Bootscript zum Einbinden von dm-crypt/LUKS-Partitionen unter openSUSE: Unterschied zwischen den Versionen
| (Eine dazwischenliegende Version desselben Benutzers wird nicht angezeigt) | |||
| Zeile 7: | Zeile 7: | ||
<br/><br/> | <br/><br/> | ||
<pre> | <pre> | ||
| + | #!/bin/bash | ||
| + | # | ||
| + | # Author: b3ll3roph0n <b3ll3roph0n@gmx.net>, 2007 | ||
| + | # based on SuSE10's boot.crypto script by Werner Fink <werner@suse.de> | ||
| + | # | ||
| + | # /etc/init.d/boot.cryptdisks | ||
| + | # | ||
| + | ### BEGIN INIT INFO | ||
| + | # Provides: boot.cryptdisks | ||
| + | # Required-Start: boot.rootfsck | ||
| + | # Should-Start: boot.md boot.lvm boot.evms $local_fs boot.klog | ||
| + | # Required-Stop: | ||
| + | # Default-Start: B | ||
| + | # Default-Stop: | ||
| + | # Description: Enable LUKS-encrypted file systems before leaving boot phase | ||
| + | ### END INIT INFO | ||
| + | . /etc/rc.status | ||
| + | trap "echo" SIGINT SIGSEGV | ||
| + | set +e | ||
| + | # redirect to real device (e.g. in case of boot logging) | ||
| + | : ${CRYPTTAB:=/etc/crypttab} | ||
| + | : ${TIMEOUT:=120} | ||
| + | if test -z "$REDIRECT" ; then | ||
| + | if (echo -n > /dev/tty) 2>/dev/null ; then | ||
| + | REDIRECT=/dev/tty; | ||
| + | else | ||
| + | REDIRECT=/dev/console; | ||
| + | fi; | ||
| + | fi; | ||
| + | test -s $CRYPTTAB || exit 0 | ||
| + | type -p cryptsetup &> /dev/null || exit 0 | ||
| + | splash=""; | ||
| + | redirect () { | ||
| + | if test -e /proc/splash ; then | ||
| + | read splash < /proc/splash; | ||
| + | echo verbose > /proc/splash; | ||
| + | fi; | ||
| + | otty=$(stty -g); | ||
| + | stty $otty < $REDIRECT; | ||
| + | stty -nl -ixon ignbrk -brkint < $REDIRECT; | ||
| + | if test -x /etc/init.d/kbd -a -n "$RUNLEVEL" ; then | ||
| + | /etc/init.d/kbd start < $REDIRECT > $REDIRECT 2>&1; | ||
| + | fi; | ||
| + | }; | ||
| + | restore () { | ||
| + | stty $otty < $REDIRECT; | ||
| + | [[ "$splash" =~ silent ]] && echo silent > /proc/splash; | ||
| + | }; | ||
| + | ppid=0; | ||
| + | prmt=""; | ||
| + | setprompt () { | ||
| + | if test -t 1 -a "$TERM" != "raw" -a "$TERM" != "dumb" && stty size <&1 > /dev/null 2>&1 | ||
| + | then | ||
| + | ( | ||
| + | trap "exit 0" SIGTERM; | ||
| + | trap "echo" SIGINT SIGSEGV; | ||
| + | usleep 10000; | ||
| + | while test $TIMEOUT -gt 0 ; do | ||
| + | echo -en "\r${prmt}"; | ||
| + | sleep 2; | ||
| + | : $((TIMEOUT-=2)); | ||
| + | done; | ||
| + | ) & ppid=$!; | ||
| + | else | ||
| + | usleep 10000; | ||
| + | echo -en "\r${prmt}"; | ||
| + | ppid=0; | ||
| + | fi; | ||
| + | }; | ||
| + | unsetprompt () { | ||
| + | local ret=$?; | ||
| + | test $ppid -gt 0 && kill -15 $ppid; | ||
| + | ppid=0; | ||
