misc/dracut_90reencrypt/reencrypt.sh

   1 #!/bin/sh
   2 #
   3 # $1=$device [$2=keyfile|none [$3=size]]
   4 #
   5
   6 [ -d /sys/module/dm_crypt ] || modprobe dm_crypt
   7
   8 [ -f /tmp/reencrypted ] && exit 0
   9
  10 . /lib/dracut-lib.sh
  11
  12 # if device name is /dev/dm-X, convert to /dev/mapper/name
  13 if [ "${1##/dev/dm-}" != "$1" ]; then
  14     device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
  15 else
  16     device="$1"
  17 fi
  18
  19 PARAMS="$device -T 1 --use-fsync -B 32"
  20 if [ -n "$3" ]; then
  21     PARAMS="$PARAMS --device-size $3"
  22 fi
  23
  24 reenc_readkey() {
  25     local keypath="${1#*:}"
  26     local keydev="${1%%:*}"
  27
  28     local mntp="/tmp/reencrypted-mount-tmp"
  29     mkdir "$mntp"
  30     mount -r "$keydev" "$mntp" && cat "$mntp/$keypath"
  31     umount "$mntp"
  32     rm -r "$mntp"
  33 }
  34
  35 reenc_run() {
  36     local cwd=$(pwd)
  37     cd /tmp
  38     if [ "$1" = "none" ] ; then
  39         /bin/plymouth ask-for-password \
  40         --prompt "LUKS password for REENCRYPTING $device" \
  41         --command="/sbin/cryptsetup-reencrypt $PARAMS"
  42     else
  43         info "REENCRYPT using key $1"
  44         reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
  45     fi
  46     cd $cwd
  47 }
  48
  49 info "REENCRYPT $device requested"
  50 # flock against other interactive activities
  51 { flock -s 9;
  52     reenc_run $2
  53 } 9>/.console.lock
  54
  55 # do not ask again
  56 >> /tmp/reencrypted
  57
  58 exit 0