diff options
Diffstat (limited to '')
-rw-r--r-- | debian/initramfs/hooks/cryptgnupg | 45 | ||||
-rw-r--r-- | debian/initramfs/hooks/cryptgnupg-sc | 77 |
2 files changed, 122 insertions, 0 deletions
diff --git a/debian/initramfs/hooks/cryptgnupg b/debian/initramfs/hooks/cryptgnupg new file mode 100644 index 0000000..cffefdb --- /dev/null +++ b/debian/initramfs/hooks/cryptgnupg @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions + +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg" ] || [ ! -f "$TABFILE" ]; then + exit 0 +fi + +# Hooks for loading gnupg software and symmetrically encrypted key into +# the initramfs +copy_keys() { + crypttab_parse_options + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg" ]; then + if [ -f "$CRYPTTAB_KEY" ]; then + [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$? + else + cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + RV=1 + fi + fi +} + +RV=0 +crypttab_foreach_entry copy_keys + +# Install gnupg software +copy_exec /usr/bin/gpg +exit $RV diff --git a/debian/initramfs/hooks/cryptgnupg-sc b/debian/initramfs/hooks/cryptgnupg-sc new file mode 100644 index 0000000..752474a --- /dev/null +++ b/debian/initramfs/hooks/cryptgnupg-sc @@ -0,0 +1,77 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions + +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg-sc" ] || [ ! -f "$TABFILE" ]; then + exit 0 +fi + +# Hooks for loading gnupg software and encrypted key into the initramfs +copy_keys() { + crypttab_parse_options + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg-sc" ]; then + if [ -f "$CRYPTTAB_KEY" ]; then + [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$? + else + cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + RV=1 + fi + fi +} + +RV=0 +crypttab_foreach_entry copy_keys + +PUBRING="/etc/cryptsetup-initramfs/pubring.gpg" +if [ ! -f "$PUBRING" ]; then + cryptsetup_message "WARNING: $PUBRING: No such file" +else + [ -d "$DESTDIR/cryptroot/gnupghome" ] || mkdir -pm0700 "$DESTDIR/cryptroot/gnupghome" + # let gpg(1) create the keyring on the fly; we're not relying on its + # internals since it's the very same binary we're copying to the + # initramfs + /usr/bin/gpg --no-options --no-autostart --trust-model=always \ + --quiet --batch --no-tty --logger-file=/dev/null \ + --homedir="$DESTDIR/cryptroot/gnupghome" --import <"$PUBRING" + # make sure not to clutter the initramfs with backup keyrings + find "$DESTDIR/cryptroot" -name "*~" -type f -delete +fi + +copy_exec /usr/bin/gpg +copy_exec /usr/bin/gpg-agent +copy_exec /usr/lib/gnupg/scdaemon +copy_exec /usr/bin/gpgconf +copy_exec /usr/bin/gpg-connect-agent + +if [ ! -x "$DESTDIR/usr/bin/pinentry" ]; then + if [ -x "/usr/bin/pinentry-curses" ]; then + pinentry="/usr/bin/pinentry-curses" + elif [ -x "/usr/bin/pinentry-tty" ]; then + pinentry="/usr/bin/pinentry-tty" + else + cryptsetup_message "ERROR: missing required binary pinentry-curses or pinentry-tty" + RV=1 + fi + copy_exec "$pinentry" + ln -s "$pinentry" "$DESTDIR/usr/bin/pinentry" +fi +[ -f "$DESTDIR/lib/terminfo/l/linux" ] || copy_file terminfo /lib/terminfo/l/linux || RV=$? + +exit $RV |