/
lvm-on-luks
136 lines (88 loc) 路 2.9 KB
/
lvm-on-luks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
#!/usr/bin/env bash
setup_mounts() {
echo " efi: $efi"
echo " boot: $boot"
echo "root_luks: $root_luks"
echo "root_ext4: $root_ext4"
echo ""
if [[ ! -e $efi ]] || [[ ! -e $efi ]] || [[ ! -e $root_luks ]] || [[ ! -e $root_ext4 ]]; then
echo "check mounts!"
exit
fi
read -p "press enter to continue..."
set -x
# mount new install
mount $root_ext4 /mnt
mount $boot /mnt/boot
mount $efi /mnt/boot/efi
# Mount your virtual filesystems
for i in dev proc sys run; do mount --rbind /$i /mnt/$i; done
# copy necessary files to new install
cp lvm-on-luks /mnt/lvm-on-luks
}
clearboot() {
setup_mounts
chroot /mnt bash lvm-on-luks $1 $2 $3 $4 postinstall_clearboot
}
encryptedboot() {
setup_mounts
# copy crypto_keyfile script and
cp crypto_keyfile /mnt/crypto_keyfile
chroot /mnt bash lvm-on-luks $1 $2 $3 $4 postinstall_encryptedboot
}
postinstall_clearboot() {
set -x
### add luks to crypttab
# update cryptab with uuid of drive and details for keyfile decryption
echo "crypt UUID=$(blkid -s UUID -o value $root_luks) none luks" > /etc/crypttab
### update ramdisk
update-initramfs -u
### cleanup and secure new boot
chmod -R g-rwx,o-rwx /boot
rm lvm-on-luks
}
postinstall_encryptedboot() {
set -x
### configure grub
echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
echo "GRUB_CMDLINE_LINUX=\"cryptdevice=$(blkid -s UUID -o value /dev/$2$3):lvm\"" >> /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/$1
### create keyfile for luks
# make a new key and add it to the luks container
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/$1$2 /crypto_keyfile.bin
# copy the script which will add the key file to initram and make script executable
cp crypto_keyfile /etc/initramfs-tools/hooks/crypto_keyfile
chmod +x /etc/initramfs-tools/hooks/crypto_keyfile
### add luks to crypttab
# update cryptab with uuid of drive and details for keyfile decryption
echo "crypt UUID=$(blkid -s UUID -o value /dev/$1$2) /crypto_keyfile.bin luks,keyscript=/bin/cat" > /etc/crypttab
### update ramdisk
update-initramfs -u
### cleanup and secure new boot and keyfile. run in new install
chmod 000 /crypto_keyfile.bin
chmod -R g-rwx,o-rwx /boot
# remove ubiquity if its still there due to installer crash (?)
apt-get -y remove ubiquity
rm lvm-on-luks crypto_keyfile
}
echo "running lvm-on-luks: $5"
echo ""
if [[ $EUID -ne 0 ]]; then
echo "must run as root!"
exit
fi
if [[ "$#" -ne 5 ]]; then
echo "check parameters!"
exit
fi
efi=/dev/$1$2
boot=/dev/$1$3
root_luks=/dev/$1$4
if [[ -e "/dev/mapper/lvm-root" ]]; then
root_ext4=/dev/mapper/lvm-root
else
root_ext4=/dev/mapper/crypt
fi
$5 $@