| + | return $ret; | ||
| + | }; | ||
| + | |||
| + | rc_reset | ||
| + | main_status=0; | ||
| + | |||
| + | case "$1" in | ||
| + | start|b) | ||
| + | redirect; | ||
| + | |||
| + | # loading modules | ||
| + | modprobe -q aes; | ||
| + | modprobe -q dm-crypt; | ||
| + | rc_status | ||
| + | test $? -ne 0 && continue; | ||
| + | |||
| + | echo "Activating crypto devices using $CRYPTTAB ... "; | ||
| + | while read cryptname physdev mountp filesys crypto copts keyfile ; do | ||
| + | |||
| + | case "$cryptname" in | ||
| + | \#*|"") continue ;; | ||
| + | esac; | ||
| + | |||
| + | rc_status | ||
| + | if test $? -gt 0 ; then | ||
| + | main_status=1; | ||
| + | fi; | ||
| + | rc_reset | ||
| + | doskip=0; | ||
| + | |||
| + | # does the device exit? | ||
| + | test -b $physdev; | ||
| + | if test $? -ne 0 ; then | ||
| + | echo "${extd}${physdev}: No such device${norm}"; | ||
| + | continue; | ||
| + | fi; | ||
| + | |||
| + | # does the mount point exit? | ||
| + | if [ $filesys != "swap" ]; then | ||
| + | test -d $mountp; | ||
| + | rc_status | ||
| + | if test $? -ne 0 ; then | ||
| + | echo "${extd}${mountp}: No such directory${norm}"; | ||
| + | continue; | ||
| + | fi; | ||
| + | fi; | ||
| + | |||
| + | while true; do | ||
| + | |||
| + | # restore virgin state | ||
| + | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
| + | cryptsetup luksClose $cryptname &> /dev/null || true | ||
| + | else | ||
| + | cryptsetup remove $cryptname &> /dev/null || true | ||
| + | fi; | ||
| + | |||
| + | # open encrypted device | ||
| + | if [ $filesys == "swap" ]; then | ||
| + | cryptsetup --cipher=$crypto -h $copts --key-file=$keyfile create $cryptname $physdev &>/dev/null; | ||
| + | break; | ||
| + | else | ||
| + | if [ ${keyfile:0:1} = "/" -a -s $keyfile ]; then | ||
| + | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
| + | cryptsetup --key-file=$keyfile luksOpen $physdev $cryptname &>/dev/null; | ||
| + | else | ||
| + | cryptsetup --cipher=$crypto --key-file=$keyfile --key-size=$copts create $cryptname $physdev &>/dev/null; | ||
| + | fi; | ||
| + | else | ||
| + | prmt="${extd}Please enter passphrase for $physdev: ${norm}"; | ||
| + | setprompt; | ||
| + | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
| + | cryptsetup --timeout=$TIMEOUT luksOpen $physdev $cryptname < $REDIRECT > $REDIRECT 2>&1 | ||
| + | else | ||
| + | cryptsetup --timeout=$TIMEOUT --cipher=$crypto --key-size=$copts create $cryptname $physdev < $REDIRECT > $REDIRECT 2>&1 | ||
| + | fi; | ||
| + | unsetprompt; | ||
| + | fi; | ||
| + | rc_status | ||
| + | test $? -ne 0 && continue 2; | ||
| + | # check if we've success | ||
| + | if mount -t $filesys -n -o ro /dev/mapper/$cryptname $mountp &> /dev/null ; then | ||
