misc/dracut_90reencrypt/reencrypt.sh

   1 #!/bin/sh
   2 #
   3 # $1=$device [$2=keyfile|none [$3=size]]
   4 #
   5
   6 [ -d /sys/module/dm_crypt ] || modprobe dm_crypt
   7
   8 [ -f /tmp/reencrypted ] && exit 0
   9
  10 . /lib/dracut-lib.sh
  11
  12 # if device name is /dev/dm-X, convert to /dev/mapper/name
  13 if [ "${1##/dev/dm-}" != "$1" ]; then
  14     device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
  15 else
  16     device="$1"
  17 fi
  18
  19 PARAMS="$device -T 1 --use-fsync -B 32"
  20 if [ -n "$3" ]; then
  21     PARAMS="$PARAMS --device-size $3"
  22 fi
  23
  24 reenc_readkey() {
  25     local keypath="${1#*:}"
  26     local keydev="${1%%:*}"
  27
  28     local mntp="/tmp/reencrypted-mount-tmp"
  29     mkdir "$mntp"
  30     mount -r "$keydev" "$mntp" || return
  31     cat "$mntp/$keypath"
  32     umount "$mntp"
  33     rmdir "$mntp"
  34 }
  35
  36 reenc_run() {
  37     local cwd=$(pwd)
  38     cd /tmp
  39     if [ "$1" = "none" ] ; then
  40         /bin/plymouth ask-for-password \
  41         --prompt "LUKS password for REENCRYPTING $device" \
  42         --command="/sbin/cryptsetup-reencrypt $PARAMS"
  43     else
  44         info "REENCRYPT using key $1"
  45         reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
  46     fi
  47     cd $cwd
  48 }
  49
  50 info "REENCRYPT $device requested"
  51 # flock against other interactive activities
  52 { flock -s 9;
  53     reenc_run $2
  54 } 9>/.console.lock
  55
  56 # do not ask again
  57 >> /tmp/reencrypted
  58
  59 exit 0