-
Notifications
You must be signed in to change notification settings - Fork 4
/
user-setup-encrypted-swap
executable file
·102 lines (91 loc) · 2.9 KB
/
user-setup-encrypted-swap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
#! /bin/sh
set -e
# Set up encrypted swap using ecryptfs-setup-swap.
#
# This duplicates some code from user-setup-apply, but this is necessary;
# this operation involves disabling swap, can't be done until after the user
# page (normally well after partitioning, but may be before partitioning in
# noninteractive installs), and must be done before the slideshow starts to
# avoid out-of-memory problems.
#
# Fortunately, in some ways it's simpler to use tools in the live filesystem
# to do this!
. /usr/share/debconf/confmodule
db_get user-setup/encrypt-home
[ "$RET" = true ] || exit 0
if [ "$(grep -c "^/" /proc/swaps)" -eq 0 ]; then
# No swap partitions, so we can't and don't need to set up encrypted
# swap.
exit 0
fi
# We must allow partitioning to finish before we continue. Unfortunately
# there is currently no hook that will reliably run after both the user page
# and partitioning, and the parallel questions arrangement makes it hard to
# construct one, so for now we have to poll.
while pidof -x ubiquity >/dev/null && \
[ ! -e /var/lib/ubiquity/started-installing ]; do
sleep 2
done
if ! pidof -x ubiquity; then
exit 0
fi
for module in aes cbc ecb; do
modprobe -q "$module" || true
done
apt-install ecryptfs-utils 2>/dev/null
apt-install cryptsetup 2>/dev/null
# Temporarily make sure that /etc/fstab and /etc/crypttab match the target
# system.
ln -f /etc/fstab /etc/fstab.ubiquity
if [ -e /etc/crypttab ]; then
ln -f /etc/crypttab /etc/crypttab.ubiquity
else
rm -f /etc/crypttab.ubiquity
fi
cleanup () {
mv /etc/fstab.ubiquity /etc/fstab
if [ -e /etc/crypttab.ubiquity ]; then
mv /etc/crypttab.ubiquity /etc/crypttab
else
rm -f /etc/crypttab
fi
}
trap cleanup EXIT
cp -a /target/etc/fstab /etc/fstab
if [ -e /target/etc/crypttab ]; then
cp -a /target/etc/crypttab /etc/crypttab
else
rm -f /etc/crypttab
fi
if ! log-output -t ubiquity ecryptfs-setup-swap -f -n; then
echo "ecryptfs-setup-swap failed." >&2
db_input critical user-setup/encrypt-home-failed || true
db_go || true
exit 0
fi
# Zero out all encrypted swap partitions.
# cryptswap0 /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
# Ideally we would do some kind of progress thing here, but it's not clear
# that we can do that sensibly while on a question page.
while read name device source options; do
if echo "$options" | grep -q "swap"; then
case $device in
LABEL=*|UUID=*)
device="$(blkid -l -o device -t "$device")"
[ "$device" ] || continue
;;
esac
if swapoff $device; then
if [ ! -b $device ]; then
ONE_MEG=$((1024*1024))
size=$(($(stat -c %s ${device})/${ONE_MEG}))
dd if=/dev/zero of=$device bs=${ONE_MEG} count=$size 2>/dev/null || true
else
dd if=/dev/zero of=$device bs=16M 2>/dev/null || true
fi
cryptdisks_start "$name" && swapon "/dev/mapper/$name" || true
fi
fi
done < /etc/crypttab
cp -a /etc/fstab /etc/crypttab /target/etc/
touch /var/lib/ubiquity/encrypted-swap