author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 17:44:13 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 17:44:13 +0000 |
commit | 1103cc2d299a0f29631f9f5322d93efcca8098c7 (patch) | |
tree | 656763a55c9de10b1de70761e3d0b8d44056af1d /debian/scripts/decrypt_keyctl | |
parent | Adding upstream version 2:2.3.7. (diff) | |
Adding debian version 2:2.3.7-1+deb11u1.debian/2%2.3.7-1+deb11u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/scripts/decrypt_keyctl')
-rw-r--r-- | debian/scripts/decrypt_keyctl | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/debian/scripts/decrypt_keyctl b/debian/scripts/decrypt_keyctl
new file mode 100644
index 0000000..6032db0
--- /dev/null
+++ b/debian/scripts/decrypt_keyctl
@@ -0,0 +1,55 @@
+#!/bin/sh
+# decrypt_keyctl - to use in /etc/crypttab as keyscript
+# Allows to cache passwords for cryptdevices for 60s
+# The same password is used for for cryptdevices with the same identifier.
+# The keyfile parameter, which is the third field from /etc/crypttab, is
+# used as identifier in this keyscript.
+#
+# sample crypttab entries:
+# test1 /dev/sda1 test_pw luks,keyscript=decrypt_keyctl
+# test2 /dev/sda2 test_pw luks,keyscript=decrypt_keyctl
+# test3 /dev/sda3 test_other_pw luks,keyscript=decrypt_keyctl
+#
+# test1 and test2 have the same identifier thus test2 does not need a password
+# typed in manually
+
+die()
+{
+ echo "$@" >&2
+ exit 1
+}
+
+if [ -z "${CRYPTTAB_KEY:-}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
+ # store the passphrase in the key name used by systemd-ask-password
+ ID_="cryptsetup"
+else
+ # the keyfile given from crypttab is used as identifier in the keyring
+ # including the prefix "cryptsetup:"
+ ID_="cryptsetup:$CRYPTTAB_KEY"
+fi
+TIMEOUT_='60'
+ASKPASS_='/lib/cryptsetup/askpass'
+PROMPT_="Caching passphrase for ${CRYPTTAB_NAME}: "
+
+
+if ! KID_="$(keyctl search @u user "$ID_" 2>/dev/null)" || \
+ [ -z "$KID_" ] || [ "$CRYPTTAB_TRIED" -gt 0 ]; then
+ # key not found or wrong, ask the user
+ KEY_="$($ASKPASS_ "$PROMPT_")" || die "Error executing $ASKPASS_"
+ if [ -n "$KID_" ]; then
+ # I have cached wrong password and now i may use either `keyctl update`
+ # to update $KID_ or just unlink old key, and add new. With `update` i
+ # may hit "Key has expired", though. So i'll go "unlink and add" way.
+ keyctl unlink "$KID_" @u
+ KID_=""
+ fi
+ KID_="$(printf "%s" "$KEY_" | keyctl padd user "$ID_" @u)"
+ [ -n "$KID_" ] || die "Error adding passphrase to kernel keyring"
+ if ! keyctl timeout "$KID_" "$TIMEOUT_"; then
+ keyctl unlink "$KID_" @u
+ die "Error setting timeout on key ($KID_), removing"
+ fi
+else
+ echo "Using cached passphrase for ${CRYPTTAB_NAME}." >&2
+fi
+keyctl pipe "$KID_" |
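Review bot: The retry test `[ "$CRYPTTAB_TRIED" -gt 0 ]` expands an environment variable with no default, so if the script is ever invoked without CRYPTTAB_TRIED set, `[` rejects the empty operand, the test counts as false, and a cached passphrase that was already refused would be piped out again instead of being replaced. The script already guards CRYPTTAB_KEY with `${CRYPTTAB_KEY:-}`, and the same form fits here: `[ "${CRYPTTAB_TRIED:-0}" -gt 0 ]`. Separately, the passphrase is stored with `keyctl padd` and only receives its expiry from the later `keyctl timeout` call, so a comment above `TIMEOUT_='60'` along the lines of `# passphrase is held in the invoking user's keyring (@u) until this timeout expires` would make the exposure window explicit for whoever enables this keyscript.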