summaryrefslogtreecommitdiffstats
path: root/misc/dracut_90reencrypt/reencrypt.sh
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:31:19 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:31:19 +0000
commit6e33fee6f4a7e2041dd276995b402ca036fcab14 (patch)
tree85be5c41f2715d7d4d24cfa220197f1e2c778259 /misc/dracut_90reencrypt/reencrypt.sh
parentInitial commit. (diff)
downloadcryptsetup-54904503918ad872f6b455fd60c0cbfe5d0e36e5.tar.xz
cryptsetup-54904503918ad872f6b455fd60c0cbfe5d0e36e5.zip
Adding upstream version 2:2.1.0.upstream/2%2.1.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'misc/dracut_90reencrypt/reencrypt.sh')
-rwxr-xr-xmisc/dracut_90reencrypt/reencrypt.sh84
1 files changed, 84 insertions, 0 deletions
diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
new file mode 100755
index 0000000..db09e64
--- /dev/null
+++ b/misc/dracut_90reencrypt/reencrypt.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# $1=$device [$2=keyfile|none [$3=keyslot|any [$4=size]]]
+#
+
+[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
+
+[ -d /sys/module/loop ] || modprobe loop
+
+[ -f /tmp/reencrypted ] && exit 0
+
+. /lib/dracut-lib.sh
+
+# if device name is /dev/dm-X, convert to /dev/mapper/name
+if [ "${1##/dev/dm-}" != "$1" ]; then
+ device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
+else
+ device="$1"
+fi
+
+PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
+if [ "$3" != "any" ]; then
+ PARAMS="$PARAMS -S $3"
+fi
+
+if [ -n "$4" ]; then
+ PARAMS="$PARAMS --device-size $4"
+fi
+
+reenc_readkey() {
+ keypath="${1#*:}"
+ keydev="${1%%:*}"
+
+ mntp="/tmp/reencrypted-mount-tmp"
+ mkdir "$mntp"
+ mount -r "$keydev" "$mntp" && cat "$mntp/$keypath"
+ umount "$mntp"
+ rm -r "$mntp"
+}
+
+# shellcheck disable=SC2086
+# shellcheck disable=SC2164
+reenc_run() {
+ cwd=$(pwd)
+ _prompt="LUKS password for REENCRYPTING $device"
+ cd /tmp
+ udevadm settle
+ if [ "$1" = "none" ] ; then
+ if [ "$2" != "any" ]; then
+ _prompt="$_prompt, using keyslot $2"
+ fi
+ /bin/plymouth ask-for-password \
+ --prompt "$_prompt" \
+ --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS"
+ else
+ info "REENCRYPT using key $1"
+ reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS
+ fi
+ _ret=$?
+ cd $cwd
+}
+
+info "REENCRYPT $device requested"
+# flock against other interactive activities
+# shellcheck disable=SC2086
+{ flock -s 9;
+ reenc_run $2 $3
+} 9>/.console_lock
+
+if [ $_ret -eq 0 ]; then
+ # do not ask again
+ # shellcheck disable=SC2188
+ >> /tmp/reencrypted
+ warn "Reencryption of device $device has finished successfully. Use previous"
+ warn "initramfs image (without reencrypt module) to boot the system. When"
+ warn "you leave the emergency shell, the system will reboot."
+
+ emergency_shell -n "(reboot)"
+ [ -x /usr/bin/systemctl ] && /usr/bin/systemctl reboot
+ [ -x /sbin/shutdown ] && /sbin/shutdown -r now
+fi
+
+# panic the kernel otherwise
+exit 1