| + | umount -n $mountp &> /dev/null || true | ||
| + | break | ||
| + | else | ||
| + | umount -n $mountp &> /dev/null || true | ||
| + | echo "${warn}An error occured. Maybe the wrong passphrase was"; | ||
| + | echo "entered or the file system on $physdev is corrupted.${norm}"; | ||
| + | while true ; do | ||
| + | echo "${extd}Do you want to retry entering the passphrase or${norm}"; | ||
| + | echo -n "${extd}do you want to continue with a file system check?${norm}"; | ||
| + | read -p " ([${extd}yes${norm}]/${extd}no${norm}/${extd}check${norm}/) " prolo < $REDIRECT | ||
| + | case "$prolo" in | ||
| + | [yY][eE][sS]|[yY]|"") | ||
| + | continue 2 ;; | ||
| + | [nN][oO]|[nN]) | ||
| + | doskip=1; | ||
| + | break 2 ;; | ||
| + | [Cc][hH][eE][Cc][kK]|[Cc]) | ||
| + | break 2 ;; | ||
| + | esac; | ||
| + | done; | ||
| + | fi; | ||
| + | break; | ||
| + | fi; | ||
| + | done; | ||
| + | |||
| + | # does the user have skipped this entry? | ||
| + | if test $doskip -gt 0 ; then | ||
| + | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
| + | cryptsetup luksClose $cryptname &> /dev/null || true | ||
| + | else | ||
| + | cryptsetup remove $cryptname &> /dev/null || true | ||
| + | fi; | ||
| + | continue; | ||
| + | fi; | ||
| + | |||
| + | # check for valid super blocks | ||
| + | case "$filesys" in | ||
| + | ext2) tune2fs -l /dev/mapper/$cryptname &> /dev/null ;; | ||
| + | reiserfs) debugreiserfs /dev/mapper/$cryptname &> /dev/null ;; | ||
| + | swap) mkswap /dev/mapper/$cryptname &> /dev/null ;; | ||
| + | *) true ;; | ||
| + | esac; | ||
| + | rc_status | ||
| + | if test $? -gt 0 ; then | ||
| + | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
| + | cryptsetup luksClose $cryptname &> /dev/null || true | ||
| + | else | ||
| + | cryptsetup remove $cryptname &> /dev/null || true | ||
| + | fi; | ||
| + | continue; | ||
| + | fi; | ||
| + | |||
| + | # checking the structure on the loop device | ||
| + | if [ $filesys != "swap" ]; then | ||
| + | fsck -a -t $filesys /dev/mapper/$cryptname; | ||
| + | FSCK_RETURN=$?; | ||
| + | else | ||
| + | FSCK_RETURN=0; | ||
| + | fi; | ||
| + | test $FSCK_RETURN -lt 2; | ||
| + | rc_status | ||
| + | if test $FSCK_RETURN -gt 1; then | ||
| + | echo "fsck of /dev/mapper/$cryptname failed. Please repair manually."; | ||
| + | echo "${warn}Warning: do never try to repair if you have entered the wrong passphrase.${norm}"; | ||
| + | PS1="(repair filesystem) # "; | ||
| + | /sbin/sulogin $REDIRECT < $REDIRECT > $REDIRECT 2>&1 | ||
| + | sync; | ||
| + | fi; | ||
| + | |||
| + | # Mounting device to mount point | ||
| + | if [ $filesys == "swap" ]; then | ||
