+ | echo "${extd}${physdev}: No such device${norm}"; | ||
+ | continue; | ||
+ | fi; | ||
+ | |||
+ | # does the mount point exit? | ||
+ | if [ $filesys != "swap" ]; then | ||
+ | test -d $mountp; | ||
+ | rc_status | ||
+ | if test $? -ne 0 ; then | ||
+ | echo "${extd}${mountp}: No such directory${norm}"; | ||
+ | continue; | ||
+ | fi; | ||
+ | fi; | ||
+ | |||
+ | while true; do | ||
+ | |||
+ | # restore virgin state | ||
+ | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
+ | cryptsetup luksClose $cryptname &> /dev/null || true | ||
+ | else | ||
+ | cryptsetup remove $cryptname &> /dev/null || true | ||
+ | fi; | ||
+ | |||
+ | # open encrypted device | ||
+ | if [ $filesys == "swap" ]; then | ||
+ | cryptsetup --cipher=$crypto -h $copts --key-file=$keyfile create $cryptname $physdev &>/dev/null; | ||
+ | break; | ||
+ | else | ||
+ | if [ ${keyfile:0:1} = "/" -a -s $keyfile ]; then | ||
+ | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
+ | cryptsetup --key-file=$keyfile luksOpen $physdev $cryptname &>/dev/null; | ||
+ | else | ||
+ | cryptsetup --cipher=$crypto --key-file=$keyfile --key-size=$copts create $cryptname $physdev &>/dev/null; | ||
+ | fi; | ||
+ | else | ||
+ | prmt="${extd}Please enter passphrase for $physdev: ${norm}"; | ||
+ | setprompt; | ||
+ | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
+ | cryptsetup --timeout=$TIMEOUT luksOpen $physdev $cryptname < $REDIRECT > $REDIRECT 2>&1 | ||
+ | else | ||
+ | cryptsetup --timeout=$TIMEOUT --cipher=$crypto --key-size=$copts create $cryptname $physdev < $REDIRECT > $REDIRECT 2>&1 | ||
+ | fi; | ||
+ | unsetprompt; | ||
+ | fi; | ||
+ | rc_status | ||
+ | test $? -ne 0 && continue 2; | ||
+ | # check if we've success | ||
+ | if mount -t $filesys -n -o ro /dev/mapper/$cryptname $mountp &> /dev/null ; then | ||
+ | umount -n $mountp &> /dev/null || true | ||
+ | break | ||
+ | else | ||
+ | umount -n $mountp &> /dev/null || true | ||
+ | echo "${warn}An error occured. Maybe the wrong passphrase was"; | ||
+ | echo "entered or the file system on $physdev is corrupted.${norm}"; | ||
+ | while true ; do | ||
+ | echo "${extd}Do you want to retry entering the passphrase or${norm}"; | ||
+ | echo -n "${extd}do you want to continue with a file system check?${norm}"; | ||
+ | read -p " ([${extd}yes${norm}]/${extd}no${norm}/${extd}check${norm}/) " prolo < $REDIRECT | ||
+ | case "$prolo" in | ||
+ | [yY][eE][sS]|[yY]|"") | ||
+ | continue 2 ;; | ||
+ | [nN][oO]|[nN]) | ||
+ | doskip=1; | ||
+ | break 2 ;; | ||
+ | [Cc][hH][eE][Cc][kK]|[Cc]) | ||
+ | break 2 ;; | ||
+ | esac; | ||
+ | done; | ||
+ | fi; | ||
+ | break; | ||
+ | fi; | ||
+ | done; | ||
+ | |||
+ | # does the user have skipped this entry? | ||
+ | if test $doskip -gt 0 ; then | ||
+ | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
+ | cryptsetup luksClose $cryptname &> /dev/null || true | ||
+ | else | ||
+ | cryptsetup remove $cryptname &> /dev/null || true | ||
+ | fi; | ||
+ | continue; | ||
+ | fi; | ||
+ | |||
+ | # check for valid super blocks | ||
+ | case "$filesys" in | ||
+ | ext2) tune2fs -l /dev/mapper/$cryptname &> /dev/null ;; | ||
+ | reiserfs) debugreiserfs /dev/mapper/$cryptname &> /dev/null ;; | ||
+ | swap) mkswap /dev/mapper/$cryptname &> /dev/null ;; | ||
+ | *) true ;; | ||
+ | esac; | ||
+ | rc_status | ||
+ | if test $? -gt 0 ; then | ||
+ | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
+ | cryptsetup luksClose $cryptname &> /dev/null || true | ||
+ | else | ||
+ | cryptsetup remove $cryptname &> /dev/null || true | ||
+ | fi; | ||
+ | continue; | ||
+ | fi; | ||
+ | |||
+ | # checking the structure on the loop device | ||
+ | if [ $filesys != "swap" ]; then | ||
+ | fsck -a -t $filesys /dev/mapper/$cryptname; | ||
+ | FSCK_RETURN=$?; | ||
+ | else | ||
+ | FSCK_RETURN=0; | ||
+ | fi; | ||
+ | test $FSCK_RETURN -lt 2; | ||
+ | rc_status | ||
+ | if test $FSCK_RETURN -gt 1; then | ||
+ | echo "fsck of /dev/mapper/$cryptname failed. Please repair manually."; | ||
+ | echo "${warn}Warning: do never try to repair if you have entered the wrong passphrase.${norm}"; | ||
+ | PS1="(repair filesystem) # "; | ||
+ | /sbin/sulogin $REDIRECT < $REDIRECT > $REDIRECT 2>&1 | ||
+ | sync; | ||
+ | fi; | ||
+ | |||
+ | # Mounting device to mount point | ||
+ | if [ $filesys == "swap" ]; then | ||
+ | swapon /dev/mapper/$cryptname; | ||
+ | else | ||
+ | mount -t $filesys /dev/mapper/$cryptname $mountp; | ||
+ | fi; | ||
+ | rc_status | ||
+ | |||
+ | done < $CRYPTTAB | ||
+ | test $main_status -gt 0 && rc_failed 1 || true | ||
+ | rc_status -v1 | ||
+ | restore | ||
+ | ;; | ||
+ | stop) | ||
+ | reverse () { | ||
+ | local _line | ||
+ | while read -r _line ; do | ||
+ | case "$_line" in | ||
+ | \#*|"") continue ;; | ||
+ | esac; | ||
+ | reverse; | ||
+ | echo "$_line"; | ||
+ | break; | ||
+ | done; | ||
+ | }; | ||
+ | echo "Turning off crypto devices using $CRYPTTAB ... " | ||
+ | while read cryptname physdev mountp filesys crypto copts keyfile ; do | ||
+ | |||
+ | case "$cryptname" in | ||
+ | \#*|"") continue ;; | ||
+ | esac; | ||
+ | |||
+ | rc_status | ||
+ | if test $? -gt 0 ; then | ||
+ | main_status=1; | ||
+ | fi; | ||
+ | rc_reset | ||
+ | |||
+ | # umount device | ||
+ | if [ $filesys == "swap" ]; then | ||
+ | swapoff /dev/mapper/$cryptname; | ||
+ | else | ||
+ | if [ `cat /proc/mounts | grep /dev/mapper/$cryptname | wc -l` -gt 0 ]; then | ||
+ | umount /dev/mapper/$cryptname; | ||
+ | fi; | ||
+ | fi; | ||
+ | rc_status | ||
+ | |||
+ | # close device | ||
+ | if [ -e /dev/mapper/$cryptname ]; then | ||
+ | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
+ | cryptsetup luksClose $cryptname &> /dev/null || true | ||
+ | else | ||
+ | cryptsetup remove $cryptname &> /dev/null || true | ||
+ | fi; | ||
+ | rc_status | ||
+ | fi; | ||
+ | |||
+ | done < <(reverse < $CRYPTTAB) | ||
+ | test $main_status -gt 0 && rc_failed 1 || true | ||
+ | rc_status -v1 | ||
+ | ;; | ||
+ | status) | ||
+ | rc_failed 4 | ||
+ | rc_status -v | ||
+ | ;; | ||
+ | restart) | ||
+ | $0 stop | ||
+ | $0 start | ||
+ | rc_status | ||
+ | ;; | ||
+ | *) | ||
+ | echo "Usage: $0 {start|stop|status|restart}" | ||
+ | exit 1 | ||
+ | ;; | ||
+ | esac; | ||
+ | |||
+ | rc_exit | ||
+ | |||
+ | # End of file | ||
</pre> | </pre> | ||
<br/><br/> | <br/><br/> |
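Review bot: `test $? -ne 0 && continue;` right after `modprobe -q dm-crypt` sits outside any loop, so bash only prints "continue: only meaningful in a `for', `while', or `until' loop" and the start branch goes on to call cryptsetup for every crypttab entry even though the device-mapper target may be missing; either warn explicitly, `test $? -ne 0 && echo "${warn}dm-crypt module not loaded${norm}"`, or abort the start branch there. The `if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then` tests only work because the substitution expands to nothing and bash then reuses its exit status; `if /sbin/cryptsetup isLuks "$physdev" 2>/dev/null; then` says what is meant and also quotes the field. Every crypttab field is expanded unquoted, `read` is used without `-r`, and the stop branch's `grep /dev/mapper/$cryptname` is an unanchored substring match, so a volume named `data` also matches `data2`; an exact field comparison such as `awk -v dev="/dev/mapper/$cryptname" '$1 == dev {f=1} END {exit !f}' /proc/mounts` avoids that. Two behaviours deserve a comment in the script: a failed `luksOpen` (wrong passphrase or timeout) reaches `continue 2` and silently leaves the entry unmounted, so later writes to `$mountp` land unencrypted on the parent file system, and the fsck failure path runs `/sbin/sulogin` on the console, which with sulogin's usual behaviour hands a root shell to whoever is at the keyboard if the root account has an empty password.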
Version vom 29. April 2007, 13:04 Uhr
Bootscript zum Einbinden von dm-crypt/LUKS-Partitionen unter openSUSE
Ein Bootscript, um mit cryptsetup (inklusive LUKS-Erweiterung) verschlüsselte Partitionen anhand der Einträge in /etc/crypttab beim Systemstart von openSUSE einzubinden. Ist für einen Eintrag keine Schlüsseldatei angegeben, wird die Passphrase beim Booten auf der Konsole abgefragt.
Eine ausführliche Beschreibung findet sich hier: Verschlüsselung: dm-crypt/luks unter openSUSE
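#!/bin/bash
#
# Author: b3ll3roph0n <b3ll3roph0n@gmx.net>, 2007
# based on SuSE10's boot.crypto script by Werner Fink <werner@suse.de>
#
# /etc/init.d/boot.cryptdisks
#
# Activates the dm-crypt/LUKS volumes listed in $CRYPTTAB during the boot
# phase ("start"/"b") and tears them down again on "stop".  Every
# non-comment line of the crypttab is read as seven whitespace-separated
# fields:
#
#   <name> <device> <mountpoint> <fstype> <cipher> <copts> <keyfile>
#
# Volumes that "cryptsetup isLuks" recognises are opened with luksOpen,
# everything else with "cryptsetup create".  Swap entries are always set up
# as plain volumes from <keyfile> and re-initialised with mkswap on every
# boot.  Note that <copts> is passed as "-h" (hash) for swap but as
# "--key-size" for all other plain volumes -- TODO confirm that this is the
# intended crypttab format for both cases.
#
# Security / operational notes:
#  * Passphrases are read from $REDIRECT (/dev/tty, else /dev/console)
#    with a $TIMEOUT second limit.  SIGINT is trapped so Ctrl-C at the
#    prompt cannot kill the boot script.
#  * An entry whose device or mount point is missing, whose luksOpen fails
#    (wrong passphrase, timeout) or which the user skips is left closed;
#    $mountp then stays an ordinary empty directory on the parent file
#    system, so anything written there later is NOT encrypted.
#  * If fsck reports uncorrected errors the script runs /sbin/sulogin on
#    the console.  sulogin authenticates against root's password; with an
#    empty root password it would give out the shell without asking.
#
### BEGIN INIT INFO
# Provides: boot.cryptdisks
# Required-Start: boot.rootfsck
# Should-Start: boot.md boot.lvm boot.evms $local_fs boot.klog
# Required-Stop:
# Default-Start: B
# Default-Stop:
# Description: Enable LUKS-encrypted file systems before leaving boot phase
### END INIT INFO
. /etc/rc.status
# Ctrl-C or a crash signal at the passphrase prompt must not abort the boot
# sequence; just move the cursor to a fresh line.
trap "echo" SIGINT SIGSEGV
# Failures are handled per crypttab entry via rc_status, never by aborting.
set +e

: ${CRYPTTAB:=/etc/crypttab}
: ${TIMEOUT:=120}

# redirect to real device (e.g. in case of boot logging)
if test -z "$REDIRECT" ; then
    if (echo -n > /dev/tty) 2>/dev/null ; then
        REDIRECT=/dev/tty
    else
        REDIRECT=/dev/console
    fi
fi

# Nothing to do without a crypttab or without cryptsetup.
test -s "$CRYPTTAB" || exit 0
type -p cryptsetup &> /dev/null || exit 0

splash=""
otty=""

# Switch the console into a usable state for the passphrase dialog: leave
# silent splash mode, put the tty into a sane line discipline and load the
# keymap.  Saves the previous splash state and tty settings for restore().
redirect () {
    if test -e /proc/splash ; then
        read splash < /proc/splash
        echo verbose > /proc/splash
    fi
    otty=$(stty -g)
    stty $otty < "$REDIRECT"
    stty -nl -ixon ignbrk -brkint < "$REDIRECT"
    # Load the keymap so the passphrase is typed with the right layout.
    if test -x /etc/init.d/kbd -a -n "$RUNLEVEL" ; then
        /etc/init.d/kbd start < "$REDIRECT" > "$REDIRECT" 2>&1
    fi
}

# Undo redirect(): restore the saved tty settings and silent splash mode.
restore () {
    stty $otty < "$REDIRECT"
    [[ "$splash" =~ silent ]] && echo silent > /proc/splash
}

ppid=0
prmt=""

# Print $prmt on the console.  On a real terminal a background job
# re-prints it every two seconds (so it survives kernel messages) until
# $TIMEOUT seconds are used up; its pid is kept in $ppid for unsetprompt().
setprompt () {
    if test -t 1 -a "$TERM" != "raw" -a "$TERM" != "dumb" && stty size <&1 > /dev/null 2>&1
    then
        (
            trap "exit 0" SIGTERM
            trap "echo" SIGINT SIGSEGV
            usleep 10000
            while test $TIMEOUT -gt 0 ; do
                echo -en "\r${prmt}"
                sleep 2
                : $((TIMEOUT-=2))
            done
        ) & ppid=$!
    else
        usleep 10000
        echo -en "\r${prmt}"
        ppid=0
    fi
}

# Stop the prompt refresher started by setprompt().  Returns the exit
# status of the command that ran in between (cryptsetup), so the caller's
# rc_status still sees the real result.
unsetprompt () {
    local ret=$?
    test $ppid -gt 0 && kill -15 $ppid
    ppid=0
    return $ret
}

# Tear down the mapping named $1 whose backing device is $2, using
# luksClose for LUKS devices and "remove" for plain dm-crypt ones.
# Always succeeds; a missing mapping is not an error.
close_crypt () {
    if /sbin/cryptsetup isLuks "$2" 2>/dev/null ; then
        cryptsetup luksClose "$1" &> /dev/null || true
    else
        cryptsetup remove "$1" &> /dev/null || true
    fi
}

rc_reset
main_status=0

case "$1" in
    start|b)
        redirect

        # loading modules.  modprobe may legitimately fail when dm-crypt is
        # built into the kernel, so this only warns; cryptsetup below will
        # fail per entry if the target really is unavailable.
        modprobe -q aes
        modprobe -q dm-crypt
        rc_status
        if test $? -ne 0 ; then
            echo "${warn}Loading the dm-crypt kernel module failed, trying anyway${norm}"
        fi

        echo "Activating crypto devices using $CRYPTTAB ... "
        while read -r cryptname physdev mountp filesys crypto copts keyfile ; do

            # skip comments and empty lines
            case "$cryptname" in
                \#*|"") continue ;;
            esac

            # Remember a failure of the previous entry, then start clean.
            rc_status
            if test $? -gt 0 ; then
                main_status=1
            fi
            rc_reset
            doskip=0

            # the backing block device must exist (not counted as failure)
            if ! test -b "$physdev" ; then
                echo "${extd}${physdev}: No such device${norm}"
                continue
            fi

            # non-swap entries need an existing mount point (counted as failure)
            if [ "$filesys" != "swap" ]; then
                test -d "$mountp"
                rc_status
                if test $? -ne 0 ; then
                    echo "${extd}${mountp}: No such directory${norm}"
                    continue
                fi
            fi

            # Open the volume.  Loops until the content mounts, the user
            # skips the entry (doskip=1) or asks for a file system check.
            while true; do

                # restore virgin state: drop any stale mapping first
                close_crypt "$cryptname" "$physdev"

                if [ "$filesys" == "swap" ]; then
                    # swap: plain volume from the key file, no passphrase,
                    # no mount test -- mkswap below validates the result
                    cryptsetup --cipher="$crypto" -h "$copts" --key-file="$keyfile" create "$cryptname" "$physdev" &>/dev/null
                    break
                fi

                if [[ "${keyfile:0:1}" == "/" && -s "$keyfile" ]]; then
                    # key file present: open without asking
                    if /sbin/cryptsetup isLuks "$physdev" 2>/dev/null ; then
                        cryptsetup --key-file="$keyfile" luksOpen "$physdev" "$cryptname" &>/dev/null
                    else
                        cryptsetup --cipher="$crypto" --key-file="$keyfile" --key-size="$copts" create "$cryptname" "$physdev" &>/dev/null
                    fi
                else
                    # ask for the passphrase on the console
                    prmt="${extd}Please enter passphrase for $physdev: ${norm}"
                    setprompt
                    if /sbin/cryptsetup isLuks "$physdev" 2>/dev/null ; then
                        cryptsetup --timeout=$TIMEOUT luksOpen "$physdev" "$cryptname" < "$REDIRECT" > "$REDIRECT" 2>&1
                    else
                        cryptsetup --timeout=$TIMEOUT --cipher="$crypto" --key-size="$copts" create "$cryptname" "$physdev" < "$REDIRECT" > "$REDIRECT" 2>&1
                    fi
                    unsetprompt
                fi
                # A failed open (wrong LUKS passphrase, timeout, bad
                # options) gives up on this entry without a retry dialog.
                rc_status
                test $? -ne 0 && continue 2

                # check if we've success: a wrong passphrase on a plain
                # volume only shows up as unmountable garbage
                if mount -t "$filesys" -n -o ro "/dev/mapper/$cryptname" "$mountp" &> /dev/null ; then
                    umount -n "$mountp" &> /dev/null || true
                    break
                fi
                umount -n "$mountp" &> /dev/null || true
                echo "${warn}An error occured. Maybe the wrong passphrase was"
                echo "entered or the file system on $physdev is corrupted.${norm}"
                while true ; do
                    echo "${extd}Do you want to retry entering the passphrase or${norm}"
                    echo -n "${extd}do you want to continue with a file system check?${norm}"
                    read -r -p " ([${extd}yes${norm}]/${extd}no${norm}/${extd}check${norm}/) " prolo < "$REDIRECT"
                    case "$prolo" in
                        [yY][eE][sS]|[yY]|"")
                            continue 2 ;;
                        [nN][oO]|[nN])
                            doskip=1
                            break 2 ;;
                        [Cc][hH][eE][Cc][kK]|[Cc])
                            break 2 ;;
                    esac
                done
            done

            # the user skipped this entry: close it and leave it unmounted
            if test $doskip -gt 0 ; then
                close_crypt "$cryptname" "$physdev"
                continue
            fi

            # check for valid super blocks before running fsck; swap is
            # re-initialised every boot (its key file is typically random)
            case "$filesys" in
                ext2) tune2fs -l "/dev/mapper/$cryptname" &> /dev/null ;;
                reiserfs) debugreiserfs "/dev/mapper/$cryptname" &> /dev/null ;;
                swap) mkswap "/dev/mapper/$cryptname" &> /dev/null ;;
                *) true ;;
            esac
            rc_status
            if test $? -gt 0 ; then
                close_crypt "$cryptname" "$physdev"
                continue
            fi

            # checking the structure on the decrypted device;
            # fsck exit codes >= 2 mean errors that were not corrected
            if [ "$filesys" != "swap" ]; then
                fsck -a -t "$filesys" "/dev/mapper/$cryptname"
                FSCK_RETURN=$?
            else
                FSCK_RETURN=0
            fi
            test $FSCK_RETURN -lt 2
            rc_status
            if test $FSCK_RETURN -gt 1; then
                # Hand the console to an administrator for manual repair.
                # sulogin checks root's password first -- an empty root
                # password means an unauthenticated root shell here.
                echo "fsck of /dev/mapper/$cryptname failed. Please repair manually."
                echo "${warn}Warning: do never try to repair if you have entered the wrong passphrase.${norm}"
                PS1="(repair filesystem) # "
                /sbin/sulogin "$REDIRECT" < "$REDIRECT" > "$REDIRECT" 2>&1
                sync
            fi

            # Mounting device to mount point / enabling swap
            if [ "$filesys" == "swap" ]; then
                swapon "/dev/mapper/$cryptname"
            else
                mount -t "$filesys" "/dev/mapper/$cryptname" "$mountp"
            fi
            rc_status

        done < "$CRYPTTAB"
        test $main_status -gt 0 && rc_failed 1 || true
        rc_status -v1
        restore
        ;;
    stop)
        # Echo the non-comment lines of stdin in reverse order, so that
        # volumes are closed in the opposite order of their activation.
        reverse () {
            local _line
            while read -r _line ; do
                case "$_line" in
                    \#*|"") continue ;;
                esac
                reverse
                echo "$_line"
                break
            done
        }
        echo "Turning off crypto devices using $CRYPTTAB ... "
        while read -r cryptname physdev mountp filesys crypto copts keyfile ; do

            case "$cryptname" in
                \#*|"") continue ;;
            esac

            rc_status
            if test $? -gt 0 ; then
                main_status=1
            fi
            rc_reset

            # umount device (exact match on the mount source, so that a
            # volume "data" does not also match "data2")
            if [ "$filesys" == "swap" ]; then
                swapoff "/dev/mapper/$cryptname"
            else
                if awk -v dev="/dev/mapper/$cryptname" '$1 == dev { found = 1 } END { exit !found }' /proc/mounts ; then
                    umount "/dev/mapper/$cryptname"
                fi
            fi
            rc_status

            # close device
            if [ -e "/dev/mapper/$cryptname" ]; then
                close_crypt "$cryptname" "$physdev"
                rc_status
            fi

        done < <(reverse < "$CRYPTTAB")
        test $main_status -gt 0 && rc_failed 1 || true
        rc_status -v1
        ;;
    status)
        # no per-device state is tracked, so report "unknown"
        rc_failed 4
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
        ;;
esac

rc_exit

# End of file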