author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
commit | fd888e850cf413955483bfb993aeeea5ea611289 (patch) | |
tree | 6148fed3d1f30272c48403f4cdefa59c2b7e1513 /debian/scripts/decrypt_derived | |
parent | Adding upstream version 2:2.6.1. (diff) | |
Adding debian version 2:2.6.1-4~deb12u2.debian/2%2.6.1-4_deb12u2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/scripts/decrypt_derived')
-rw-r--r-- | debian/scripts/decrypt_derived | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/scripts/decrypt_derived b/debian/scripts/decrypt_derived
new file mode 100644
index 0000000..0e1e418
--- /dev/null
+++ b/debian/scripts/decrypt_derived
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# WARNING: If you use the decrypt_derived keyscript for devices with
+# persistent data (i.e. not swap or temp devices), then you will lose
+# access to that data permanently if something damages the LUKS header
+# of the LUKS device you derive from. The same applies if you luksFormat
+# the device, even if you use the same passphrase(s). A LUKS header
+# backup, or better a backup of the data on the derived device may be
+# a good idea. See the Cryptsetup FAQ on how to do this right.
+
+if [ -z "$1" ]; then
+ echo "$0: must be executed with a crypto device as argument" >&2
+ exit 1
+fi
+
+unset -v keys count
+keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)"
+count="$(printf '%s' "$keys" | wc -l)"
+
+if [ -n "$keys" ] && [ $count -le 1 ]; then
+ if [ "${keys#:}" = "$keys" ]; then
+ printf '%s' "$keys"
+ exit 0
+ else
+ echo "$0: device $1 uses the kernel keyring" >&2
+ fi
+elif [ $count -eq 0 ]; then
+ echo "$0: device $1 doesn't exist or isn't a crypto device" >&2
+else
+ echo "$0: more than one device match" >&2
+fi
+exit 1
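Review bot: The `[ $count -le 1 ]` guard appears to let a two-line result through, because `wc -l` counts newline characters and neither the command substitution nor `printf '%s'` leaves a trailing newline: one key gives `count=0`, two keys give `count=1`. In that case the script would emit both key fields, newline-joined, as the derived key instead of reaching the "more than one device match" branch, and the `${keys#:}` keyring test would only inspect the first character of the first line. Consider `if [ -n "$keys" ] && [ "$count" -eq 0 ]; then` for the success branch and `elif [ -z "$keys" ]; then` for the missing-device branch, which also quotes `$count`. Whether `dmsetup table` can actually return more than one crypt line for a single named device (for example a multi-segment table) is not visible here and should be confirmed.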