Showing
7 changed files
with
183 additions
and
0 deletions.
@@ -0,0 +1,17 @@ | ||
#https://github.com/johnshearing/MyEtherWalletOffline/blob/master/Air-Gap_Setup.md#setup-luks-full-disk-encryption | ||
#https://robpol86.com/raspberry_pi_luks.html | ||
#https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile | ||
|
||
#sudo cp -R ~/install/ /boot/ | ||
|
||
# Make sure only root can run our script | ||
if [ "$(id -u)" != "0" ]; then | ||
echo "This script must be run as root" 1>&2 | ||
exit 1 | ||
fi | ||
|
||
apt-get update | ||
apt-get upgrade -y | ||
#sudo rpi-update | ||
echo "Done. Reboot with: sudo reboot" | ||
#reboot #needed to load new kernel |
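Review bot: The script has no shebang and no `set -e`, so when `apt-get update` fails (no network, unreachable mirror) `apt-get upgrade -y` still runs against the stale package index and "Done." is printed as if everything succeeded. Put `#!/bin/sh` and `set -e` at the top, or chain the two steps as `apt-get update && apt-get upgrade -y`. The second new script in this commit has the same gap.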
@@ -0,0 +1,42 @@ | ||
#https://github.com/johnshearing/MyEtherWalletOffline/blob/master/Air-Gap_Setup.md#setup-luks-full-disk-encryption | ||
#https://robpol86.com/raspberry_pi_luks.html | ||
#https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile | ||
|
||
# Make sure only root can run our script | ||
if [ "$(id -u)" != "0" ]; then | ||
echo "This script must be run as root" 1>&2 | ||
exit 1 | ||
fi | ||
|
||
apt-get install busybox cryptsetup initramfs-tools -y | ||
apt-get install expect --no-install-recommends -y | ||
cp /boot/install/initramfs-rebuild /etc/kernel/postinst.d/initramfs-rebuild | ||
cp /boot/install/resize2fs /etc/initramfs-tools/hooks/resize2fs | ||
chmod +x /etc/kernel/postinst.d/initramfs-rebuild | ||
chmod +x /etc/initramfs-tools/hooks/resize2fs | ||
|
||
#Get UUID of /dev/mmcblk0p2 | ||
#blkid | sed -n '/dev\/mmcblk0p2/s/.*\ UUID=\"\([^\"]*\)\".*/\1/p' | ||
#change fstab from PARTUUID=XXXXXXXX-XX to the result of the command | ||
|
||
#sudo -E CRYPTSETUP=y mkinitramfs -o /boot/initramfs.gz | ||
echo 'CRYPTSETUP=y' | tee --append /etc/cryptsetup-initramfs/conf-hook > /dev/null | ||
mkinitramfs -o /boot/initramfs.gz | ||
|
||
lsinitramfs /boot/initramfs.gz | grep -P "sbin/(cryptsetup|resize2fs|fdisk|dumpe2fs|expect)" | ||
#Make sure you see sbin/resize2fs, sbin/cryptsetup, and sbin/fdisk in the output. | ||
|
||
echo 'initramfs initramfs.gz followkernel' | tee --append /boot/config.txt > /dev/null | ||
|
||
sed -i '$s/$/ cryptdevice=\/dev\/mmcblk0p2:sdcard/' /boot/cmdline.txt | ||
|
||
ROOT_CMD="$(sed -n 's|^.*root=\(\S\+\)\s.*|\1|p' /boot/cmdline.txt)" | ||
sed -i -e "s|$ROOT_CMD|/dev/mapper/sdcard|g" /boot/cmdline.txt | ||
|
||
FSTAB_CMD="$(blkid | sed -n '/dev\/mmcblk0p2/s/.*\ PARTUUID=\"\([^\"]*\)\".*/\1/p')" | ||
sed -i -e "s|PARTUUID=$FSTAB_CMD|/dev/mapper/sdcard|g" /etc/fstab | ||
|
||
echo 'sdcard /dev/mmcblk0p2 none luks' | tee --append /etc/crypttab > /dev/null | ||
|
||
echo "Done. Reboot with: sudo reboot" | ||
#reboot |
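Review bot: Neither `ROOT_CMD` nor `FSTAB_CMD` is checked before it is spliced into a sed pattern; if `blkid` prints no PARTUUID for /dev/mmcblk0p2 the /etc/fstab command becomes `s|PARTUUID=|/dev/mapper/sdcard|g`, which rewrites every PARTUUID= entry including the boot partition's, and an empty `$ROOT_CMD` hands sed an empty regex. Guard both right after the assignments: `[ -n "$ROOT_CMD" ] || { echo "root= not found in /boot/cmdline.txt" >&2; exit 1; }` and `[ -n "$FSTAB_CMD" ] || { echo "no PARTUUID found for /dev/mmcblk0p2" >&2; exit 1; }`. The three `tee --append` lines (conf-hook, config.txt, crypttab) and the `sed '$s/$/ cryptdevice=...'` edit also append again on every run, so a `grep -q ... ||` in front of each would make the script safe to re-run. Without a shebang and `set -e`, a failed `apt-get install` or `mkinitramfs` does not stop the later boot-configuration edits, leaving the system pointed at an initramfs that was never built.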
@@ -0,0 +1,38 @@ | ||
#!/bin/sh | ||
|
||
#mkdir /tmp/boot | ||
#mount /dev/mmcblk0p1 /tmp/boot/ | ||
#/tmp/boot/install/3.disk_encrypt_initramfs.sh | ||
|
||
e2fsck -f /dev/mmcblk0p2 | ||
resize2fs -fM /dev/mmcblk0p2 | ||
|
||
#mkdir /tmp/sdcard | ||
#mount -o ro /dev/mmcblk0p2 /tmp/sdcard | ||
#BLOCK_COUNT="$(/tmp/sdcard/sbin/dumpe2fs /dev/mmcblk0p2 | sed "s/ //g" | sed -n "/Blockcount:/p" | cut -d ":" -f 2)" | ||
#umount /tmp/sdcard | ||
BLOCK_COUNT="$(dumpe2fs /dev/mmcblk0p2 | sed "s/ //g" | sed -n "/Blockcount:/p" | cut -d ":" -f 2)" | ||
echo "Block count: $BLOCK_COUNT" | ||
SHA1SUM_ROOT="$(dd bs=4k count=$BLOCK_COUNT if=/dev/mmcblk0p2 | sha1sum)" | ||
dd bs=4k count=$BLOCK_COUNT if=/dev/mmcblk0p2 of=/dev/sda | ||
SHA1SUM_EXT="$(dd bs=4k count=$BLOCK_COUNT if=/dev/sda | sha1sum)" | ||
|
||
if [ "$SHA1SUM_ROOT" == "$SHA1SUM_EXT" ]; then | ||
echo "1.Sha1sums match." | ||
cryptsetup --cipher aes-cbc-essiv:sha256 luksFormat /dev/mmcblk0p2 | ||
cryptsetup luksOpen /dev/mmcblk0p2 sdcard | ||
dd bs=4k count=$BLOCK_COUNT if=/dev/sda of=/dev/mapper/sdcard | ||
SHA1SUM_NEWROOT="$(dd bs=4k count=1516179 if=/dev/mapper/sdcard | sha1sum)" | ||
if [ "$SHA1SUM_ROOT" == "$SHA1SUM_EXT" ]; then | ||
echo "2.Sha1sums match." | ||
e2fsck -f /dev/mapper/sdcard | ||
resize2fs -f /dev/mapper/sdcard | ||
echo "Done. Reboot and rebuild initramfs." | ||
#poweroff -f | ||
#reboot -f | ||
else | ||
echo "2.Sha1sums error." | ||
fi | ||
else | ||
echo "1.Sha1sums error." | ||
fi |
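Review bot: The second integrity check never looks at the re-encrypted root: the inner `if` compares `$SHA1SUM_ROOT` with `$SHA1SUM_EXT` again, and the value it should compare against is computed with a hard-coded `count=1516179` instead of `$BLOCK_COUNT`, so "2.Sha1sums match." is reported and e2fsck/resize2fs run without the copy into /dev/mapper/sdcard ever being verified. Change the two lines to `SHA1SUM_NEWROOT="$(dd bs=4k count=$BLOCK_COUNT if=/dev/mapper/sdcard | sha1sum)"` and `if [ "$SHA1SUM_ROOT" = "$SHA1SUM_NEWROOT" ]; then`. `==` inside `[ ]` is not POSIX and dash rejects it, so the outer test on the earlier line should use `=` as well. `bs=4k` assumes a 4 KiB filesystem block size; reading `Block size:` from the same dumpe2fs output would make the copy length correct for any ext4 layout. Separately, `--cipher aes-cbc-essiv:sha256` selects a legacy CBC mode; cryptsetup's default `aes-xts-plain64` is the better choice unless the cryptsetup shipped in this initramfs cannot handle it.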
@@ -0,0 +1,8 @@ | ||
#!/bin/sh | ||
|
||
#mkdir /tmp/boot | ||
#mount /dev/mmcblk0p1 /tmp/boot/ | ||
#/tmp/boot/install/4.rebuild_initram.sh | ||
|
||
cryptsetup luksOpen /dev/mmcblk0p2 sdcard | ||
exit |
@@ -0,0 +1,5 @@ | ||
#!/bin/sh | ||
|
||
sudo mkinitramfs -o /boot/initramfs.gz | ||
lsinitramfs /boot/initramfs.gz |grep -P "sbin/(cryptsetup|resize2fs|fdisk|dumpe2fs|expect)" | ||
#sudo reboot |
@@ -0,0 +1,35 @@ | ||
#!/bin/sh -e | ||
|
||
# Rebuild initramfs.gz after kernel upgrade to include new kernel's modules. | ||
# https://github.com/Robpol86/robpol86.com/blob/master/docs/_static/initramfs-rebuild.sh | ||
# Save as (chmod +x): /etc/kernel/postinst.d/initramfs-rebuild | ||
|
||
# Remove splash from cmdline. | ||
if grep -q '\bsplash\b' /boot/cmdline.txt; then | ||
sed -i 's/ \?splash \?/ /' /boot/cmdline.txt | ||
fi | ||
|
||
# Exit if not building kernel for this Raspberry Pi's hardware version. | ||
version="$1" | ||
current_version="$(uname -r)" | ||
case "${current_version}" in | ||
*-v7+) | ||
case "${version}" in | ||
*-v7+) ;; | ||
*) exit 0 | ||
esac | ||
;; | ||
*+) | ||
case "${version}" in | ||
*-v7+) exit 0 ;; | ||
esac | ||
;; | ||
esac | ||
|
||
# Exit if rebuild cannot be performed or not needed. | ||
[ -x /usr/sbin/mkinitramfs ] || exit 0 | ||
[ -f /boot/initramfs.gz ] || exit 0 | ||
lsinitramfs /boot/initramfs.gz |grep -q "/$version$" && exit 0 # Already in initramfs. | ||
|
||
# Rebuild. | ||
mkinitramfs -o /boot/initramfs.gz "$version" |
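Review bot: `version="$1"` is never checked for emptiness, so when the hook is run by hand without an argument the "already in initramfs" test degrades to `grep -q "/$"` and the final `mkinitramfs -o /boot/initramfs.gz ""` is invoked with an empty version. Add `[ -n "$version" ] || exit 0` directly after the assignment, which also keeps the later unescaped use of `$version` inside a grep regex from matching arbitrary lines. The `\?` in the splash-stripping sed expression is a GNU extension, fine for Raspbian but worth a comment since the file targets `/bin/sh`.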
@@ -0,0 +1,38 @@ | ||
#!/bin/sh -e | ||
|
||
# Copy resize2fs, fdisk, and other kernel modules into initramfs image. | ||
# https://github.com/Robpol86/robpol86.com/blob/master/docs/_static/resize2fs.sh | ||
# Save as (chmod +x): /etc/initramfs-tools/hooks/resize2fs | ||
|
||
COMPATIBILITY=false # Set to false to skip copying other kernel's modules. | ||
|
||
PREREQ="" | ||
prereqs () { | ||
echo "${PREREQ}" | ||
} | ||
case "${1}" in | ||
prereqs) | ||
prereqs | ||
exit 0 | ||
;; | ||
esac | ||
|
||
. /usr/share/initramfs-tools/hook-functions | ||
|
||
copy_exec /sbin/resize2fs /sbin | ||
copy_exec /sbin/fdisk /sbin | ||
copy_exec /sbin/dumpe2fs /sbin | ||
copy_exec /usr/bin/expect /sbin | ||
cp -R /usr/share/tcltk/* ${DESTDIR}/lib/ | ||
|
||
# Raspberry Pi 1 and 2+3 use different kernels. Include the other. | ||
if ${COMPATIBILITY}; then | ||
case "${version}" in | ||
*-v7+) other_version="$(echo ${version} |sed 's/-v7+$/+/')" ;; | ||
*+) other_version="$(echo ${version} |sed 's/+$/-v7+/')" ;; | ||
*) | ||
echo "Warning: kernel version doesn't end with +, ignoring." | ||
exit 0 | ||
esac | ||
cp -r /lib/modules/${other_version} ${DESTDIR}/lib/modules/ | ||
fi |
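Review bot: `${DESTDIR}` is used unquoted and unchecked on the `cp -R /usr/share/tcltk/*` line and again on the final `cp -r /lib/modules/...`; it is only provided by the mkinitramfs environment, so if the hook is ever executed directly the tcl/tk tree and the module directory are copied into the host's own /lib. Add `: "${DESTDIR:?DESTDIR must be set by mkinitramfs}"` right after sourcing hook-functions and quote the targets as `"${DESTDIR}/lib/"` and `"${DESTDIR}/lib/modules/"`. `${version}` and `${other_version}` should be quoted in the same way, and the comment on the `COMPATIBILITY=false` line reads as if the variable were still true; `# Set to true to also copy the other kernel's modules.` matches the shipped value.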