Add example of dracut module for reencryption.

misc/dracut_90reencrypt/README

@@ -0,0 +1,23 @@
+Example of simple dracut module for reencryption of system
+LUKS drive on-the-fly.
+
+Install in /usr/share/dracut/modules.d/90reencrypt, then
+rebuild intramfs "with dracut -f -a reencrypt"
+
+Dracut then recognize argument rd_REENCRYPT=name:size,
+e.g. rd_REENCRYPT=sda2:52G means only 52G of device
+will be reencrypted (default is whole device).
+(Name is kernel name of device.)
+
+Note that reencryption context is stored in ramdisk, any
+fail can mean complete lost of data!
+
+Copyright (C) 2012 Milan Broz <asi@ucw.cz>
+
+This copyrighted material is made available to anyone wishing to use,
+modify, copy, or redistribute it subject to the terms and conditions
+of the GNU General Public License v.2.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software Foundation,
+Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

misc/dracut_90reencrypt/check

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+which cryptsetup-reencrypt >/dev/null 2>&1 || exit 1
+
+exit 0

misc/dracut_90reencrypt/install

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+inst cryptsetup-reencrypt
+
+inst_hook cmdline 30 "$moddir/parse-reencrypt.sh"
+inst "$moddir"/reencrypt.sh /sbin/reencrypt

misc/dracut_90reencrypt/parse-reencrypt.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+REENC=$(getargs rd_REENCRYPT=)
+REENC_DEV=$(echo $REENC | sed 's/:.*//')
+REENC_SIZE=$(echo $REENC | sed -n 's/.*://p')
+
+if [ -n "$REENC_DEV" ] ; then
+{
+   printf 'SUBSYSTEM!="block", GOTO="reenc_end"\n'
+   printf 'ACTION!="add|change", GOTO="reenc_end"\n'
+   printf 'KERNEL!="%s", GOTO="reenc_end"\n' $REENC_DEV
+   printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \
+           --unique --onetime --name crypt-reencrypt-%%k \
+           /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_SIZE"
+   printf 'LABEL="reenc_end"\n'
+} > /etc/udev/rules.d/69-reencryption.rules
+fi

misc/dracut_90reencrypt/reencrypt.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
+
+[ -f /tmp/reencrypted ] && exit 0
+
+. /lib/dracut-lib.sh
+
+# if device name is /dev/dm-X, convert to /dev/mapper/name
+if [ "${1##/dev/dm-}" != "$1" ]; then
+    device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
+else
+    device="$1"
+fi
+
+PARAMS="$device -T 1 --use-fsync -B 32"
+if [ -n "$2" ]; then
+    PARAMS="$PARAMS --device-size $2"
+fi
+
+info "REENCRYPT $device requested"
+# flock against other interactive activities
+{ flock -s 9;
+    CURR=$(pwd)
+    cd /tmp
+    /bin/plymouth ask-for-password --prompt "LUKS password for REENCRYPTING $device" \
+      --command="/sbin/cryptsetup-reencrypt $PARAMS"
+    cd $CURR
+} 9>/.console.lock
+
+# do not ask again
+>> /tmp/reencrypted
+
+exit 0