diff --git a/misc/dracut_90reencrypt/README b/misc/dracut_90reencrypt/README
new file mode 100644
index 00000000..9623be4a
--- /dev/null
+++ b/misc/dracut_90reencrypt/README
@@ -0,0 +1,23 @@
+Example of simple dracut module for reencryption of system
+LUKS drive on-the-fly.
+
+Install in /usr/share/dracut/modules.d/90reencrypt, then
+rebuild intramfs "with dracut -f -a reencrypt"
+
+Dracut then recognize argument rd_REENCRYPT=name:size,
+e.g. rd_REENCRYPT=sda2:52G means only 52G of device
+will be reencrypted (default is whole device).
+(Name is kernel name of device.)
+
+Note that reencryption context is stored in ramdisk, any
+fail can mean complete lost of data!
+
+Copyright (C) 2012 Milan Broz
+
+This copyrighted material is made available to anyone wishing to use,
+modify, copy, or redistribute it subject to the terms and conditions
+of the GNU General Public License v.2.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software Foundation,
+Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
diff --git a/misc/dracut_90reencrypt/check b/misc/dracut_90reencrypt/check
new file mode 100755
index 00000000..53010b3f
--- /dev/null
+++ b/misc/dracut_90reencrypt/check
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+which cryptsetup-reencrypt >/dev/null 2>&1 || exit 1
+
+exit 0
diff --git a/misc/dracut_90reencrypt/install b/misc/dracut_90reencrypt/install
new file mode 100755
index 00000000..6e0523b2
--- /dev/null
+++ b/misc/dracut_90reencrypt/install
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+inst cryptsetup-reencrypt
+
+inst_hook cmdline 30 "$moddir/parse-reencrypt.sh"
+inst "$moddir"/reencrypt.sh /sbin/reencrypt
diff --git a/misc/dracut_90reencrypt/parse-reencrypt.sh b/misc/dracut_90reencrypt/parse-reencrypt.sh
new file mode 100755
index 00000000..35b66651
--- /dev/null
+++ b/misc/dracut_90reencrypt/parse-reencrypt.sh
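Review bot: The `which` probe on the third line of `check` is the non-portable way to test for a binary and depends on a separate `which` package being present on the build host; `command -v cryptsetup-reencrypt >/dev/null 2>&1 || exit 1` is the POSIX builtin form and behaves the same for dracut's purposes. Nothing else in this hook needs changing.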
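Review bot: Only `cryptsetup-reencrypt` is pulled into the initramfs on the third line of `install`, yet the script installed as `/sbin/reencrypt` also calls `flock`, `dmsetup`, `modprobe` and `/bin/plymouth` at run time. `dmsetup` and `plymouth` are presumably supplied by the crypt and plymouth modules this one is used alongside, but `flock` is not obviously among them, and a missing binary here only shows up as a silent failure of the console lock at boot. I would add `inst flock` next to the existing `inst` line so the module's own dependencies are listed in its own file rather than relied on from another module's file list.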
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+REENC=$(getargs rd_REENCRYPT=)
+REENC_DEV=$(echo $REENC | sed 's/:.*//')
+REENC_SIZE=$(echo $REENC | sed -n 's/.*://p')
+
+if [ -n "$REENC_DEV" ] ; then
+{
+ printf 'SUBSYSTEM!="block", GOTO="reenc_end"\n'
+ printf 'ACTION!="add|change", GOTO="reenc_end"\n'
+ printf 'KERNEL!="%s", GOTO="reenc_end"\n' $REENC_DEV
+ printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \
+ --unique --onetime --name crypt-reencrypt-%%k \
+ /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_SIZE"
+ printf 'LABEL="reenc_end"\n'
+} > /etc/udev/rules.d/69-reencryption.rules
+fi
diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
new file mode 100755
index 00000000..d200a85d
--- /dev/null
+++ b/misc/dracut_90reencrypt/reencrypt.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
+
+[ -f /tmp/reencrypted ] && exit 0
+
+. /lib/dracut-lib.sh
+
+# if device name is /dev/dm-X, convert to /dev/mapper/name
+if [ "${1##/dev/dm-}" != "$1" ]; then
+ device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
+else
+ device="$1"
+fi
+
+PARAMS="$device -T 1 --use-fsync -B 32"
+if [ -n "$2" ]; then
+ PARAMS="$PARAMS --device-size $2"
+fi
+
+info "REENCRYPT $device requested"
+# flock against other interactive activities
+{ flock -s 9;
+ CURR=$(pwd)
+ cd /tmp
+ /bin/plymouth ask-for-password --prompt "LUKS password for REENCRYPTING $device" \
+ --command="/sbin/cryptsetup-reencrypt $PARAMS"
+ cd $CURR
+} 9>/.console.lock
+
+# do not ask again
+ >> /tmp/reencrypted
+
+exit 0
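Review bot: `$REENC_DEV` is expanded unquoted on the `KERNEL!=` printf line of `parse-reencrypt.sh`, and neither it nor `$REENC_SIZE` is validated before being written into `/etc/udev/rules.d/69-reencryption.rules`; a value carrying a space, `"` or `,` (a mistyped `rd_REENCRYPT=` is enough) silently yields a broken or differently matching rule instead of an error, and that rule decides which block device gets rewritten in place. I would quote the argument, `printf 'KERNEL!="%s", GOTO="reenc_end"\n' "$REENC_DEV"`, and reject anything but a plain kernel name before the `if`, e.g. `case "$REENC_DEV" in *[!A-Za-z0-9_-]*) warn "rd_REENCRYPT: bad device name"; REENC_DEV="" ;; esac`. The two `echo $REENC` substitutions should be quoted for the same reason, and `getarg` (singular) is presumably the intended call if only one `rd_REENCRYPT=` value is supported, since `getargs` would join several values with spaces.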
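Review bot: The exit status of `/sbin/cryptsetup-reencrypt` (run through `plymouth ask-for-password --command=`) is never examined in `reencrypt.sh`, so a failed or interrupted reencryption still reaches `>> /tmp/reencrypted` and `exit 0`, and the device is treated as done for the rest of the boot; the README itself warns that an aborted run can cost the whole volume, so this is the one place where failure should be loud. I would record the status inside the locked block and create the marker only on success, emitting a `warn` otherwise (this assumes plymouth propagates its command's status, which should be confirmed); leaving the marker absent on failure also lets a later udev event re-prompt rather than silently continuing. While there, `cd $CURR` should be `cd "$CURR"`, and since `$PARAMS` is word-split into the command line, `$2` must already have been validated by the cmdline hook that places it in the udev rule.
```sh
# … unchanged: dm_crypt probe, marker check, device resolution, PARAMS, flock block up to the plymouth call …
    --command="/sbin/cryptsetup-reencrypt $PARAMS"
    rc=$?
    cd "$CURR"
} 9>/.console.lock

if [ "$rc" -ne 0 ]; then
    warn "REENCRYPT $device failed (status $rc)"
    exit 1
fi
# … unchanged: "do not ask again" marker and exit 0 …
```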