authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 17:44:13 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 17:44:13 +0000
commit1103cc2d299a0f29631f9f5322d93efcca8098c7 (patch)
tree656763a55c9de10b1de70761e3d0b8d44056af1d /debian/scripts/decrypt_derived
parentAdding upstream version 2:2.3.7. (diff)
Adding debian version 2:2.3.7-1+deb11u1.debian/2%2.3.7-1+deb11u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/scripts/decrypt_derived')
-rw-r--r--debian/scripts/decrypt_derived32
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/scripts/decrypt_derived b/debian/scripts/decrypt_derived
new file mode 100644
index 0000000..0e1e418
--- /dev/null
+++ b/debian/scripts/decrypt_derived
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# WARNING: If you use the decrypt_derived keyscript for devices with
+# persistent data (i.e. not swap or temp devices), then you will lose
+# access to that data permanently if something damages the LUKS header
+# of the LUKS device you derive from. The same applies if you luksFormat
+# the device, even if you use the same passphrase(s). A LUKS header
+# backup, or better a backup of the data on the derived device may be
+# a good idea. See the Cryptsetup FAQ on how to do this right.
+
+if [ -z "$1" ]; then
+ echo "$0: must be executed with a crypto device as argument" >&2
+ exit 1
+fi
+
+unset -v keys count
+keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)"
+count="$(printf '%s' "$keys" | wc -l)"
+
+if [ -n "$keys" ] && [ $count -le 1 ]; then
+ if [ "${keys#:}" = "$keys" ]; then
+ printf '%s' "$keys"
+ exit 0
+ else
+ echo "$0: device $1 uses the kernel keyring" >&2
+ fi
+elif [ $count -eq 0 ]; then
+ echo "$0: device $1 doesn't exist or isn't a crypto device" >&2
+else
+ echo "$0: more than one device match" >&2
+fi
+exit 1
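Review bot: The `[ $count -le 1 ]` test appears to be off by one and lets a two-line result through: the command substitution strips the trailing newline and `printf '%s'` adds none, so `wc -l` reports 0 for a single key and 1 for two. If `dmsetup table` ever returns two crypt lines for `$1` (presumably a multi-segment mapping), both keys would be written to stdout joined by a newline and consumed as key material, instead of reaching the "more than one device match" branch. I would make the conditions exact: `if [ -n "$keys" ] && [ "$count" -eq 0 ]; then` for the success path and `elif [ -z "$keys" ]; then` for the not-found path. Separately, `2>/dev/null` discards dmsetup's own diagnostics, so a permission failure is reported as "doesn't exist or isn't a crypto device"; a short comment such as `# dmsetup errors are suppressed on purpose; an empty result is reported below` would record that this is intentional.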