Add key option to dracut example.

2025-12-13 03:40:05 +01:00 · 2012-07-12 19:21:22 +02:00
parent 8b8e206c07
commit 53e269c5f1
2 changed files with 37 additions and 8 deletions
--- a/misc/dracut_90reencrypt/parse-reencrypt.sh
+++ b/misc/dracut_90reencrypt/parse-reencrypt.sh
@@ -4,6 +4,11 @@ REENC=$(getargs rd_REENCRYPT=)
 REENC_DEV=$(echo $REENC | sed 's/:.*//')
 REENC_SIZE=$(echo $REENC | sed -n 's/.*://p')

+REENC_KEY=$(getargs rd_REENCRYPT_KEY=)
+if [ -z "$REENC_KEY" ] ; then
+    REENC_KEY=none
+fi
+
 if [ -n "$REENC_DEV" ] ; then
 {
   printf 'SUBSYSTEM!="block", GOTO="reenc_end"\n'
@@ -11,7 +16,7 @@ if [ -n "$REENC_DEV" ] ; then
   printf 'KERNEL!="%s", GOTO="reenc_end"\n' $REENC_DEV
   printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \
           --unique --onetime --name crypt-reencrypt-%%k \
-           /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_SIZE"
+           /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_KEY $REENC_SIZE"
   printf 'LABEL="reenc_end"\n'
 } > /etc/udev/rules.d/69-reencryption.rules
 fi
--- a/misc/dracut_90reencrypt/reencrypt.sh
+++ b/misc/dracut_90reencrypt/reencrypt.sh
@@ -1,4 +1,7 @@
 #!/bin/sh
+#
+# $1=$device [$2=keyfile|none [$3=size]]
+#

 [ -d /sys/module/dm_crypt ] || modprobe dm_crypt

@@ -14,18 +17,39 @@ else
 fi

 PARAMS="$device -T 1 --use-fsync -B 32"
-if [ -n "$2" ]; then
-    PARAMS="$PARAMS --device-size $2"
+if [ -n "$3" ]; then
+    PARAMS="$PARAMS --device-size $3"
 fi

+reenc_readkey() {
+    local keypath="${1#*:}"
+    local keydev="${1%%:*}"
+
+    local mntp=$(mkuniqdir /mnt keydev)
+    mount -r "$keydev" "$mntp" || return
+    cat "$mntp/$keypath"
+    umount "$mntp"
+    rmdir "$mntp"
+}
+
+reenc_run() {
+    local cwd=$(pwd)
+    cd /tmp
+    if [ "$1" = "none" ] ; then
+        /bin/plymouth ask-for-password \
+        --prompt "LUKS password for REENCRYPTING $device" \
+        --command="/sbin/cryptsetup-reencrypt $PARAMS"
+    else
+        info "REENCRYPT using key $1"
+        reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
+    fi
+    cd $cwd
+}
+
 info "REENCRYPT $device requested"
 # flock against other interactive activities
 { flock -s 9;
-    CURR=$(pwd)
-    cd /tmp
-    /bin/plymouth ask-for-password --prompt "LUKS password for REENCRYPTING $device" \
-      --command="/sbin/cryptsetup-reencrypt $PARAMS"
-    cd $CURR
+    reenc_run $2
 } 9>/.console.lock

 # do not ask again