summaryrefslogtreecommitdiffstats
path: root/debian/scripts/decrypt_derived
diff options
context:
space:
mode:
Diffstat (limited to 'debian/scripts/decrypt_derived')
-rw-r--r--debian/scripts/decrypt_derived31
1 files changed, 31 insertions, 0 deletions
diff --git a/debian/scripts/decrypt_derived b/debian/scripts/decrypt_derived
new file mode 100644
index 0000000..864e049
--- /dev/null
+++ b/debian/scripts/decrypt_derived
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# WARNING: If you use the decrypt_derived keyscript for devices with
+# persistent data (i.e. not swap or temp devices), then you will lose
+# access to that data permanently if something damages the LUKS header
+# of the LUKS device you derive from. The same applies if you luksFormat
+# the device, even if you use the same passphrase(s). A LUKS header
+# backup, or better a backup of the data on the derived device may be
+# a good idea. See the Cryptsetup FAQ on how to do this right.
+
+if [ -z "$1" ]; then
+ echo "$0: must be executed with a crypto device as argument" >&2
+ exit 1
+fi
+
+unset -v keys count
+keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)"
+count="$(printf '%s' "$keys" | wc -l)"
+
+if [ -n "$keys" ] && [ $count -le 1 ]; then
+ if [ "${keys#:}" = "$keys" ]; then
+ printf '%s' "$keys" | tr -d '\n'
+ else
+ echo "$0: device $1 uses the kernel keyring"
+ fi
+elif [ $count -eq 0 ]; then
+ echo "$0: device $1 doesn't exist or isn't a crypto device" >&2
+else
+ echo "$0: more than one device match" >&2
+fi
+exit 1