# NOTE(review): this listing is an excerpt. The number at the start of each
# line is its line number in the original script; the lines in between
# (else/fi branches, function headers and closers, the assignments of keydev,
# keypath and _ret) are not shown. Comments below cover only what is visible.
3 # $1=$device [$2=keyfile|none [$3=keyslot|any [$4=size]]]
# Load the dm_crypt and loop kernel modules unless /sys/module already lists them.
6 [ -d /sys/module/dm_crypt ] || modprobe dm_crypt
8 [ -d /sys/module/loop ] || modprobe loop
# /tmp/reencrypted is the "already done" marker: when it exists the script
# exits successfully without touching the device again.
10 [ -f /tmp/reencrypted ] && exit 0
14 # if device name is /dev/dm-X, convert to /dev/mapper/name
15 if [ "${1##/dev/dm-}" != "$1" ]; then
16 device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
# PARAMS is built as one flat string and later expanded unquoted (see the
# pipeline that ends in "$PARAMS" and the SC2086 suppressions), so the shell
# word-splits and glob-expands it into the argument list of
# cryptsetup-reencrypt-verbose.
# $device, $3 (keyslot) and $4 (size) are concatenated without any validation
# in the visible lines: a value containing whitespace would become additional
# options to the reencrypt tool.
# NOTE(review): where $1..$4 come from is not shown here. Confirm they are
# checked (keyslot numeric, size in the expected form) before this point.
21 PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
22 if [ "$3" != "any" ]; then
23 PARAMS="$PARAMS -S $3"
27 PARAMS="$PARAMS --device-size $4"
# Key-file reader: presumably the body of reenc_readkey, which is called
# further down; its header and the lines that set keydev/keypath are not shown.
# The key device is mounted read-only (-r) on a fixed path under /tmp, and the
# key file is written to stdout only if the mount succeeded.
# NOTE(review): a fixed name under /tmp is safe only while nothing else can
# create that path first; mktemp -d would remove that assumption.
# NOTE(review): "$keypath" is appended to the mount point as-is, so a value
# containing "../" would resolve outside the mounted key device. TODO confirm
# it is constrained where it is parsed.
34 mntp="/tmp/reencrypted-mount-tmp"
36 mount -r "$keydev" "$mntp" && cat "$mntp/$keypath"
# The two directives below silence ShellCheck's unquoted-expansion (SC2086)
# and unchecked-cd (SC2164) warnings for the command that follows them, which
# is not shown in this excerpt.
41 # shellcheck disable=SC2086
42 # shellcheck disable=SC2164
# Prompt text shown to the operator; it names the device being reencrypted.
45 _prompt="LUKS password for REENCRYPTING $device"
# From here $1 is compared with "none" and $2 with "any", i.e. the positional
# parameters are keyfile and keyslot rather than the script-level $2/$3.
# Presumably this is a function body; confirm against the full file.
# Interactive branch: no key file was given, so plymouth asks for the
# passphrase and runs the string passed in --command. $PARAMS is interpolated
# into that string, so its contents are parsed again as a command line.
48 if [ "$1" = "none" ] ; then
49 if [ "$2" != "any" ]; then
50 _prompt="$_prompt, using keyslot $2"
52 /bin/plymouth ask-for-password \
54 --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS"
# Key-file branch: only the key location argument ($1) is logged here, not the
# key material that reenc_readkey reads from it.
56 info "REENCRYPT using key $1"
# The key is streamed over a pipe and the tool is given "-d -" (presumably
# "read the key file from stdin"; confirm in the wrapper), which keeps the
# key out of the process argument list.
# Unless pipefail is set in lines not shown, the pipeline's status is that of
# the reencrypt tool alone: a failed mount in the reader only shows up as an
# empty key stream.
57 reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS
63 info "REENCRYPT $device requested"
64 # flock against other interactive activities
65 # shellcheck disable=SC2086
# _ret is assigned in lines not shown; 0 is treated as success.
70 if [ $_ret -eq 0 ]; then
# SC2188 is ShellCheck's "redirection without a command" warning. The line it
# applies to is not shown; presumably it creates the /tmp/reencrypted marker
# that is tested near the top of the script. Confirm against the full file.
72 # shellcheck disable=SC2188
# On success: tell the operator to boot with an initramfs that lacks the
# reencrypt module, open an emergency shell, then reboot through systemctl
# and/or shutdown, depending on which of the two is executable.
74 warn "Reencryption of device $device has finished successfully. Use previous"
75 warn "initramfs image (without reencrypt module) to boot the system. When"
76 warn "you leave the emergency shell, the system will reboot."
78 emergency_shell -n "(reboot)"
79 [ -x /usr/bin/systemctl ] && /usr/bin/systemctl reboot
80 [ -x /sbin/shutdown ] && /sbin/shutdown -r now
83 # panic the kernel otherwise