cryptsetup/misc/dracut_90reencrypt/reencrypt.sh

#!/bin/sh
#
# $1=$device [$2=keyfile|none [$3=keyslot|any [$4=size]]]
#

[ -d /sys/module/dm_crypt ] || modprobe dm_crypt

[ -d /sys/module/loop ] || modprobe loop

[ -f /tmp/reencrypted ] && exit 0

. /lib/dracut-lib.sh

# if device name is /dev/dm-X, convert to /dev/mapper/name
if [ "${1##/dev/dm-}" != "$1" ]; then
    device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
else
    device="$1"
fi

PARAMS="$device -T 1 --use-fsync -B 32"
if [ "$3" != "any" ]; then
    PARAMS="$PARAMS -S $3"
fi

if [ -n "$4" ]; then
    PARAMS="$PARAMS --device-size $4"
fi

reenc_readkey() {
    local keypath="${1#*:}"
    local keydev="${1%%:*}"

    local mntp="/tmp/reencrypted-mount-tmp"
    mkdir "$mntp"
    mount -r "$keydev" "$mntp" && cat "$mntp/$keypath"
    umount "$mntp"
    rm -r "$mntp"
}

reenc_run() {
    local cwd
    cwd=$(pwd)
    local _prompt="LUKS password for REENCRYPTING $device"
    cd /tmp
    udevadm settle
    if [ "$1" = "none" ] ; then
	if [ "$2" != "any" ]; then
		_prompt="$_prompt, using keyslot $2"
	fi
        /bin/plymouth ask-for-password \
        --prompt "$_prompt" \
        --command="/sbin/cryptsetup-reencrypt $PARAMS"
    else
        info "REENCRYPT using key $1"
        reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
    fi
    _ret=$?
    cd $cwd
}

info "REENCRYPT $device requested"
# flock against other interactive activities
{ flock -s 9;
    reenc_run $2 $3
} 9>/.console_lock

if [ $_ret -eq 0 ]; then
    # do not ask again
    >> /tmp/reencrypted
    warn "Reencryption of device $device has finished successfully. Use previous"
    warn "initramfs image (without reencrypt module) to boot the system. When"
    warn "you leave the emergency shell, the system will reboot."

    emergency_shell -n "(reboot)"
    [ -x /usr/bin/systemctl ] && /usr/bin/systemctl reboot
    [ -x /sbin/shutdown ] && /sbin/shutdown -r now
fi

# panic the kernel otherwise
exit 1