| + | swapon /dev/mapper/$cryptname; | ||
| + | else | ||
| + | mount -t $filesys /dev/mapper/$cryptname $mountp; | ||
| + | fi; | ||
| + | rc_status | ||
| + | |||
| + | done < $CRYPTTAB | ||
| + | test $main_status -gt 0 && rc_failed 1 || true | ||
| + | rc_status -v1 | ||
| + | restore | ||
| + | ;; | ||
| + | stop) | ||
| + | reverse () { | ||
| + | local _line | ||
| + | while read -r _line ; do | ||
| + | case "$_line" in | ||
| + | \#*|"") continue ;; | ||
| + | esac; | ||
| + | reverse; | ||
| + | echo "$_line"; | ||
| + | break; | ||
| + | done; | ||
| + | }; | ||
| + | echo "Turning off crypto devices using $CRYPTTAB ... " | ||
| + | while read cryptname physdev mountp filesys crypto copts keyfile ; do | ||
| + | |||
| + | case "$cryptname" in | ||
| + | \#*|"") continue ;; | ||
| + | esac; | ||
| + | |||
| + | rc_status | ||
| + | if test $? -gt 0 ; then | ||
| + | main_status=1; | ||
| + | fi; | ||
| + | rc_reset | ||
| + | |||
| + | # umount device | ||
| + | if [ $filesys == "swap" ]; then | ||
| + | swapoff /dev/mapper/$cryptname; | ||
| + | else | ||
| + | if [ `cat /proc/mounts | grep /dev/mapper/$cryptname | wc -l` -gt 0 ]; then | ||
| + | umount /dev/mapper/$cryptname; | ||
| + | fi; | ||
| + | fi; | ||
| + | rc_status | ||
| + | |||
| + | # close device | ||
| + | if [ -e /dev/mapper/$cryptname ]; then | ||
| + | if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then | ||
| + | cryptsetup luksClose $cryptname &> /dev/null || true | ||
| + | else | ||
| + | cryptsetup remove $cryptname &> /dev/null || true | ||
| + | fi; | ||
| + | rc_status | ||
| + | fi; | ||
| + | |||
| + | done < <(reverse < $CRYPTTAB) | ||
| + | test $main_status -gt 0 && rc_failed 1 || true | ||
| + | rc_status -v1 | ||
| + | ;; | ||
| + | status) | ||
| + | rc_failed 4 | ||
| + | rc_status -v | ||
| + | ;; | ||
| + | restart) | ||
| + | $0 stop | ||
| + | $0 start | ||
| + | rc_status | ||
| + | ;; | ||
| + | *) | ||
| + | echo "Usage: $0 {start|stop|status|restart}" | ||
| + | exit 1 | ||
| + | ;; | ||
| + | esac; | ||
| + | |||
| + | rc_exit | ||
| + | |||
| + | # End of file | ||
</pre> | </pre> | ||
<br/><br/> | <br/><br/> | ||
| + | |||
[[Shellscripte|Zurück zu den Shellscripten]]<br/> | [[Shellscripte|Zurück zu den Shellscripten]]<br/> | ||
| − | [[ | + | [[Security | Zurück zu Security]]<br /> |
| + | [[Category:Security]] | ||
[[Category:Konsole]] | [[Category:Konsole]] | ||
[[Kategorie:Scripte]] | [[Kategorie:Scripte]] | ||
Aktuelle Version vom 29. April 2007, 13:48 Uhr
Bootscript zum Einbinden von dm-crypt/LUKS-Partitionen unter openSUSE
Ein Bootscript um mit cryptsetup (inklusive LUKS-Erweiterung) verschlüsselte Partitionen beim Systemstart von openSUSE einzubinden.
