commit b9d97a76f0e65215972d8988c413e6cba2fd439c Author: Christoph Date: Mon Feb 2 00:45:17 2026 +0100 Initial commit diff --git a/README.debian13 b/README.debian13 new file mode 100644 index 0000000..b5b3f1d --- /dev/null +++ b/README.debian13 
@@ -0,0 +1,68 @@ +# --------------------------------------------------------------------------------------- +# +# Early decrypt partition using systemd-cryptsetup - after upgrade Debian 12 -> Debia 13 +# +# --------------------------------------------------------------------------------------- + +RAW_PARTITION=/dev/md5 +CRYPT_PARTITION=data +KEY_FILE=/etc/cryptsetup-keys.d/data.key + +# 1) cryptsetup-initramfs entfernen +# ================================= +# +# (cryptsetup selbst bleibt installiert!) +# +apt purge cryptsetup-initramfs + + +# update-initramfs -u -k all sollte nun durchlaufen +# +update-initramfs -u -k all + + +# 2) Sicherstellen, dass systemd die crypttab Einträge überhaupt verarbeitet +# =========================================================================== +# +# In Debian wurde systemd-cryptsetup als eigenes Paket aufgeteilt; wenn das fehlt, +# werden nicht-root LUKS-Volumes aus /etc/crypttab u.U. nicht automatisch geöffnet. +# +# Also: +# +# apt install systemd-cryptsetup +# +apt install systemd-cryptsetup + + +# 3) /etc/crypttab anpassen (kein initramfs mehr) +# =============================================== +# +# data UUID=a7e3afb8-f257-4e99-b37a-fdc579ec9e96 /etc/cryptsetup-keys.d/data.key luks,nofail +# +cat <> /etc/crypttab + +# +${CRYPT_PARTITION} UUID=a$(blkid -s UUID -o value ${RAW_PARTITION}) ${KEY_FILE} luks,nofail + +EOF + + +# 4) /etc/fstab +# ============= +# +# /dev/mapper/data /data ext4 defaults,nofail,x-systemd.device-timeout=30 0 2 +# +cat <> /etc/fstab + +# /dev/mapper/${CRYPT_PARTITION} (LUKS device ${RAW_PARTITION}) +/dev/mapper/${CRYPT_PARTITION} /data ext4 efaults,nofail,x-systemd.device-timeout=30 0 2 +EOF + +systemctl daemon-reload + + +# 5) RAID (md5) muss beim Boot assembliert werden +# +apt install --reinstall mdadm +update-initramfs -u -k all + diff --git a/create_crypted_disk.sh b/create_crypted_disk.sh new file mode 100755 index 0000000..fa907de --- /dev/null +++ b/create_crypted_disk.sh 
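Review bot: The fstab line written by the heredoc, `/dev/mapper/${CRYPT_PARTITION} /data ext4 efaults,nofail,x-systemd.device-timeout=30 0 2`, spells the option `efaults`, which mount rejects, while the example line two lines above uses `defaults`; the crypttab entry `UUID=a$(blkid -s UUID -o value ${RAW_PARTITION})` likewise carries a stray `a` in front of the substituted UUID (the example `UUID=a7e3afb8-…` above it looks like the source of the leftover), so systemd-cryptsetup would wait for a device that does not exist. Both should read `defaults,nofail,x-systemd.device-timeout=30 0 2` and `UUID=$(blkid -s UUID -o value "${RAW_PARTITION}")`. The heredoc openers appear in this rendering as `cat <> /etc/crypttab` and `cat <> /etc/fstab`, which may be an extraction artefact of `cat <<EOF >> …`; worth confirming that the committed file carries the full redirection. The README also never states the mode the key file at `/etc/cryptsetup-keys.d/data.key` must have; a `chmod 0400` step next to the `KEY_FILE=` assignment would make the unattended-unlock setup safer to follow.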
@@ -0,0 +1,62 @@ +#!/usr/bin/env bash + +_BACKUP_DEVICE_NAME=backup +_LABEL=BACKUP_OPP_03 +_KEY_FILE=/crypt/home/.keys/zapata.key + +echo "" + +# - Encrypt Disk with given keyfile +# - +echo "" +echo "Encrypt Disk with given keyfile" +cryptsetup luksFormat /dev/sde1 $_KEY_FILE + +# - Add Key with Passphrase +# - +echo "" +echo "Add Key (Passphrase) using existent key (keyfile: $_KEY_FILE)" +cryptsetup luksAddKey -d $_KEY_FILE /dev/sde1 + +# - Open encrypted device +# - +echo "" +echo "Open encrypted device" +cryptsetup luksOpen /dev/sde1 $_BACKUP_DEVICE_NAME --key-file $_KEY_FILE + +# - Create Filesystem on crypted device +# - +echo "" +echo "Create ext4 Filesystem on crypted device \"$_BACKUP_DEVICE_NAME\"" +mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/$_BACKUP_DEVICE_NAME + +echo "" +echo "Simple sync.." +sync + +# - Label crypted device +# - +echo "" +echo "Label crypted device \"$_BACKUP_DEVICE_NAME\". Label: $_LABEL" +tune2fs -L $_LABEL /dev/mapper/$_BACKUP_DEVICE_NAME + +# - Set maximal mount count on crypted device +# - +echo "" +echo "Set maximal mount count on crypted device" +tune2fs -c 21 /dev/mapper/$_BACKUP_DEVICE_NAME + +# - List settings of crypted device +# - +echo "" +echo "List settings of crypted device \"_BACKUP_DEVICE_NAME\"" +tune2fs -l /dev/mapper/$_BACKUP_DEVICE_NAME + +# - Close crypted device +# - +echo "" +echo "Close crypted device \"$_BACKUP_DEVICE_NAME\"" +cryptsetup luksClose $_BACKUP_DEVICE_NAME + +echo "" +exit 0 diff --git a/cryptodevice.txt b/cryptodevice.txt new file mode 100644 index 0000000..0550ca6 --- /dev/null +++ b/cryptodevice.txt 
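Review bot: `cryptsetup luksFormat /dev/sde1 $_KEY_FILE` wipes a hard-coded device with no check that `/dev/sde1` is the intended disk or that `$_KEY_FILE` is readable, and without `set -e` a failed luksFormat (missing key file, wrong device) still lets the script continue into luksAddKey, luksOpen and mkfs.ext4 on whatever is there. The device should be a parameter with `-b`/`-r` guards before the destructive step, the script should abort on the first failing command, and every expansion should be quoted; see the sketch below. The `--key-file` form of luksFormat is also clearer than passing the key as a positional argument. Separately, the echo `"List settings of crypted device \"_BACKUP_DEVICE_NAME\""` is missing the `$` and prints the variable name instead of its value.
```shell
#!/usr/bin/env bash
set -euo pipefail

_BACKUP_DEVICE_NAME=backup
_LABEL=BACKUP_OPP_03
_KEY_FILE=/crypt/home/.keys/zapata.key
_DISK=${1:-/dev/sde1}   # device to format; the default keeps the old behaviour

# Refuse to touch anything unless the key file and the target are what we expect.
[[ -r "$_KEY_FILE" ]] || { printf 'key file %s not readable\n' "$_KEY_FILE" >&2; exit 1; }
[[ -b "$_DISK" ]] || { printf '%s is not a block device\n' "$_DISK" >&2; exit 1; }

# … unchanged: status echos …
cryptsetup luksFormat --key-file "$_KEY_FILE" "$_DISK"
cryptsetup luksAddKey -d "$_KEY_FILE" "$_DISK"
cryptsetup luksOpen --key-file "$_KEY_FILE" "$_DISK" "$_BACKUP_DEVICE_NAME"
# … unchanged: mkfs.ext4, sync, tune2fs, luksClose …
```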
@@ -0,0 +1,203 @@ +## - urls +## - +http://wiki.ubuntuusers.de/System_verschl%C3%BCsseln +http://de.gentoo-wiki.com/DM-Crypt + +## --------------------------------------------------------- ## +## - In welchem Slot befindet sich der Key mit Passwort... - ## +## --------------------------------------------------------- ## + +# - bsp.: cryptsetup --verbose open --test-passphrase /dev/sda5 +# - +cryptsetup --verbose open --test-passphrase + + +## ------------------------------------------------------------- # +## - - # +## - cryptodevice einrichten - # +## - - # +## ------------------------------------------------------------- # + +## -------------------------- ## +## - Cryptodevice erstellen - ## +## -------------------------- ## +## - +cryptsetup luksFormat +## - oder +cryptsetup -c aes-lrw-benbi -y -s 384 luksFormat +# +#cryptsetup -c aes-xts-plain -y -s 512 luksFormat +cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y + +## - cryptodevice erstellen mit password im keyfile +## - +## - keyfile (1024 bit groß) erstellen +head -c1024 /dev/urandom > +## - crytodevice erstellen +cryptsetup -c aes-lrw-benbi -s 384 luksFormat +# - oder (etwas neuer) +#cryptsetup -c aes-xts-plain -s 512 luksFormat +cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat + +## - cryptodevice mit einem abgeleiteten Schlüssel eines bestehenden LUKS +## - device erstellen +## - +## - /lib/cryptsetup/scripts/decrypt_derived | cryptsetup -c aes-xts-plain -s 512 luksFormat +## - wobei mit ist im Folgenden der Mapper-Name +## - gemeint ist, der unter /dev/mapper/ angezeigt wird - z.Bsp. root +## - +/lib/cryptsetup/scripts/decrypt_derived root | cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sda3 + + + + + +## ------------------------ ## +## - Cryptodevice oeffnen - ## +## ------------------------ ## +## - +cryptsetup luksOpen +## - bzw. 
mit keyfileangabe +cryptsetup luksOpen --key-file + +## - dateisystem erstellen +## - +## - Die "-m" Option reserviert soviel Prozent (hier: 0 Prozent) des Speichers +## - für den Superuser. Vergisst man die Option anzugeben, werden standardmäßig 5% +## - des Speicherplatzers für den Superuser reserviert. +## - +#mkfs.ext4 -m0 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/ +mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/ + +## - neue crytopartition mounten +## - +mount /dev/mapper/ + +## - öffnen eines mit einem abgeleiteten Schlüssel erstellten +## - LUKS Devices +## - +## - /lib/cryptsetup/scripts/decrypt_derived | cryptsetup luksOpen +/lib/cryptsetup/scripts/decrypt_derived root | cryptsetup luksOpen /dev/sda3 data + + +## ----------------- ## +## - /etc/crypttab - ## +## ----------------- ## +## - +## - Paswortgeschütztes Device +# UUID= none +root UUID=9d323be6-7aad-4813-a0d2-8db4947c48d9 none luks +## - +## - Keyfile gechütztes Device +# UUID= UUID= luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived +data UUID=5f106e59-829f-4186-95b7-a0c84bb0adbd root luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived + +## - Hinweis! +## - die UUID eines Gerätedevice kann mittels "blkid" ermittelt werden +## - +blkid /dev/sda2 + +## - Neuere Versionen von cryptsetup können die UUID auch selbst ermitteln: +## - +cryptsetup luksUUID /dev/sdxY + + + +## - Luks ermöglicht, mit verschiedenen Schlüsseln auf die +## - Partition zuzugreifen. 
Folgender Befehl fügst einen +## - weiteren hinzu: +## - ein passwort hinzufügen +## - +cryptsetup luksAddKey /dev/$DEVICE +## - +## - ein passwort hinzufügen falls eine schlüsseldatei benutzt wird +## - +cryptsetup luksAddKey -d /pfad/zur/datei /dev/$DEVICE +## - +## - ein passwort hinzufügen falls eine abgeleiteter Schlüssel benutzt wird +## - +mkdir /mnt/ram && mount -t ramfs -o size=1m ramfs /mnt/ram && chmod 600 /mnt/ram +/lib/cryptsetup/scripts/decrypt_derived > /mnt/ram/tmp.key +cryptsetup luksAddKey -d /mnt/ram/tmp.key /dev/$DEVICE +umount /mnt/ram && rmdir /mnt/ram +## - +## - einen abgeleiteten Schlüssel hinzufügen, falls ein Passwort benutzt wurde +## - +mkdir /mnt/ram && mount -t ramfs -o size=1m ramfs /mnt/ram && chmod 600 /mnt/ram +/lib/cryptsetup/scripts/decrypt_derived > /mnt/ram/tmp.key +cryptsetup luksAddKey /dev/$DEVICE /mnt/ram/tmp.key +umount /mnt/ram && rmdir /mnt/ram +## - +## - eine Schlüsseldatei hinzufügen +## - +cryptsetup luksAddKey /dev/$DEVICE +## - +## - eine Schlüsseldatei hinzufügen falls eine schlüsseldatei benutzt wird +## - +cryptsetup luksAddKey -d /pfad/zur/datei /dev/$DEVICE + + +## - Analog dazu kann mit luksKillSlot ein Schlüssel wieder entfernen. +## - +cryptsetup luksKillSlot + + + +## - Täglicher Gebrauch +## - ================== + + * Trage deine Cryptopartition in /etc/crypttab ein, bspw: + + # + $CRYPTODEVICE /dev/$DEVICE none luks,check=ext2,retry=5 + # oder + none luks,retry=1,cipher=aes-lrw-benbi + luks,cipher=aes-lrw-benbi + + * Trage in /etc/fstab das Device (/dev/mapper/$CRYPTODEVICE $MOUNT) + mit deinen Dateisystemoptionen ein: + + /dev/mapper/$CRYPTDEVICE $MOUNT auto defaults 0 0 + + * /etc/init.d/cryptdisks kümmert sich nun um die Initialisierung beim Booten. + Bei Falscheingabe, wirst du mehrmals (siehe retry in der /etc/crypttab) + erneut gefragt. Falls es weiterhin fehlschlägt, wird der Bootvorgang + ohne mounten fortgesetzt. 
+ + * Luks ermöglicht es dir, mit verschiedenen Schlüsseln auf die Partition + zuzugreifen. Mit folgendem Befehl fügst du einen weiteren hinzu: + + cryptsetup luksAddKey /dev/$DEVICE + + Dazu musst du das Passwort eines schon vorhandenen Schlüssels eingeben. Analog + dazu kannst du mit luksDelKey ein Schlüssel wieder entfernen. + + + +Paranoia +======== + +Mit dmsetup info lassen sich benutzte devicemappings anzeigen. +Taucht hier ein Teil als ACTIVE auf, so hat jedermensch darauf +Zugriff (auch wenn es nicht gemountet ist, könnte - wer die +nötigen Rechte hat - das Teil ohne passendes Cryptokennwort +mounten) - es ist in diesem Zustand quasi entschlüsselt! + +Deswegen immer nach dem unmounten, das mapping entfernen +(sonst gibt's (erfahrene Beamte vorausgesetzt) evtl. Stress bei +der Hausdurchsuchung): + +umount $MOUNT +cryptsetup luksClose $CRYPTODEVICE + +Du kannst alle mappings gleichzeitig entfernen mit: + +dmsetup remove_all + +! Denk dran: cryptsetup luksClose niemals nicht vergessen oder aber +Stecker ziehen (bzw. den Rechner herunterfahren) ;) ! + diff --git a/mount_crypt b/mount_crypt new file mode 100755 index 0000000..b701ffa --- /dev/null +++ b/mount_crypt 
@@ -0,0 +1,163 @@ +#!/usr/bin/env bash + +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin + +## - Partition: data +## - +part_name=data +crypt_partition="/dev/mapper/$part_name" +raw_partition=< i.e. /dev/vda3 or /dev/sda3 ..> +mount_point= + +start_samba=false +start_kvm=false +start_mysql=false +start_apache=false +start_vservers=true +vservers="" + + +echo -e "\n\033[1;34m" +/sbin/cryptsetup luksOpen $raw_partition $part_name > /dev/null 2>&1 +echo -e "\033[0m" +if ! df | grep "$crypt_partition" > /dev/null 2>&1 ;then + declare -i mount_count=`tune2fs -l $crypt_partition | grep "Mount count" | cut -d ":" -f 2` + declare -i max_mount_count=`tune2fs -l $crypt_partition | grep "Maximum mount count" | cut -d ":" -f 2` + if [ $max_mount_count -gt 0 ];then + + if [ $mount_count -ge $max_mount_count ]; then + echo "" + echo -e "\tMaximal mount count of $max_mount_count was reached." + echo -e "\tSo a filecheck on \"$crypt_partition\" will be initiated.." + echo -e "\t\033[1;33m\E[5mPlease wait. This may take some time..\033[00m" + echo "" + e2fsck -p $crypt_partition > /dev/null + if [ $? -gt -0 ]; then + echo -e "\n\t[\033[1;31mERROR\033[0m] filecheck on $crypt_partition failed.\n" + fi + tune2fs -C 0 $crypt_partition > /dev/null + fi + + fi +fi + + +if ! df | grep "$crypt_partition" > /dev/null 2>&1 ;then + + echo -n -e "\tMounting crypto-partition \"$part_name\"..\t" + + /bin/mount $crypt_partition $mount_point > /dev/null 2>&1 + + if [ $? -ne 0 ] ; then + echo -e " [\033[40m\033[1;31m failed \033[0m]" + else + echo -e " [\033[1;32m done \033[0m]" + fi +else + + echo -e "\t\033[1;33mPartition \"$part_name\" already mounted..\033[0m" + +fi + + +if $start_vservers ; then + if [ -n "$vservers" ]; then + echo "" + for _vserver in $vservers ; do + echo -n -e "\tStarting VServer \"$_vserver\".." + vserver $_vserver start > /dev/null 2>&1 + if [ $? 
-ne 0 ] ; then + echo -e "\t [\033[40m\033[1;31m failed \033[0m]" + else + echo -e "\t [\033[1;32m done \033[0m]" + fi + done + echo "" + fi +fi + + +if $start_mysql ; then + if ps ax | grep /usr/sbin/mysqld | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then + ## - Stopping Mysql.. + ## - + echo -n -e "\n\tStopping MySQL Server..\t\t" + /etc/init.d/mysql stop > /dev/null + + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi + fi + + ## - Starting Mysql.. + ## - + echo -n -e "\n\tStarting MySQL Server..\t\t" + /etc/init.d/mysql start > /dev/null 2>&1 + + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi +fi + + +if $start_apache ; then + if ps ax | grep /usr/sbin/apache2 | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then + ## - Stopping Apache Webserver.. + ## - + echo -n -e "\n\tStopping Apache Weberver..\t" + /etc/init.d/apache2 stop > /dev/null + + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi + fi + + ## - Starting Apache.. + ## - + echo -n -e "\n\tStarting Apache Webserver..\t" + /etc/init.d/apache2 start > /dev/null 2>&1 + + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi +fi + + +if $start_samba ; then + ## - Starting Samba.. + ## - + if ps ax | grep nmbd | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then + /etc/init.d/samba stop > /dev/null + killall smbd > /dev/null 2>&1 + killall nmbd > /dev/null 2>&1 + fi + echo -n -e "\n\tStarting Samba Fileserver..\t\t" + /etc/init.d/samba start > /dev/null 2>&1 + + if [ $? 
-ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi +fi + + +if $start_kvm ; then + ## - Starting libvirt-bin (also starts virtual boxes) + ## - + echo -n -e "\n\tStarting libvirt-bin..\t\t\t" + /etc/init.d/libvirt-bin start > /dev/null 2>&1 + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi +fi diff --git a/mount_cryptroot b/mount_cryptroot new file mode 100644 index 0000000..600ae56 --- /dev/null +++ b/mount_cryptroot 
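Review bot: The placeholder `raw_partition=< i.e. /dev/vda3 or /dev/sda3 ..>` is not shell bash can parse: the trailing `>` has no target, so bash reports a syntax error at that line and exits before it reaches luksOpen (umount_crypt carries the same line); keeping the hint in a comment, `raw_partition=   # e.g. /dev/vda3 or /dev/sda3`, makes the template runnable once filled in. The `luksOpen` call then discards its output and never tests its status, so a wrong passphrase is silent and the script goes on to run tune2fs and mount against a mapper device that does not exist; `/sbin/cryptsetup luksOpen "$raw_partition" "$part_name" || exit 1` would stop it there. `df | grep "$crypt_partition"` is a substring match (`/dev/mapper/data` also matches `/dev/mapper/data2`); `findmnt -n "$crypt_partition" >/dev/null` tests the exact device. The MySQL and Apache blocks decide whether to stop the service with `… || ps ax | grep smbd | grep -v grep`, which looks copied from the Samba block and means a running smbd triggers a MySQL/Apache restart; the same test appears in umount_crypt, and `pgrep -x mysqld` / `pgrep -x apache2` would be both correct and simpler.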
@@ -0,0 +1,54 @@ +#!/bin/sh + +# This script generates two scripts in the initramfs output, +# /root/mount_cryptroot.sh and /root/.profile + + +ALLOW_SHELL=0 +# Set this to 1 before running update-initramfs if you want +# to allow authorized users to type Ctrl-C to drop to a +# root shell (useful for debugging, potential for abuse.) +# +# (Note that even with ALLOW_SHELL=0 it may still be possible +# to achieve a root shell.) +# + +if [ -z ${DESTDIR} ]; then + exit +fi + +SCRIPT="${DESTDIR}/root/mount_cryptroot.sh" +cat > "${SCRIPT}" << 'EOF' +#!/bin/sh +CMD= +while [ -z "$CMD" -o -z "`pidof askpass plymouth`" ]; do + CMD=`ps -o args | grep cryptsetup | grep -i open | grep -v grep` + sleep 0.1 +done +while [ -n "`pidof askpass plymouth`" ]; do + $CMD && kill -9 `pidof askpass plymouth` && echo "Success" +done +EOF + +chmod +x "${SCRIPT}" + +# Run mount_cryptroot by default and close the login session afterwards +# If ALLOW_SHELL is set to 1, you can press Ctrl-C to get to an interactive prompt +cat > "${DESTDIR}/root/.profile" << EOF +ctrl_c_exit() { + exit 1 +} +ctrl_c_shell() { + # Ctrl-C during .profile appears to mangle terminal settings + reset +} +if [ "$ALLOW_SHELL" == "1" ]; then + echo "Unlocking rootfs... Type Ctrl-C for a shell." + trap ctrl_c_shell INT +else + echo "Unlocking rootfs..." + trap ctrl_c_exit INT +fi +/root/mount_cryptroot.sh && exit 1 || echo "Run ./mount_cryptroot.sh to try unlocking again" +trap INT +EOF diff --git a/remote_decrypt.txt b/remote_decrypt.txt new file mode 100644 index 0000000..97c5acc --- /dev/null +++ b/remote_decrypt.txt 
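Review bot: The generated `.profile` tests `if [ "$ALLOW_SHELL" == "1" ]` under `#!/bin/sh`; with a dash-style `[`, `==` is an "unexpected operator" error whose non-zero status sends every run into the else branch, so `ALLOW_SHELL=1` never yields the debugging shell (a busybox `[` may accept `==`, but `=` is the portable spelling), and the same `==` appears in the plymouth wrapper written by unlock_cryptkey_via_ssh.sh and remote_decrypt.txt. Change it to `if [ "$ALLOW_SHELL" = "1" ]; then` here and `[ "\$1" = "--ping" ] && exit 1` there. `if [ -z ${DESTDIR} ]` only works because an unquoted empty expansion leaves `[ -z ]`, which is true; quote it as `[ -z "${DESTDIR}" ]` so the hook still behaves if DESTDIR ever contains spaces. The inner script locates the cryptsetup command with `ps -o args | grep cryptsetup | grep -i open` and re-runs it via an unquoted `$CMD`, which assumes the initramfs `ps` lists other users' processes with `-o args` and that the command line has no quoted arguments; that appears to be the existing design and is worth a comment such as `# relies on the initramfs ps listing all processes with -o args — verify on the target` rather than a change here.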
@@ -0,0 +1,120 @@ +## - IP definitions in initramfs overwrites /etc/network/interfaces +## - +## - Add the following line to your interface definition +## - +## - pre-up ip addr flush dev eth0 + + + + + +Luks remote decrypt +=================== + +## Install packages busybox and dropbear +## - +## - Notice: +## - If package busybox-static is already installed, tha is sufficient. +## - Install only package dropbear in that case. +## - +#apt-get install dropbear busybox +apt-get install dropbear + + +## - For security reason and if no needed, remove keys from root directory in +## - initramfs (/etc/initramfs-tools/root/.ssh) +## - +rm /etc/initramfs-tools/root/.ssh/id_* + +## - Empty /etc/initramfs-tools/root/.ssh/authorized_keys +## - +> /etc/initramfs-tools/root/.ssh/authorized_keys + +## - Add your public key, you wish to early connect, to authorized_keys file +## - /etc/initramfs-tools/root/.ssh/authorized_keys +## - +vim /etc/initramfs-tools/root/.ssh/authorized_keys + + +## - Create initramfs script for unlocking the key +## - +cat << END > /etc/initramfs-tools/hooks/unlock_cryptkey_via_ssh.sh +#!/bin/sh + +PREREQ="dropbear" + +prereqs() { + echo "\$PREREQ" +} + +case "\$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. "\$CONFDIR/initramfs.conf" +#. 
/usr/share/initramfs-tools/hook-functions + +if [ "\$DROPBEAR" != "n" ] && [ -r "/etc/crypttab" ] ; then + # fix for dropbear in Ubuntu 12.04 x86_64 + [ -d /lib/x86_64-linux-gnu ] && cp -p /lib/x86_64-linux-gnu/libnss_* "\$DESTDIR/lib/" + + mkdir -m 755 -p "\$DESTDIR/lib/unlock" + +##### /bin/unlock +cat > "\${DESTDIR}/bin/unlock" < "\$DESTDIR/lib/unlock/plymouth" <<-EOF +#!/bin/sh +[ "\\\$1" == "--ping" ] && exit 1 +exec /bin/plymouth "\\\$@" +EOF +##### EOF /lib/unlock/plymouth + + chmod 755 "\$DESTDIR/bin/unlock" + chmod 755 "\$DESTDIR/lib/unlock/plymouth" + + # enable password login + [ -n "\$SSHUSERPASS" ] && + touch "\$DESTDIR/etc/shadow" && chmod 640 "\$DESTDIR/etc/shadow" && + getent shadow "\$SSHUSERPASS" | sed -n "s/^\$SSHUSERPASS:/root:/p" /etc/shadow >> "\$DESTDIR/etc/shadow" + + sed -i'' 's|^\(root:.*\):[^:]*$|\1:/bin/sh|' "\$DESTDIR/etc/passwd" +fi +END + +chmod 755 /etc/initramfs-tools/hooks/unlock_cryptkey_via_ssh.sh + +## - Make changes persistent to initramfs +## - +update-initramfs -u -k all + + +## - Now you can connect to dropbear shell with your added key, for example +## - +## - Connect: +## - ssh -i ~/.ssh/dropbear/id_rsa_initram -o UserKnownHostsFile=.ssh/dropbear/known_hosts root@192.168.63.90 +## - +## - Enter your passphrase: +## - Enter passphrase for key '/home/chris/.ssh/dropbear/id_rsa_initram': ****************** +## - +## - Unlock key, type: +## - unlock +## - +## - Enter pasphrase for cryptodevice +## - Enter passphrase: +## - diff --git a/umount_crypt b/umount_crypt new file mode 100755 index 0000000..fe65803 --- /dev/null +++ b/umount_crypt 
@@ -0,0 +1,139 @@ +#!/usr/bin/env bash +### BEGIN INIT INFO +# Provides: umount_crypt +# Required-Start: $remote_fs $syslog $network postfix +# Required-Stop: $remote_fs $syslog $network postfix +# Default-Start: +# Default-Stop: 0 1 6 +# Short-Description: Unmounting crypto device(s) +### END INIT INFO + +## --- +## - add with: +## - update-rc.d umount_crypt stop 01 0 1 6 . +## --- + +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin + +## - Partition: data +## - +part_name= +crypt_partition="/dev/mapper/$part_name" +raw_partition=< i.e. /dev/vda3 or /dev/sda3 ..> +mount_point= + +stop_samba=false +stop_kvm=false +stop_mysql=false +stop_apache=false +stop_vservers=true + +if $stop_vservers ; then + if [ -n $vservers ];then + echo "" + vservers=`vserver-stat | grep -E "^[0-9]{2,}" | awk '{print$8}'` + for _vserver in $vservers ; do + echo -n -e "\tStopping VServer \"$_vserver\".." + vserver $_vserver stop > /dev/null 2>&1 + if [ $? -ne 0 ] ; then + echo -e "\t[ \033[1;31mfailed\033[0m ]" + else + echo -e "\t[ \033[1;32mdone\033[0m ]" + fi + done + echo "" + fi +fi + + +if $stop_apache ; then + if ps ax | grep /usr/sbin/apache2 | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then + ## - Stopping Apache Webserver.. + ## - + echo -n -e "\n\tStopping Apache Weberver..\t" + /etc/init.d/apache2 stop > /dev/null + + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi + fi +fi + + +if $stop_mysql ; then + if ps ax | grep /usr/sbin/mysqld | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then + ## - Stopping Mysql.. + ## - + echo -n -e "\n\tStopping MySQL Server..\t\t" + /etc/init.d/mysql stop > /dev/null + + if [ $? 
-ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi + fi +fi + + +if $stop_kvm ; then + ## - Stopping KVM's + ## - + echo -n -e "\n\tStopping Virtual Boxes..\t\t" + /etc/init.d/kvm_shutdown_guests stop > /dev/null 2>&1 + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi + + echo -n -e "\n\tStopping libvirt-bin..\t\t\t" + /etc/init.d/libvirt-bin stop > /dev/null 2>&1 + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi +fi + + +if $stop_samba ; then + ## - Stopping Samba-Server + ## - + echo -n -e "\n\tStopping Samba Fileserver..\t\t" + /etc/init.d/samba stop > /dev/null 2>&1 + + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi +fi + + +if ! df | grep "$crypt_partition" > /dev/null 2>&1 ;then + echo -e "\n\t\033[1;33mPartition \"$part_name\" is NOT mounted..\033[0m" +else + echo -n -e "\n\tUnmounting Partition $mount_point..\t\t" + /bin/umount $crypt_partition > /dev/null 2>&1 + + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]" + else + echo -e " [ \033[1;32mdone\033[0m ]" + fi + + echo -n -e "\tDecrypting $part_name..\t\t\t" + cryptsetup luksClose $part_name > /dev/null 2>&1 + + if [ $? -ne 0 ] ; then + echo -e " [ \033[1;31mfailed\033[0m ]\n" + else + echo -e " [ \033[1;32mdone\033[0m ]\n" + fi +fi + +echo "" +exit 0 diff --git a/unlock_cryptkey_via_ssh.sh b/unlock_cryptkey_via_ssh.sh new file mode 100755 index 0000000..9dfeb4f --- /dev/null +++ b/unlock_cryptkey_via_ssh.sh 
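Review bot: `if [ -n $vservers ]` is evaluated before `vservers` is assigned on the next line, and with the variable unquoted and empty it reduces to `[ -n ]`, which is true, so the guard never does anything; the assignment `vservers=$(vserver-stat | grep -E "^[0-9]{2,}" | awk '{print$8}')` should come first and the test should read `if [ -n "$vservers" ]; then`. The committed `part_name=` is empty, so `crypt_partition` is `/dev/mapper/`, `df | grep "/dev/mapper/"` matches any mapped device, and `cryptsetup luksClose ""` is what actually runs; mount_crypt sets `part_name=data`, so the two templates are out of step. The message `Decrypting $part_name..` sits in front of `cryptsetup luksClose`, which removes the mapping rather than decrypting anything; `Closing $part_name..` describes what happens.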
@@ -0,0 +1,56 @@ +#!/bin/sh + +PREREQ="dropbear" + +prereqs() { + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. "$CONFDIR/initramfs.conf" +#. /usr/share/initramfs-tools/hook-functions + +if [ "$DROPBEAR" != "n" ] && [ -r "/etc/crypttab" ] ; then + # fix for dropbear in Ubuntu 12.04 x86_64 + [ -d /lib/x86_64-linux-gnu ] && cp -p /lib/x86_64-linux-gnu/libnss_* "$DESTDIR/lib/" + + mkdir -m 755 -p "$DESTDIR/lib/unlock" + +##### /bin/unlock +cat > "${DESTDIR}/bin/unlock" < "$DESTDIR/lib/unlock/plymouth" <<-EOF +#!/bin/sh +[ "\$1" == "--ping" ] && exit 1 +exec /bin/plymouth "\$@" +EOF +##### EOF /lib/unlock/plymouth + + chmod 755 "$DESTDIR/bin/unlock" + chmod 755 "$DESTDIR/lib/unlock/plymouth" + + # enable password login + [ -n "$SSHUSERPASS" ] && + touch "$DESTDIR/etc/shadow" && chmod 640 "$DESTDIR/etc/shadow" && + getent shadow "$SSHUSERPASS" | sed -n "s/^$SSHUSERPASS:/root:/p" /etc/shadow >> "$DESTDIR/etc/shadow" + + sed -i'' 's|^\(root:.*\):[^:]*$|\1:/bin/sh|' "$DESTDIR/etc/passwd" +fi
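Review bot: In the password-login branch, `getent shadow "$SSHUSERPASS" | sed -n "s/^$SSHUSERPASS:/root:/p" /etc/shadow >> "$DESTDIR/etc/shadow"` gives sed a file operand, so the getent output on stdin is ignored and `/etc/shadow` is read directly, and `$SSHUSERPASS` is interpolated into the regex unescaped; `getent shadow "$SSHUSERPASS" | sed -n "s/^$SSHUSERPASS:/root:/p" >> "$DESTDIR/etc/shadow"` uses the lookup it already performs. More importantly the copied hash becomes root's entry inside the initramfs image; if the generated initrd under /boot is readable by unprivileged users (common on older installs — verify on the target), setting SSHUSERPASS exposes that user's password hash to every local account, so the hook deserves a comment such as `# SSHUSERPASS copies a password hash into the initrd; leave it unset to keep key-only login` and the default should stay unset. The result of `cp -p /lib/x86_64-linux-gnu/libnss_* "$DESTDIR/lib/"` is not checked, so a missing libnss leaves dropbear's user lookup broken without any message from the hook. The body of the `/bin/unlock` heredoc is not visible in this rendering (the text runs straight from `cat > "${DESTDIR}/bin/unlock"` into the plymouth wrapper), so that script could not be reviewed here.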