Diffstat (limited to 'debian/scripts/decrypt_derived')
-rw-r--r-- | debian/scripts/decrypt_derived | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/scripts/decrypt_derived b/debian/scripts/decrypt_derived
new file mode 100644
index 0000000..0e1e418
--- /dev/null
+++ b/debian/scripts/decrypt_derived
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# WARNING: If you use the decrypt_derived keyscript for devices with
+# persistent data (i.e. not swap or temp devices), then you will lose
+# access to that data permanently if something damages the LUKS header
+# of the LUKS device you derive from. The same applies if you luksFormat
+# the device, even if you use the same passphrase(s). A LUKS header
+# backup, or better a backup of the data on the derived device may be
+# a good idea. See the Cryptsetup FAQ on how to do this right.
+
+if [ -z "$1" ]; then
+ echo "$0: must be executed with a crypto device as argument" >&2
+ exit 1
+fi
+
+unset -v keys count
+keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)"
+count="$(printf '%s' "$keys" | wc -l)"
+
+if [ -n "$keys" ] && [ $count -le 1 ]; then
+ if [ "${keys#:}" = "$keys" ]; then
+ printf '%s' "$keys"
+ exit 0
+ else
+ echo "$0: device $1 uses the kernel keyring" >&2
+ fi
+elif [ $count -eq 0 ]; then
+ echo "$0: device $1 doesn't exist or isn't a crypto device" >&2
+else
+ echo "$0: more than one device match" >&2
+fi
+exit 1 |
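Review bot: The value from `count="$(printf '%s' "$keys" | wc -l)"` is one less than the number of key lines, because command substitution strips the trailing newline and `printf '%s'` does not put one back; a two-line result therefore gives `count` = 1 and still passes `[ $count -le 1 ]`. In that case both keys would be written to stdout joined by a newline, and the `${keys#:}` keyring test would only inspect the first line. Whether dmsetup can return two crypt lines for one device name is not visible here, but a table with more than one crypt segment would presumably do it. Testing `if [ -n "$keys" ] && [ "$count" -eq 0 ]; then` and `elif [ -z "$keys" ]; then` makes the three branches match their messages. Separately, `2>/dev/null` on dmsetup means a permission failure is reported as "doesn't exist or isn't a crypto device", which is worth a comment for whoever debugs a failed unlock.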