Eine ausführliche Beschreibung findet sich hier: Verschlüsselung: dm-crypt/luks unter openSUSE
#!/bin/bash
#
# Author: b3ll3roph0n <b3ll3roph0n@gmx.net>, 2007
# based on SuSE10's boot.crypto script by Werner Fink <werner@suse.de>
#
# /etc/init.d/boot.cryptdisks
#
### BEGIN INIT INFO
# Provides: boot.cryptdisks
# Required-Start: boot.rootfsck
# Should-Start: boot.md boot.lvm boot.evms $local_fs boot.klog
# Required-Stop:
# Default-Start: B
# Default-Stop:
# Description: Enable LUKS-encrypted file systems before leaving boot phase
### END INIT INFO
. /etc/rc.status
trap "echo" SIGINT SIGSEGV
set +e
# redirect to real device (e.g. in case of boot logging)
: ${CRYPTTAB:=/etc/crypttab}
: ${TIMEOUT:=120}
if test -z "$REDIRECT" ; then
if (echo -n > /dev/tty) 2>/dev/null ; then
REDIRECT=/dev/tty;
else
REDIRECT=/dev/console;
fi;
fi;
test -s $CRYPTTAB || exit 0
type -p cryptsetup &> /dev/null || exit 0
splash="";
redirect () {
if test -e /proc/splash ; then
read splash < /proc/splash;
echo verbose > /proc/splash;
fi;
otty=$(stty -g);
stty $otty < $REDIRECT;
stty -nl -ixon ignbrk -brkint < $REDIRECT;
if test -x /etc/init.d/kbd -a -n "$RUNLEVEL" ; then
/etc/init.d/kbd start < $REDIRECT > $REDIRECT 2>&1;
fi;
};
restore () {
stty $otty < $REDIRECT;
[[ "$splash" =~ silent ]] && echo silent > /proc/splash;
};
ppid=0;
prmt="";
setprompt () {
if test -t 1 -a "$TERM" != "raw" -a "$TERM" != "dumb" && stty size <&1 > /dev/null 2>&1
then
(
trap "exit 0" SIGTERM;
trap "echo" SIGINT SIGSEGV;
usleep 10000;
while test $TIMEOUT -gt 0 ; do
echo -en "\r${prmt}";
sleep 2;
: $((TIMEOUT-=2));
done;
) & ppid=$!;
else
usleep 10000;
echo -en "\r${prmt}";
ppid=0;
fi;
};
unsetprompt () {
local ret=$?;
test $ppid -gt 0 && kill -15 $ppid;
ppid=0;
return $ret;
};
rc_reset
main_status=0;
case "$1" in
start|b)
redirect;
# loading modules
modprobe -q aes;
modprobe -q dm-crypt;
rc_status
test $? -ne 0 && continue;
echo "Activating crypto devices using $CRYPTTAB ... ";
while read cryptname physdev mountp filesys crypto copts keyfile ; do
case "$cryptname" in
\#*|"") continue ;;
esac;
rc_status
if test $? -gt 0 ; then
main_status=1;
fi;
rc_reset
doskip=0;
# does the device exit?
test -b $physdev;
if test $? -ne 0 ; then
echo "${extd}${physdev}: No such device${norm}";
continue;
fi;
# does the mount point exit?
if [ $filesys != "swap" ]; then
test -d $mountp;
rc_status
if test $? -ne 0 ; then
echo "${extd}${mountp}: No such directory${norm}";
continue;
fi;
fi;
while true; do
# restore virgin state
if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then
cryptsetup luksClose $cryptname &> /dev/null || true
else
cryptsetup remove $cryptname &> /dev/null || true
fi;
# open encrypted device
if [ $filesys == "swap" ]; then
cryptsetup --cipher=$crypto -h $copts --key-file=$keyfile create $cryptname $physdev &>/dev/null;
break;
else
if [ ${keyfile:0:1} = "/" -a -s $keyfile ]; then
if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then
cryptsetup --key-file=$keyfile luksOpen $physdev $cryptname &>/dev/null;
else
cryptsetup --cipher=$crypto --key-file=$keyfile --key-size=$copts create $cryptname $physdev &>/dev/null;
fi;
else
prmt="${extd}Please enter passphrase for $physdev: ${norm}";
setprompt;
if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then
cryptsetup --timeout=$TIMEOUT luksOpen $physdev $cryptname < $REDIRECT > $REDIRECT 2>&1
else
cryptsetup --timeout=$TIMEOUT --cipher=$crypto --key-size=$copts create $cryptname $physdev < $REDIRECT > $REDIRECT 2>&1
fi;
unsetprompt;
fi;
rc_status
test $? -ne 0 && continue 2;
# check if we've success
if mount -t $filesys -n -o ro /dev/mapper/$cryptname $mountp &> /dev/null ; then
umount -n $mountp &> /dev/null || true
break
else
umount -n $mountp &> /dev/null || true
echo "${warn}An error occured. Maybe the wrong passphrase was";
echo "entered or the file system on $physdev is corrupted.${norm}";
while true ; do
echo "${extd}Do you want to retry entering the passphrase or${norm}";
echo -n "${extd}do you want to continue with a file system check?${norm}";
read -p " ([${extd}yes${norm}]/${extd}no${norm}/${extd}check${norm}/) " prolo < $REDIRECT
case "$prolo" in
[yY][eE][sS]|[yY]|"")
continue 2 ;;
[nN][oO]|[nN])
doskip=1;
break 2 ;;
[Cc][hH][eE][Cc][kK]|[Cc])
break 2 ;;
esac;
done;
fi;
break;
fi;
done;
