summaryrefslogtreecommitdiffstats
path: root/debian/scripts/decrypt_keyctl
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 17:44:13 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 17:44:13 +0000
commit1103cc2d299a0f29631f9f5322d93efcca8098c7 (patch)
tree656763a55c9de10b1de70761e3d0b8d44056af1d /debian/scripts/decrypt_keyctl
parentAdding upstream version 2:2.3.7. (diff)
downloadcryptsetup-1103cc2d299a0f29631f9f5322d93efcca8098c7.tar.xz
cryptsetup-1103cc2d299a0f29631f9f5322d93efcca8098c7.zip
Adding debian version 2:2.3.7-1+deb11u1.debian/2%2.3.7-1+deb11u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/scripts/decrypt_keyctl')
-rw-r--r--debian/scripts/decrypt_keyctl55
1 files changed, 55 insertions, 0 deletions
diff --git a/debian/scripts/decrypt_keyctl b/debian/scripts/decrypt_keyctl
new file mode 100644
index 0000000..6032db0
--- /dev/null
+++ b/debian/scripts/decrypt_keyctl
@@ -0,0 +1,55 @@
+#!/bin/sh
+# decrypt_keyctl - to use in /etc/crypttab as keyscript
+# Allows to cache passwords for cryptdevices for 60s
+# The same password is used for for cryptdevices with the same identifier.
+# The keyfile parameter, which is the third field from /etc/crypttab, is
+# used as identifier in this keyscript.
+#
+# sample crypttab entries:
+# test1 /dev/sda1 test_pw luks,keyscript=decrypt_keyctl
+# test2 /dev/sda2 test_pw luks,keyscript=decrypt_keyctl
+# test3 /dev/sda3 test_other_pw luks,keyscript=decrypt_keyctl
+#
+# test1 and test2 have the same identifier thus test2 does not need a password
+# typed in manually
+
+die()
+{
+ echo "$@" >&2
+ exit 1
+}
+
+if [ -z "${CRYPTTAB_KEY:-}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
+ # store the passphrase in the key name used by systemd-ask-password
+ ID_="cryptsetup"
+else
+ # the keyfile given from crypttab is used as identifier in the keyring
+ # including the prefix "cryptsetup:"
+ ID_="cryptsetup:$CRYPTTAB_KEY"
+fi
+TIMEOUT_='60'
+ASKPASS_='/lib/cryptsetup/askpass'
+PROMPT_="Caching passphrase for ${CRYPTTAB_NAME}: "
+
+
+if ! KID_="$(keyctl search @u user "$ID_" 2>/dev/null)" || \
+ [ -z "$KID_" ] || [ "$CRYPTTAB_TRIED" -gt 0 ]; then
+ # key not found or wrong, ask the user
+ KEY_="$($ASKPASS_ "$PROMPT_")" || die "Error executing $ASKPASS_"
+ if [ -n "$KID_" ]; then
+ # I have cached wrong password and now i may use either `keyctl update`
+ # to update $KID_ or just unlink old key, and add new. With `update` i
+ # may hit "Key has expired", though. So i'll go "unlink and add" way.
+ keyctl unlink "$KID_" @u
+ KID_=""
+ fi
+ KID_="$(printf "%s" "$KEY_" | keyctl padd user "$ID_" @u)"
+ [ -n "$KID_" ] || die "Error adding passphrase to kernel keyring"
+ if ! keyctl timeout "$KID_" "$TIMEOUT_"; then
+ keyctl unlink "$KID_" @u
+ die "Error setting timeout on key ($KID_), removing"
+ fi
+else
+ echo "Using cached passphrase for ${CRYPTTAB_NAME}." >&2
+fi
+keyctl pipe "$KID_"