REENC_DEV=$(echo $REENC | sed 's/:.*//')
REENC_SIZE=$(echo $REENC | sed -n 's/.*://p')
+REENC_KEY=$(getargs rd_REENCRYPT_KEY=)
+if [ -z "$REENC_KEY" ] ; then
+ REENC_KEY=none
+fi
+
if [ -n "$REENC_DEV" ] ; then
{
printf 'SUBSYSTEM!="block", GOTO="reenc_end"\n'
printf 'KERNEL!="%s", GOTO="reenc_end"\n' $REENC_DEV
printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \
--unique --onetime --name crypt-reencrypt-%%k \
- /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_SIZE"
+ /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_KEY $REENC_SIZE"
printf 'LABEL="reenc_end"\n'
} > /etc/udev/rules.d/69-reencryption.rules
fi
#!/bin/sh
+#
+# $1=$device [$2=keyfile|none [$3=size]]
+#
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
fi
PARAMS="$device -T 1 --use-fsync -B 32"
-if [ -n "$2" ]; then
- PARAMS="$PARAMS --device-size $2"
+if [ -n "$3" ]; then
+ PARAMS="$PARAMS --device-size $3"
fi
+reenc_readkey() {
+ local keypath="${1#*:}"
+ local keydev="${1%%:*}"
+
+ local mntp=$(mkuniqdir /mnt keydev)
+ mount -r "$keydev" "$mntp" || return
+ cat "$mntp/$keypath"
+ umount "$mntp"
+ rmdir "$mntp"
+}
+
+reenc_run() {
+ local cwd=$(pwd)
+ cd /tmp
+ if [ "$1" = "none" ] ; then
+ /bin/plymouth ask-for-password \
+ --prompt "LUKS password for REENCRYPTING $device" \
+ --command="/sbin/cryptsetup-reencrypt $PARAMS"
+ else
+ info "REENCRYPT using key $1"
+ reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
+ fi
+ cd $cwd
+}
+
info "REENCRYPT $device requested"
# flock against other interactive activities
{ flock -s 9;
- CURR=$(pwd)
- cd /tmp
- /bin/plymouth ask-for-password --prompt "LUKS password for REENCRYPTING $device" \
- --command="/sbin/cryptsetup-reencrypt $PARAMS"
- cd $CURR
+ reenc_run $2
} 9>/.console.lock
# do not ask again
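Review bot: A failed key read is invisible in reenc_run: the pipeline `reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS` yields only cryptsetup-reencrypt's status (this is `/bin/sh`, so no pipefail), and reenc_readkey itself ends with `rmdir`, so a missing `$mntp/$keypath` makes the function succeed with empty output and the operation surfaces only as a generic unlock failure on an empty key. On the `mount ... || return` path the mkuniqdir directory is also left behind, and `local mntp=$(mkuniqdir /mnt keydev)` masks a mkuniqdir failure. Propagating cat's status and cleaning up on mount failure makes the error attributable; because a pipeline still hides it, the caller would presumably need to check reenc_readkey before handing the key on (e.g. run it first into a checked temp file) — worth confirming which is acceptable here. Quoting `reenc_run "$2"` and `cd "$cwd"` would also match the rest of the script; the script continues past this hunk.
```shell
reenc_readkey() {
    local keypath="${1#*:}"
    local keydev="${1%%:*}"
    local mntp rc=0

    mntp=$(mkuniqdir /mnt keydev) || return
    mount -r "$keydev" "$mntp" || { rmdir "$mntp"; return 1; }
    cat "$mntp/$keypath" || rc=$?
    umount "$mntp"
    rmdir "$mntp"
    return $rc
}
# … unchanged: reenc_run, flock block …
```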