summaryrefslogtreecommitdiffstats
path: root/debian/initramfs/hooks/cryptgnupg
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/initramfs/hooks/cryptgnupg45
-rw-r--r--debian/initramfs/hooks/cryptgnupg-sc77
2 files changed, 122 insertions, 0 deletions
diff --git a/debian/initramfs/hooks/cryptgnupg b/debian/initramfs/hooks/cryptgnupg
new file mode 100644
index 0000000..cffefdb
--- /dev/null
+++ b/debian/initramfs/hooks/cryptgnupg
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg" ] || [ ! -f "$TABFILE" ]; then
+ exit 0
+fi
+
+# Hooks for loading gnupg software and symmetrically encrypted key into
+# the initramfs
+copy_keys() {
+ crypttab_parse_options
+ if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg" ]; then
+ if [ -f "$CRYPTTAB_KEY" ]; then
+ [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
+ else
+ cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+ RV=1
+ fi
+ fi
+}
+
+RV=0
+crypttab_foreach_entry copy_keys
+
+# Install gnupg software
+copy_exec /usr/bin/gpg
+exit $RV
diff --git a/debian/initramfs/hooks/cryptgnupg-sc b/debian/initramfs/hooks/cryptgnupg-sc
new file mode 100644
index 0000000..752474a
--- /dev/null
+++ b/debian/initramfs/hooks/cryptgnupg-sc
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg-sc" ] || [ ! -f "$TABFILE" ]; then
+ exit 0
+fi
+
+# Hooks for loading gnupg software and encrypted key into the initramfs
+copy_keys() {
+ crypttab_parse_options
+ if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg-sc" ]; then
+ if [ -f "$CRYPTTAB_KEY" ]; then
+ [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
+ else
+ cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+ RV=1
+ fi
+ fi
+}
+
+RV=0
+crypttab_foreach_entry copy_keys
+
+PUBRING="/etc/cryptsetup-initramfs/pubring.gpg"
+if [ ! -f "$PUBRING" ]; then
+ cryptsetup_message "WARNING: $PUBRING: No such file"
+else
+ [ -d "$DESTDIR/cryptroot/gnupghome" ] || mkdir -pm0700 "$DESTDIR/cryptroot/gnupghome"
+ # let gpg(1) create the keyring on the fly; we're not relying on its
+ # internals since it's the very same binary we're copying to the
+ # initramfs
+ /usr/bin/gpg --no-options --no-autostart --trust-model=always \
+ --quiet --batch --no-tty --logger-file=/dev/null \
+ --homedir="$DESTDIR/cryptroot/gnupghome" --import <"$PUBRING"
+ # make sure not to clutter the initramfs with backup keyrings
+ find "$DESTDIR/cryptroot" -name "*~" -type f -delete
+fi
+
+copy_exec /usr/bin/gpg
+copy_exec /usr/bin/gpg-agent
+copy_exec /usr/lib/gnupg/scdaemon
+copy_exec /usr/bin/gpgconf
+copy_exec /usr/bin/gpg-connect-agent
+
+if [ ! -x "$DESTDIR/usr/bin/pinentry" ]; then
+ if [ -x "/usr/bin/pinentry-curses" ]; then
+ pinentry="/usr/bin/pinentry-curses"
+ elif [ -x "/usr/bin/pinentry-tty" ]; then
+ pinentry="/usr/bin/pinentry-tty"
+ else
+ cryptsetup_message "ERROR: missing required binary pinentry-curses or pinentry-tty"
+ RV=1
+ fi
+ copy_exec "$pinentry"
+ ln -s "$pinentry" "$DESTDIR/usr/bin/pinentry"
+fi
+[ -f "$DESTDIR/lib/terminfo/l/linux" ] || copy_file terminfo /lib/terminfo/l/linux || RV=$?
+
+exit $RV