# does the user have skipped this entry?
if test $doskip -gt 0 ; then
if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then
cryptsetup luksClose $cryptname &> /dev/null || true
else
cryptsetup remove $cryptname &> /dev/null || true
fi;
continue;
fi;
# check for valid super blocks
case "$filesys" in
ext2) tune2fs -l /dev/mapper/$cryptname &> /dev/null ;;
reiserfs) debugreiserfs /dev/mapper/$cryptname &> /dev/null ;;
swap) mkswap /dev/mapper/$cryptname &> /dev/null ;;
*) true ;;
esac;
rc_status
if test $? -gt 0 ; then
if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then
cryptsetup luksClose $cryptname &> /dev/null || true
else
cryptsetup remove $cryptname &> /dev/null || true
fi;
continue;
fi;
# checking the structure on the loop device
if [ $filesys != "swap" ]; then
fsck -a -t $filesys /dev/mapper/$cryptname;
FSCK_RETURN=$?;
else
FSCK_RETURN=0;
fi;
test $FSCK_RETURN -lt 2;
rc_status
if test $FSCK_RETURN -gt 1; then
echo "fsck of /dev/mapper/$cryptname failed. Please repair manually.";
echo "${warn}Warning: do never try to repair if you have entered the wrong passphrase.${norm}";
PS1="(repair filesystem) # ";
/sbin/sulogin $REDIRECT < $REDIRECT > $REDIRECT 2>&1
sync;
fi;
# Mounting device to mount point
if [ $filesys == "swap" ]; then
swapon /dev/mapper/$cryptname;
else
mount -t $filesys /dev/mapper/$cryptname $mountp;
fi;
rc_status
done < $CRYPTTAB
test $main_status -gt 0 && rc_failed 1 || true
rc_status -v1
restore
;;
stop)
reverse () {
local _line
while read -r _line ; do
case "$_line" in
\#*|"") continue ;;
esac;
reverse;
echo "$_line";
break;
done;
};
echo "Turning off crypto devices using $CRYPTTAB ... "
while read cryptname physdev mountp filesys crypto copts keyfile ; do
case "$cryptname" in
\#*|"") continue ;;
esac;
rc_status
if test $? -gt 0 ; then
main_status=1;
fi;
rc_reset
# umount device
if [ $filesys == "swap" ]; then
swapoff /dev/mapper/$cryptname;
else
if [ `cat /proc/mounts | grep /dev/mapper/$cryptname | wc -l` -gt 0 ]; then
umount /dev/mapper/$cryptname;
fi;
fi;
rc_status
# close device
if [ -e /dev/mapper/$cryptname ]; then
if $(/sbin/cryptsetup isLuks $physdev 2>/dev/null); then
cryptsetup luksClose $cryptname &> /dev/null || true
else
cryptsetup remove $cryptname &> /dev/null || true
fi;
rc_status
fi;
done < <(reverse < $CRYPTTAB)
test $main_status -gt 0 && rc_failed 1 || true
rc_status -v1
;;
status)
rc_failed 4
rc_status -v
;;
restart)
$0 stop
$0 start
rc_status
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
exit 1
;;
esac;
rc_exit
# End of file
